OPSEC-Aware NTLM Relay Operations Framework by RedteamNotes
RelayX is a Python-first framework for authorized red team assessments. It is
inspired by and built with deep respect for Impacket's ntlmrelayx and the
broader NTLM relay research community. Its purpose is to extend relay workflows
from target discovery and readiness analysis to path prioritization, OPSEC
planning, controlled execution, evidence collection, and remediation
intelligence.
This initial release is a safe MVP. It performs low-noise readiness assessment,
path modeling, target-only validation, source-trigger planning, and controlled
execution records. It does not perform credential relay or coercion by
default.
- Native SMB2 negotiate probe for SMB signing requirements.
- HTTP/HTTPS NTLM challenge-flow checks, including Type2 challenge parsing, AD CS `/certsrv`, and WinRM hints.
- LDAP/LDAPS rootDSE checks plus SASL NTLM Type1/Type2 challenge-flow evidence without submitting credentials. Explicit synthetic Type3 validation is available with `--auth-validation`.
- MSSQL TDS prelogin plus Login7 integrated-security SSPI Type1/Type2 challenge-flow evidence. RelayX requests TDS-wrapped TLS by default and records `tls-server-end-point` CBT evidence when the server completes TLS.
- Conservative response classifiers for HTTP, LDAP/LDAPS, and MSSQL authenticate-validation semantics via the shared `relayx_response_classification` evidence key.
- Relay candidate modeling with evidence, blockers, OPSEC notes, and fixes.
- P1 source capability modeling for WebClient/WebDAV, Spooler, EFSRPC, DFSNM, FSRVP, MSSQL outbound authentication, ADIDNS, Ghost SPN, and name-resolution inducement.
- Concrete source-to-target path expansion with scope guardrails, route metadata, and OPSEC noise filtering.
- P2 Relay Calculus annotations with rule IDs, target families, preconditions, hardening gates, decisions, and defensive control mappings.
- OPSEC dry-run plans with expected telemetry and rollback notes. Plans can be exported as JSON artifacts.
- P3 lab calibration profiles for HTTP/IIS EPA, AD CS Web Enrollment EPA, LDAP signing, LDAPS CBT, and MSSQL encryption/EPA policy states.
- Calibration commands that subdivide `synthetic_auth_rejected` into profile-backed states and explain why a finding can or cannot be promoted.
- P4 active validation harness with dry-run, armed, and confirmed modes, scope/noise/timebox guardrails, JSONL audit logs, and optional target-only protocol re-probes.
- P5 source validation planning for WebClient/WebDAV, RPC coercion surfaces, MSSQL outbound authentication, and name-resolution paths, with optional TCP-only reachability checks and explicit forbidden actions.
- P6 controlled execution core with dry-run, armed, and confirmed modes, scope/noise/timebox/readiness guardrails, module registry, JSONL audit logs, and optional result annotation.
- P7 execution module SDK with built-in and JSON manifest-backed module inventory, path-to-module compatibility planning, and a safe `relayx_audit_record` offline adapter.
- P7 enterprise outputs: BloodHound/OpenGraph-style custom graph export, JSONL/CSV SIEM-friendly exports, scan diffs, remediation impact simulation, bundled profiles, and release packaging metadata.
- CLI commands for scan, summary, sources, paths, calculus, controls, source-check, source-plan, calibrate, compare-baseline, validate, profiles, export, diff, simulate-fixes, modules, module-plan, run, rank, explain, fixes, plan, and report.
- JSON, Markdown, HTML, Mermaid, and CSV outputs.
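The SMB2 negotiate probe listed above comes down to reading the SecurityMode field of the server's NEGOTIATE response. The following is an added example, not RelayX code: it classifies a raw response the way such a probe would (field offsets per MS-SMB2), using a constructed sample response in place of a live capture; the output keys are an assumption rather than RelayX's evidence schema.

```python
"""Classify the SMB signing requirement from a raw SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def classify_smb_signing(packet: bytes) -> dict:
    """Readiness verdict for one host; `packet` excludes the 4-byte NetBIOS length prefix."""
    if len(packet) < SMB2_HEADER_LEN + 6 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", packet, 12)[0]          # Command field
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response (command=%#x)" % command)
    struct_size, mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE StructureSize %d" % struct_size)
    required = bool(mode & SIGNING_REQUIRED)
    return {                                                   # assumed output keys
        "dialect": "0x%04x" % dialect,
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": required,
        # A relaying party never learns the session key, so required signing
        # is a hard blocker for SMB as a relay target.
        "blocker": "smb_signing_required" if required else None,
        "fix": None if required else "require SMB signing on this host",
        "evidence": "SMB2 NEGOTIATE SecurityMode=0x%04x" % mode,
    }


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed (not captured) server response used as offline sample input."""
    header = (SMB2_MAGIC
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 1, 0, 0, 0, 0, 0)
              + b"\0" * 16)                                    # zeroed Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\0" * 16  # ServerGuid
            + struct.pack("<IIII", 0x2F, 0x800000, 0x800000, 0x800000)
            + struct.pack("<QQ", 0, 0) + struct.pack("<HHI", 128, 0, 0) + b"\0")
    return header + body
```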
```bash
python3 -m relayx scan --targets examples/targets.txt --out result.json
python3 -m relayx scan --profile enterprise --targets examples/targets.txt --sources examples/sources.csv --scope examples/scope.txt --out result.json
python3 -m relayx scan --targets examples/targets.txt --out result.json --no-challenge-flow
python3 -m relayx scan --targets examples/targets.txt --out result.json --no-mssql-tls
python3 -m relayx scan --targets examples/targets.txt --out result.json --auth-validation
python3 -m relayx scan --targets examples/targets.txt --sources examples/sources.csv --scope examples/scope.txt --max-noise medium --out result.json
python3 -m relayx summary result.json
python3 -m relayx sources result.json
python3 -m relayx source-check --sources examples/sources.csv --max-noise medium
python3 -m relayx source-plan --sources examples/sources.csv --source ws01.lab.local --capability webclient --max-noise medium
python3 -m relayx paths result.json
python3 -m relayx calculus result.json
python3 -m relayx controls result.json
python3 -m relayx calibrate result.json --profiles fixtures/lab_profiles
python3 -m relayx compare-baseline --baseline epa-off.json --candidate epa-required.json --profiles fixtures/lab_profiles
python3 -m relayx plan result.json PX-0001 --format json --out plan.json
python3 -m relayx validate --result result.json --path-id PX-0001 --mode dry-run
python3 -m relayx validate --result result.json --path-id PX-0001 --mode confirmed --confirm --operator redpen --reason "authorized target reprobe" --audit-log audit.jsonl --reprobe
python3 -m relayx profiles
python3 -m relayx export --result result.json --format opengraph --out relayx-opengraph.json
python3 -m relayx export --result result.json --format jsonl --out relayx-events.jsonl
python3 -m relayx diff old-result.json new-result.json --format json --out relayx-diff.json
python3 -m relayx simulate-fixes result.json --control smb_signing --format json
python3 -m relayx modules --manifests fixtures/execution_modules
python3 -m relayx module-plan --result result.json --path-id PX-0001 --module relayx_audit_record
python3 -m relayx run --result result.json --path-id PX-0001 --mode dry-run
python3 -m relayx run --result result.json --path-id PX-0001 --mode confirmed --confirm --operator redpen --reason "authorized execution record" --audit-log audit.jsonl --accept-non-ready
python3 -m relayx run --result result.json --path-id PX-0001 --module relayx_audit_record --mode confirmed --confirm --operator redpen --reason "authorized offline audit record" --audit-log audit.jsonl
python3 -m relayx fixes result.json
python3 -m relayx report result.json --format html --out report.html
```

```text
relayx scan              Assess targets and write a RelayX result file
relayx assess            Alias for scan
relayx summary           Summarize findings and candidate paths
relayx matrix            Show relay readiness matrix by host and protocol
relayx sources           Show source assets and modeled capabilities
relayx source-check      Check modeled source capabilities without executing triggers
relayx source-plan       Create a single-source source-trigger validation plan
relayx paths             List relay candidate paths
relayx calculus          Show RelayX rule decisions and hardening gates
relayx controls          Show defensive control priorities from RelayX calculus
relayx calibrate         Apply lab calibration profiles to a RelayX result
relayx compare-baseline  Compare baseline and candidate lab result signatures
relayx validate          Run the P4 active validation harness
relayx profiles          List bundled RelayX profiles
relayx export            Export enterprise-friendly RelayX artifacts
relayx diff              Compare two RelayX result files
relayx simulate-fixes    Simulate remediation impact on RelayX paths
relayx modules           List P7 execution module manifests
relayx module-plan       Evaluate P7 execution modules for one path
relayx run               Run the P6/P7 controlled execution core
relayx rank              Rank paths by impact, confidence, and OPSEC cost
relayx explain           Explain one host or one path
relayx plan              Create an OPSEC-aware dry-run plan for one path
relayx fixes             Show remediation priorities
relayx report            Export JSON, Markdown, HTML, Mermaid, or CSV
```
- OPSEC-first: default mode is low-noise readiness assessment.
- No credential submission by default: challenge-flow probes stop at Type2 evidence and do not send NTLM authenticate messages.
- Explicit authenticate validation: `--auth-validation` sends synthetic NTLM Type3 messages with random placeholder credentials for HTTP, MSSQL, and LDAP/LDAPS where supported. It is useful for observing server-side rejection semantics, but it can create failed logon telemetry and is off by default.
- CBT evidence, not overclaiming: TLS certificate hashes are collected as `tls-server-end-point` evidence where available, but EPA/CBT enforcement is not promoted beyond conservative response classification without lab calibration.
- Evidence-driven: every conclusion should carry evidence, confidence, and caveats.
- Path-oriented: RelayX models `source -> transport -> target -> impact -> blockers -> fixes`.
- Source-aware: P1 can combine operator-supplied source capability profiles with target readiness evidence while keeping active coercion out of scope.
- Scoped by design: optional scope guardrails can filter targets and source profiles before path construction.
- Calculus before execution: P2 turns evidence into rule decisions, preconditions, expected telemetry, rollback notes, and control mappings while still refusing to execute relay or coercion.
- Calibration before claims: P3 can promote conservative classifier output only when a lab profile and baseline difference support that promotion.
- Validation before execution: P4 can audit and optionally re-probe a target service, but it never triggers source-side coercion or credential relay.
- Source planning without triggering: P5 models source-side capabilities and can perform TCP-only reachability checks, but it does not issue WebDAV, RPC, SQL, DNS, SPN, or relay actions.
- Controlled execution core before live modules: P6 provides the audited state machine, readiness gates, and evidence annotation for execution. Live relay modules are deliberately unavailable by default and must be registered, lab-validated, scoped, and confirmed before use.
- Module contracts before protocol adapters: P7 makes execution modules explicit manifests with target-family, source-capability, mode, artifact, and forbidden-action contracts. The built-in supported adapter is offline audit recording only; live relay remains unavailable by default.
- Enterprise output is source-backed: graph, SIEM, diff, and remediation simulation outputs are derived from the same evidence-rich `ScanResult` model instead of being separate reporting scripts.
- Respect the ecosystem: RelayX stands on the shoulders of existing public research and tooling.
- Red/Blue readable: output should be useful to operators, defenders, and report readers.
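The HTTP challenge-flow feature and the "stop at Type2 evidence" principle both rest on decoding the server's CHALLENGE_MESSAGE and going no further. The following is an added example, not RelayX code: it parses a `WWW-Authenticate: NTLM` challenge into target evidence (field layout per MS-NLMP) without ever constructing a Type3; the sample challenge is constructed rather than captured, and the output keys are an assumption, not RelayX's evidence schema.

```python
"""Decode an NTLM CHALLENGE_MESSAGE (Type2, MS-NLMP 2.2.1.2) into evidence; no Type3 is built."""
import base64
import struct
NTLMSSP = b"NTLMSSP\x00"
FLAG_NAMES = {0x10: "NEGOTIATE_SIGN", 0x20: "NEGOTIATE_SEAL", 0x10000: "TARGET_TYPE_DOMAIN",
              0x20000: "TARGET_TYPE_SERVER", 0x80000: "EXTENDED_SESSIONSECURITY",
              0x800000: "NEGOTIATE_TARGET_INFO", 0x2000000: "NEGOTIATE_VERSION"}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}          # MsvAv* ids carrying names

def parse_type2(blob: bytes) -> dict:
    """Return target name, relay-relevant flags, challenge and AV_PAIR target info."""
    if blob[:8] != NTLMSSP or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    info, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:                          # walk AV_PAIRs to MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        value, pos = blob[pos:pos + av_len], pos + av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return {"target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "flags": sorted(n for b, n in FLAG_NAMES.items() if flags & b),
            "server_challenge_hex": blob[24:32].hex(), "target_info": info}

def parse_www_authenticate(header: str) -> dict:
    """Decode the `WWW-Authenticate: NTLM <base64>` challenge leg of an HTTP probe."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header is not an NTLM challenge")
    return parse_type2(base64.b64decode(token))

def build_sample_type2(host: str, domain: str, flags: int = 0x00818215) -> bytes:
    """Constructed (not captured) challenge; 48-byte fixed part, no Version field."""
    target = domain.encode("utf-16-le")
    pairs = ((2, target), (1, host.encode("utf-16-le")),
             (4, (domain + ".lab.local").lower().encode("utf-16-le")))
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + b"\0" * 4
    return (NTLMSSP + struct.pack("<IHHII", 2, len(target), len(target), 48, flags)
            + b"\x11" * 8 + b"\0" * 8                         # ServerChallenge, Reserved
            + struct.pack("<HHI", len(av), len(av), 48 + len(target)) + target + av)

SAMPLE_HEADER = "NTLM " + base64.b64encode(build_sample_type2("DC01", "CORP")).decode()
```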
RelayX is informed by the work of the NTLM relay research and tooling community, especially:
- Fortra Impacket and `ntlmrelayx`
- NetExec
- LdapRelayScan
- RelayInformer
- RelayKing
- Coercer
- WebRelayX
- Microsoft documentation on SMB signing, LDAP signing/channel binding, IIS Extended Protection for Authentication, AD CS relay mitigations, and NTLM hardening
- Microsoft Open Specifications for TDS (`MS-TDS`)
RelayX does not vendor code from GPL projects. Protocol and detection ideas are credited here and should be treated with respect.
RelayX is intended for systems you own or are explicitly authorized to assess.
The MVP focuses on readiness analysis and reporting. Future active validation
or live relay execution should remain explicit, scoped, logged, and off by
default. The P6/P7 run command records controlled execution decisions and can
execute the offline audit adapter, but the core does not capture or forward
credentials.
