Abuse Info
This section provides general guidance about abusing this edge. For detailed instructions, see references at the end of this article.Linux
- Start the Relay Server The NTLM relay can be executed with ntlmrelayx.py.
- Coerce the Target Computer Several coercion methods are documented here: Windows Coerced Authentication Methods. Examples of tools include:
Windows
-
Take Over the SMB Port on the Attacker Host
To avoid a conflict with SMB running on the attacker-controlled Windows computer, it is necessary to takeover the SMB port. This can be achieved with
smbtakeover. - Start the Relay Server The NTLM relay can be executed with Inveigh.
- Coerce the Target Computer Several coercion methods are documented here: Windows Coerced Authentication Methods. Examples of tools include:
Opsec Considerations
NTLM relayed authentications can be detected by login events where the IP address does not match the computer’s actual IP address. This detection technique is described in the blog post: Detecting NTLM Relay Attacks.Edge Schema
Source:Authenticated Users, GroupDestination: Computer
Traversable: Yes
References
- Hackndo: NTLM relay
- Microsoft: NTLM Overview
- Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover
- Inveigh
- Windows Coerced Authentication Methods
- PetitPotam
- SpoolSample
- Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques
- printerbug.py
- I’m bringing relaying back: A comprehensive guide on relaying anno 2022
- ntlmrelayx.py
- 2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)
- Detecting NTLM Relay Attacks