RelayKing v1.0

src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

@@ -126,6 +126,28 @@ python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
 # Proxychains for routing traffic
 ```
 
+### RelayKing – relayable target discovery and curated relay lists
+
+RelayKing is an NTLM relay **exposure auditor** that maps where relays are viable and produces ready-to-use target lists for `ntlmrelayx.py -tf`. It checks protocol hardening (SMB signing/channel binding; HTTP/HTTPS/MSSQL/LDAP/LDAPS EPA/CBT; RPC auth) and flags **coercion/reflection helpers** (PetitPotam/PrinterBug/DFSCoerce, WebClient/WebDAV, NTLMv1, CVE-2025-33073 reflection).
+
+- Auth improves reliability for HTTPS/LDAPS CBT and MSSQL EPA checks; SMB signing/signature level is probed unauthenticated.
+- Cross-protocol relay pathing leverages confirmed Net-NTLMv1 (`--ntlmv1`/`--ntlmv1-all`) findings; severity ranking is provided per path.
+- `--gen-relay-list <file>` writes a grep-friendly target list for `ntlmrelayx.py -tf <file>` to avoid trial-and-error.
+- `--coerce-all` mass-triggers PetitPotam/DFSCoerce/PrinterBug against all targets; `--ntlmv1-all` (RemoteRegistry) and `--audit` (domain-wide LDAP host pull) are **noisy** and generate many logons/remote accesses.
+- `--proto-portscan` speeds scanning by skipping closed ports; `--krb-dc-only` helps when DCs block NTLM but other services still accept it.
+
+Example sweeps:
+
+```bash
+# Authenticated audit across multiple protocols + generate relay list for ntlmrelayx
+python3 relayking.py -u lowpriv -p 'P@ssw0rd!' -d lab.local --dc-ip 10.0.0.10 \
+  --audit --protocols smb,ldap,ldaps,mssql,http,https --proto-portscan --ntlmv1 \
+  --threads 10 -vv -o plaintext,json --output-file relayking-scan --gen-relay-list relaytargets.txt
+
+# Unauthenticated CIDR sweep for SMB/LDAP/HTTP relayability
+python3 relayking.py --null-auth --protocols smb,ldap,http --proto-portscan -o plaintext 10.10.0.0/24
+```
+
 These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
 
 ### Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)
@@ -315,7 +337,6 @@ You now own **NT AUTHORITY\SYSTEM**.
 - [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
 - [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
 - [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
-- [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
 - [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
 - [WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)](https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight)
 - [GoSecure – Abusing WSUS to enable NTLM relaying attacks](https://gosecure.ai/blog/2021/11/22/gosecure-investigates-abusing-windows-server-update-services-wsus-to-enable-ntlm-relaying-attacks)
@@ -325,6 +346,8 @@ You now own **NT AUTHORITY\SYSTEM**.
 - [WSUScripts – wsuspider.sh](https://github.com/Coontzy1/WSUScripts/blob/main/wsuspider.sh)
 - [MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsusod/e00a5e81-c600-40d9-96b5-9cab78364416)
 - [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)
+- [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth)
+- [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/)
 
 {{#include ../../banners/hacktricks-training.md}}