# CoerceAndRelayNTLMToSMB

> An attacker can coerce a computer to authenticate via NTLM to an SMB service on a target computer that does not enforce SMB signing, allowing the attacker to gain administrative access to the target computer.

Applies to BloodHound Enterprise and CE.

This edge indicates that an attacker with "Authenticated Users" access can compromise the target computer by relaying the NTLM authentication of a victim computer with administrative rights on the target computer. The attack is possible because the attacker can trigger SMB-based coercion from the victim computer to their attacker-controlled host, and the target computer does not enforce SMB signing.

## Abuse Info

This section provides general guidance about abusing this edge. For detailed instructions, see [references](#references) at the end of this article.

### Linux

1. **Start the Relay Server**

   The NTLM relay can be executed with [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py).

2. **Coerce the Target Computer**

   Several coercion methods are documented here: [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods).

   Examples of tools include:

   * [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
   * [PetitPotam](https://github.com/topotam/PetitPotam)

### Windows

1. **Take Over the SMB Port on the Attacker Host**

   To avoid a conflict with SMB running on the attacker-controlled Windows computer, it is necessary to take over the SMB port. This can be achieved with `smbtakeover`.

2. **Start the Relay Server**

   The NTLM relay can be executed with [Inveigh](https://github.com/Kevin-Robertson/Inveigh).

3. **Coerce the Target Computer**

   Several coercion methods are documented here: [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods).

   Examples of tools include:

   * [SpoolSample](https://github.com/leechristensen/SpoolSample)
   * [PetitPotam](https://github.com/topotam/PetitPotam)

## Opsec Considerations

NTLM relayed authentications can be detected by login events where the IP address does not match the computer's actual IP address. This detection technique is described in the blog post: [Detecting NTLM Relay Attacks](https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9).
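
The mismatch check described above, as an added example (not code from BloodHound or the referenced blog post). It assumes Security event 4624 records already exported as dictionaries and a hypothetical inventory mapping computer accounts to their known IP addresses; the events and inventory below are constructed.

```python
import ipaddress

# Constructed inventory (hypothetical): computer account -> addresses it really uses.
KNOWN_IPS = {"WS01$": {"10.0.5.21"}, "SRV-APP01$": {"10.0.8.14", "10.0.8.15"}}

def _ev(user, ip, package="NTLM", logon_type=3):
    """Build a constructed event 4624 record with only the fields used below."""
    return {"EventID": 4624, "Computer": "FS01", "LogonType": logon_type,
            "AuthenticationPackageName": package, "TargetUserName": user, "IpAddress": ip}

SAMPLE_EVENTS = [
    _ev("WS01$", "10.0.5.21"),               # source matches inventory
    _ev("WS01$", "10.0.9.99"),               # computer account from a foreign address
    _ev("SRV-APP01$", "::ffff:10.0.8.15"),   # IPv4-mapped form of a known address
    _ev("alice", "10.0.9.99"),               # user account: out of scope for this check
    _ev("WS01$", "10.0.9.99", "Kerberos"),   # not NTLM
    _ev("WS01$", "-"),                       # no source address recorded
]

def normalize(ip):
    """Return a canonical address string, or None for '-', empty or malformed values."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except (ValueError, AttributeError):
        return None
    # Treat an IPv4-mapped IPv6 form (::ffff:a.b.c.d) as its IPv4 address.
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def find_relay_candidates(events, known_ips):
    """Flag NTLM network logons of computer accounts whose source IP is not theirs."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only successful network logons
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = str(ev.get("TargetUserName", "")).upper()
        if not account.endswith("$"):
            continue  # only computer accounts
        src = normalize(ev.get("IpAddress"))
        expected = known_ips.get(account)
        if src is None or expected is None:
            continue  # cannot judge: no usable address or host not inventoried
        if src not in expected:
            findings.append((ev["Computer"], account, src))
    return findings

if __name__ == "__main__":
    for host, account, src in find_relay_candidates(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{host}: NTLM network logon for {account} from unexpected address {src}")
```

Hosts behind NAT or with several interfaces need all of their addresses in the inventory, otherwise they show up as mismatches.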

## Edge Schema

Source: `Authenticated Users`, [Group](/resources/nodes/group)\
Destination: [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [Hackndo: NTLM relay](https://en.hackndo.com/ntlm-relay/)
* [Microsoft: NTLM Overview](https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview)
* [Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover](https://specterops.io/blog/2024/08/01/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/)
* [Inveigh](https://github.com/Kevin-Robertson/Inveigh)
* [Windows Coerced Authentication Methods](https://github.com/p0dalirius/windows-coerced-authentication-methods)
* [PetitPotam](https://github.com/topotam/PetitPotam)
* [SpoolSample](https://github.com/leechristensen/SpoolSample)
* [Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques](https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/)
* [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py)
* [I'm bringing relaying back: A comprehensive guide on relaying anno 2022](https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022)
* [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)
* [2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
* [Detecting NTLM Relay Attacks](https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9)
