From 5bcf6bfb5dcbda6191df39ce1386fb7e9497668c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 30 Jan 2026 18:47:21 +0000 Subject: [PATCH] Add content from: RelayKing v1.0 --- ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index 894185bdc73..5e80c06bc25 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md 
@@ -126,6 +126,28 @@ python MultiRelay.py -t -u ALL -d # Dump hashes # Proxychains for routing traffic ``` +### RelayKing – relayable target discovery and curated relay lists + +RelayKing is an NTLM relay **exposure auditor** that maps where relays are viable and produces ready-to-use target lists for `ntlmrelayx.py -tf`. It checks protocol hardening (SMB signing/channel binding; HTTP/HTTPS/MSSQL/LDAP/LDAPS EPA/CBT; RPC auth) and flags **coercion/reflection helpers** (PetitPotam/PrinterBug/DFSCoerce, WebClient/WebDAV, NTLMv1, CVE-2025-33073 reflection). + +- Auth improves reliability for HTTPS/LDAPS CBT and MSSQL EPA checks; SMB signing/signature level is probed unauthenticated. +- Cross-protocol relay pathing leverages confirmed Net-NTLMv1 (`--ntlmv1`/`--ntlmv1-all`) findings; severity ranking is provided per path. +- `--gen-relay-list ` writes a grep-friendly target list for `ntlmrelayx.py -tf ` to avoid trial-and-error. +- `--coerce-all` mass-triggers PetitPotam/DFSCoerce/PrinterBug against all targets; `--ntlmv1-all` (RemoteRegistry) and `--audit` (domain-wide LDAP host pull) are **noisy** and generate many logons/remote accesses. +- `--proto-portscan` speeds scanning by skipping closed ports; `--krb-dc-only` helps when DCs block NTLM but other services still accept it. + +Example sweeps: + +```bash +# Authenticated audit across multiple protocols + generate relay list for ntlmrelayx +python3 relayking.py -u lowpriv -p 'P@ssw0rd!' -d lab.local --dc-ip 10.0.0.10 \ + --audit --protocols smb,ldap,ldaps,mssql,http,https --proto-portscan --ntlmv1 \ + --threads 10 -vv -o plaintext,json --output-file relayking-scan --gen-relay-list relaytargets.txt + +# Unauthenticated CIDR sweep for SMB/LDAP/HTTP relayability +python3 relayking.py --null-auth --protocols smb,ldap,http --proto-portscan -o plaintext 10.10.0.0/24 +``` + These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments. 
### Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8) @@ -315,7 +337,6 @@ You now own **NT AUTHORITY\SYSTEM**. - [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/) - [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/) - [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/) -- [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/) - [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html) - [WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)](https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight) - [GoSecure – Abusing WSUS to enable NTLM relaying attacks](https://gosecure.ai/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks) @@ -325,6 +346,8 @@ You now own **NT AUTHORITY\SYSTEM**. - [WSUScripts – wsuspider.sh](https://github.com/Coontzy1/WSUScripts/blob/main/wsuspider.sh) - [MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsusod/e00a5e81-c600-40d9-96b5-9cab78364416) - [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436) +- [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth) +- [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/) {{#include ../../banners/hacktricks-training.md}}
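Review bot: in the first hunk (`@@ -126,6 +126,28 @@`), the file placeholders after `--gen-relay-list ` and `ntlmrelayx.py -tf ` in the third bullet have been lost, most likely an angle-bracket placeholder that was treated as markup; use concrete names that match the example block instead, e.g. `--gen-relay-list relaytargets.txt` and `ntlmrelayx.py -tf relaytargets.txt`. The new `### RelayKing` subsection is also inserted between the previous section's closing code fence and its summary line "These tools and techniques form a comprehensive set for conducting NTLM Relay attacks...", so that sentence now reads as the conclusion of the RelayKing subsection; move the insertion after that sentence, directly before `### Abusing WSUS HTTP (8530)`. Finally, the fourth bullet marks only `--ntlmv1-all` and `--audit` as **noisy**, but `--coerce-all` triggers an authentication from every target and is at least as loud on the target side, so it should carry the same bold noisy tag so that readers scope it deliberately.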
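Review bot: in the second hunk (`@@ -315,7 +337,6 @@`), the deleted `https://intrinium.com/smb-relay-attack-tutorial/` entry is an exact duplicate of the first entry of the same reference list, so the removal is correct and needs no further change.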
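Review bot: in the third hunk (`@@ -325,6 +346,8 @@`), the two RelayKing references are appended after the WSUS-specific links (TrustedSec, GoSecure, WSUScripts, MS-WSUSOD, WSUS deprecation), which breaks the topical grouping of the list; place them after the generic relay references (the byt3bl33d3r NTLM-relaying guide) instead. Consider also titling the GitHub entry with the repository name (`RelayKing-Depth`) so that it is clear which link is the code and which is the Depth Security write-up.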