Relay attacks forward an authentication exchange to another service instead of cracking it. We capture or coerce authentication from a user or machine, relay that authentication to a target service, and perform an action as the relayed principal.
NTLM relay works because the NTLM response is not inherently bound to the service that triggered it. Kerberos relay is different: Kerberos is normally service-bound, so Kerberos relay depends on service validation mistakes, SPN control, or service behavior that fails to enforce the expected binding.
The workflow is always the same. Choose a relay target, confirm whether protections block relay, start the listener, trigger authentication, perform the relay action, then use the resulting access. The target service matters more than the source: SMB relay usually gives command execution only when the relayed identity is local admin on the target, LDAP relay gives directory modification primitives, and ADCS relay gives certificate material.
Tools used in this section include Impacket ntlmrelayx, Responder, Inveigh, Coercer, PetitPotam, krbrelayx, NetExec, Certipy, and PKINITtools.
Lab defaults
Domain: ootw.local
DC: 10.10.10.200
Kali: 10.10.10.100
Win10: 10.10.10.201
Student user: student
Student password: student
Common variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'
Relay phases
Source: poisoning, coerced authentication, file trigger, SQL UNC path, user browsing
Listener: ntlmrelayx, Responder, Inveigh, krbrelayx
Target: SMB, LDAP, LDAPS, ADCS HTTP, MSSQL, HTTP
Action: command execution, RBCD, shadow credentials, ADCS certificate, add computer, dump secrets
Follow-up: use ticket, use certificate, abuse RBCD, dump secrets, move laterally
Cleanup: remove added computers, remove RBCD, remove shadow credentials, kill listeners, revoke certificates
Hard blockers
SMB signing required blocks classic NTLM relay to SMB.
LDAP signing blocks simple NTLM relay to LDAP.
LDAP channel binding blocks many relays to LDAPS.
Extended Protection for Authentication blocks many relays to ADCS web enrollment.
NTLM disabled blocks NTLM relay but not Kerberos relay.
Local admin is required for SMB relay command execution.
Directory write rights are required for LDAP relay impact.
Enrollment rights are required for ADCS relay impact.