Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks

Information

Relay attacks forward an authentication exchange to another service instead of cracking it. We capture or coerce authentication from a user or machine, relay that authentication to a target service, and perform an action as the relayed principal.

NTLM relay works because the NTLM response is not inherently bound to the service that triggered it. Kerberos relay is different: Kerberos is normally service-bound, so Kerberos relay depends on service validation mistakes, SPN control, or service behavior that fails to enforce the expected binding.

The workflow is always the same. Choose a relay target, confirm whether protections block relay, start the listener, trigger authentication, perform the relay action, then use the resulting access. The target service matters more than the source: SMB relay usually gives command execution only when the relayed identity is local admin on the target, LDAP relay gives directory modification primitives, and ADCS relay gives certificate material.

Tools used in this section include Impacket ntlmrelayx, Responder, Inveigh, Coercer, PetitPotam, krbrelayx, NetExec, Certipy, and PKINITtools.

Lab defaults

Domain: ootw.local
DC: 10.10.10.200
Kali: 10.10.10.100
Win10: 10.10.10.201
Student user: student
Student password: student

Common variables

export DOMAIN=ootw.local
export DC=10.10.10.200
export ATTACKER=10.10.10.100
export USER=student
export PASS='student'

Relay phases

Source: poisoning, coerced authentication, file trigger, SQL UNC path, user browsing
Listener: ntlmrelayx, Responder, Inveigh, krbrelayx
Target: SMB, LDAP, LDAPS, ADCS HTTP, MSSQL, HTTP
Action: command execution, RBCD, shadow credentials, ADCS certificate, add computer, dump secrets
Follow-up: use ticket, use certificate, abuse RBCD, dump secrets, move laterally
Cleanup: remove added computers, remove RBCD, remove shadow credentials, kill listeners, revoke certificates

Hard blockers

SMB signing required blocks classic NTLM relay to SMB.
LDAP signing blocks simple NTLM relay to LDAP.
LDAP channel binding blocks many relays to LDAPS.
Extended Protection for Authentication blocks many relays to ADCS web enrollment.
NTLM disabled blocks NTLM relay but not Kerberos relay.
Local admin is required for SMB relay command execution.
Directory write rights are required for LDAP relay impact.
Enrollment rights are required for ADCS relay impact.