RelayKing v1.0

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/depthsecurity/RelayKing-Depth/
• Blog Title: RelayKing v1.0
• Suggested Section: Windows Hardening -> Active Directory Methodology (add/update NTLM Relay / EPA-CBT / LDAP signing guidance) and/or Pentesting Network -> Spoofing LLMNR/NBT-NS/mDNS/WPAD and Relay Attacks (tooling section: RelayKing for identifying relayable targets + coercion surface)

🎯 Content Summary

Title/Project
RelayKing v1.0 (repository: depthsecurity/RelayKing-Depth) is a comprehensive Active Directory NTLM relay detection + enumeration tool designed to identify actionable NTLM relay attack opportunities across common enterprise protocols and produce reports/outputs (including a curated target list) that can be fed into Impacket’s ntlmrelayx.py.

What RelayKing is for (offensive + defensive value)
RelayKing’s goal is ...

🔧 Technical Details

Relay opportunity discovery via protocol hardening checks: Enumerate enterprise services (SMB, HTTP/HTTPS, LDAP/LDAPS, MSSQL, RPC, etc.) and determine whether anti-relay controls are enforced. SMB checks include signing requirements (and are possible without auth per the tool). Web and directory protocols are evaluated for EPA/CBT (channel binding) and signing requirements; the tool notes that reliable HTTPS and LDAPS CBT checks typically require authenticated probing. A service is generally a better relay target when it accepts NTLM while not enforcing these protections.

Build end-to-end relay chains by combining “NTLM capture” with “relayable targets”: Identify coercion primitives (PetitPotam, PrinterBug, DFSCoerce; optionally detectable unauthenticated as described) that can force a victim machine/user to authenticate outward to an attacker-controlled listener. Then relay that inbound NTLM to a destination service previously verified as relayable (e.g., SMB wi...

🤖 Agent Actions

Summary:

• Added a RelayKing section to the NTLM relay tooling page, outlining its relay exposure auditing capabilities (protocol EPA/CBT/signing checks, coercion/reflection detection, relay list generation) with practical usage examples and OPSEC cautions.
• Extended references to include the RelayKing repository and accompanying blog post.

Files Modified:

• src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/depthsecurity/RelayKing-Depth/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (add/update NTLM Relay / EPA-CBT / LDAP signing guidance) and/or Pentesting Network -> Spoofing LLMNR/NBT-NS/mDNS/WPAD and Relay Attacks (tooling section: RelayKing for identifying relayable targets + coercion surface)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0