Abuse Info
This section provides general guidance about abusing this edge. For detailed instructions, see the references at the end of this article.
Linux
- Start the Relay Server
The NTLM relay can be executed with ntlmrelayx.py. To relay to LDAP and perform a Shadow Credentials attack against the target computer:
- Coerce the Target Computer
Several coercion methods are documented here: Windows Coerced Authentication Methods.
Examples of tools include:
To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE.
Windows
- Start the Relay Server
The NTLM relay can be executed with Inveigh.
- Coerce the Target Computer
Several coercion methods are documented here: Windows Coerced Authentication Methods.
Examples of tools include:
To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE.
Opsec Considerations
NTLM relayed authentications can be detected through logon events in which the source IP address does not match the authenticating computer account's actual IP address. This detection technique is described in the blog post: Detecting NTLM Relay Attacks.
Edge Schema
Source: Authenticated Users, Group
Destination: Computer
Traversable: Yes
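The IP-mismatch check from the Opsec Considerations above, as an added example that is not from this page or from BloodHound: it scans constructed 4624-style logon records and reports NTLM network logons by a machine account whose source address is not that host's own address. The host-to-IP table is an assumption standing in for DNS or DHCP data.

```python
import ipaddress

# Added example, not BloodHound's code. Constructed 4624-style logon records
# (fields trimmed); in practice these come from the Security event log.
SAMPLE_EVENTS = [
    {"account": "WS01$", "package": "NTLM", "logon_type": 3, "src_ip": "10.0.0.11"},
    {"account": "WS01$", "package": "NTLM", "logon_type": 3, "src_ip": "10.0.0.99"},
    {"account": "FS02$", "package": "NTLM", "logon_type": 3, "src_ip": "10.0.0.12"},
    {"account": "alice", "package": "NTLM", "logon_type": 3, "src_ip": "10.0.0.99"},
    {"account": "FS02$", "package": "Kerberos", "logon_type": 3, "src_ip": "10.0.0.99"},
    {"account": "DB03$", "package": "NTLM", "logon_type": 3, "src_ip": "::ffff:10.0.0.99"},
]
# Constructed: the address each computer account is actually assigned
# (from DNS or DHCP records in a real deployment).
HOST_IPS = {"WS01": "10.0.0.11", "FS02": "10.0.0.12", "DB03": "10.0.0.13"}


def normalize_ip(raw):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both forms compare equal."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def find_relay_candidates(events, host_ips):
    """Return (account, observed_ip, expected_ip) for each suspicious logon.

    Only machine accounts (trailing '$') doing NTLM network logons are judged:
    such an account normally authenticates only from its own address, so a
    mismatch is the relay signal the Opsec Considerations describe.
    """
    hits = []
    for ev in events:
        name = ev["account"]
        if not name.endswith("$") or ev["package"] != "NTLM" or ev["logon_type"] != 3:
            continue
        expected = host_ips.get(name.rstrip("$").upper())
        if expected is None:
            continue  # no ground truth for this host, so it cannot be judged
        observed = normalize_ip(ev["src_ip"])
        if observed != normalize_ip(expected):
            hits.append((name, observed, expected))
    return hits


if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_EVENTS, HOST_IPS):
        print("possible NTLM relay: %s authenticated from %s, expected %s" % hit)
```

User logons and Kerberos logons are deliberately ignored so the rule only fires on the machine-account NTLM pattern the relay produces.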
References
- Hackndo: NTLM relay
- Microsoft: NTLM Overview
- Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover
- Inveigh
- Windows Coerced Authentication Methods
- PetitPotam
- SpoolSample
- Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques
- printerbug.py
- I’m bringing relaying back: A comprehensive guide on relaying anno 2022
- ntlmrelayx.py
- 2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)
- Detecting NTLM Relay Attacks