NTLMRelayX

NTLMRelayX Usage Guide

NTLMRelayX is a tool included in the Impacket suite that relays NTLM authentication from a victim system to another network service, so that an attacker who can capture an authentication attempt can reuse it for lateral movement, credential harvesting, and privilege escalation. This guide walks through the basic setup and usage of NTLMRelayX.

Prerequisites:

  • Install Impacket (latest version)
  • Administrative access to a system where the tool will be run
  • Knowledge of the target network and systems

1. Installing Impacket and NTLMRelayX

If you don’t have Impacket installed, you can install it from source with Python’s pip:

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .

This will install the necessary dependencies and tools, including NTLMRelayX.

2. Setting up NTLMRelayX

NTLMRelayX relays incoming NTLM authentication to other protocols such as SMB, HTTP and LDAP. Because it forwards the live authentication exchange rather than cracking it, no credentials are required; the relay succeeds against any target that accepts NTLM authentication without requiring signing.

Basic Usage:

ntlmrelayx.py -h

This will show you all the available options for NTLMRelayX.

3. Common NTLMRelayX Attack Scenarios

a. SMB to SMB Relay

This attack relays NTLM authentication from one SMB service to another SMB service. It’s useful for accessing shares or performing attacks such as pass-the-hash.

ntlmrelayx.py -tf targets.txt -smb2support
  • -tf targets.txt: This specifies a list of target systems.
  • -smb2support: Enables support for SMBv2, commonly used in modern networks.

b. SMB to LDAP Relay (Adding a computer account)

This attack relays NTLM authentication to an LDAP service, often running on a Domain Controller (DC). Once relayed, you can add a computer account to the domain, which can then be used for further attacks such as Resource-Based Constrained Delegation (RBCD).

ntlmrelayx.py -t ldap://<DC-IP> --add-computer
  • -t ldap://<DC-IP>: Specifies the LDAP service running on the domain controller.
  • --add-computer: Automatically adds a new computer account to the domain, enabling future attacks.

c. HTTP to SMB Relay

You can relay authentication requests received over HTTP to an SMB service. This is useful when clients authenticate with NTLM over HTTP, for example to web applications or proxies.

ntlmrelayx.py -t smb://<TARGET-IP>
  • -t smb://<TARGET-IP>: Specifies the target SMB service to relay to.

d. HTTP to LDAP Relay

This attack relays NTLM authentication from an HTTP service to an LDAP service to modify domain objects, such as users or computers.

ntlmrelayx.py -t ldap://<DC-IP>

e. Listening for Inbound Authentication Requests

You can set NTLMRelayX to listen for inbound authentication requests using Responder or by poisoning LLMNR or NBNS traffic. Here’s how to use it with Responder:

  1. Start NTLMRelayX in relay mode:
ntlmrelayx.py -t smb://<TARGET-IP>
  2. Use Responder to poison traffic and force the target to authenticate:
responder -I <interface> -wrf

This will cause nearby systems to authenticate to your machine, allowing you to relay those authentication attempts.

4. Relay Exploitation: What Next?

Once you’ve successfully relayed authentication, you can perform further attacks based on the permissions of the relayed user:

  • SMB Relays: Access file shares, execute remote commands using PsExec-like methods.
  • LDAP Relays: Add users, create computer accounts, escalate privileges via resource-based constrained delegation (RBCD).
  • HTTP Relays: Access web applications or services using the relayed NTLM authentication.

5. Mitigations and Best Practices

To defend against NTLM relay attacks, implement the following controls:

  1. Enable SMB and LDAP Signing: Configure servers to require SMB signing and LDAP signing.
  2. Disable NTLM: Disable NTLM authentication where possible, especially on sensitive services.
  3. Enforce SMBv3: Use SMBv3, which has improved security features.
  4. Use TLS for LDAP: Enable LDAP over TLS (LDAPS) to encrypt communication and prevent relay attacks.
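The following PowerShell script is an added example, not part of this guide or of Impacket: it audits a Windows host for the controls listed above and for the LLMNR/NBNS name-resolution surface that the Responder scenario in section 3e relies on. The registry paths and value names are Microsoft’s documented settings; the expected values are the hardened ones (signing required, NTLMv2 only, NTLM denied, LLMNR and NetBIOS over TCP/IP off). One caveat the list above does not make explicit: LDAPS by itself does not stop a relay to port 636, which is why the script also checks LdapEnforceChannelBinding on domain controllers. Run it in an elevated session on each server you want to verify.

```powershell
# Added example (not from the original guide or from Impacket): audit the local
# host's registry for the settings that block NTLM relay and name poisoning.
# Every check reports FINDING when the value is absent, because the Windows
# default for each of these is the weak setting (signing optional, NTLM allowed,
# LLMNR on, NetBIOS on).

$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expected = 2; DcOnly = $true },
    @{ Name = 'LDAPS channel binding always enforced (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Expected = 2; DcOnly = $true },
    @{ Name = 'LM and NTLMv1 refused (NTLMv2 only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'Outbound NTLM denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Expected = 2 },
    @{ Name = 'Inbound NTLM denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Expected = 0 }
)

function Get-RelayHardeningStatus {
    # DomainRole 4 = backup DC, 5 = primary DC; NTDS settings only matter there.
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    foreach ($c in $checks) {
        if ($c.DcOnly -and -not $isDc) { continue }
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        } catch {
            # Key or value missing: Windows uses its (weak) default, reported below.
        }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'FINDING' }
        }
    }

    # NetBIOS over TCP/IP (NBNS) is configured per interface: NetbiosOptions 2 = disabled.
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in (Get-ChildItem -Path $ifaceRoot -ErrorAction SilentlyContinue)) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Check    = "NetBIOS over TCP/IP disabled ($($iface.PSChildName))"
            Actual   = if ($null -eq $opt) { 'not set (default)' } else { $opt }
            Expected = 2
            Status   = if ($opt -eq 2) { 'OK' } else { 'FINDING' }
        }
    }
}

Get-RelayHardeningStatus | Format-Table -AutoSize
```

Each FINDING row maps to one of the controls above: SMB or LDAP signing not required, NTLM still permitted in either direction, LM or NTLMv1 responses still accepted, or a name-resolution fallback (LLMNR, NBNS) still enabled on an interface. Roll the same checks out through Group Policy rather than fixing hosts one at a time, and re-run the script after the policy refresh to confirm the values actually landed.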

6. Example Commands for Real-World Scenarios

  • Relaying to SMB: Gain access to file shares or execute remote commands.
ntlmrelayx.py -t smb://192.168.1.100
  • Relaying to LDAP: Add a computer account to the domain.
ntlmrelayx.py -t ldap://192.168.1.200 --add-computer
  • Relaying to HTTP: Gain access to an HTTP resource with relayed credentials.
ntlmrelayx.py -t http://192.168.1.150

7. Conclusion

NTLMRelayX is an essential tool for penetration testers when performing NTLM relay attacks. By understanding how to relay authentication to various protocols, you can exploit misconfigurations in SMB, LDAP, HTTP, and other services, leading to privilege escalation and further network compromise. However, proper network hardening, including enforcing SMB/LDAP signing and disabling NTLM, can help mitigate these risks.