diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index 8fbfad95d9a..3f782e4baf8 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -243,7 +243,7 @@ Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38 Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 -Target dcorp-mgmt.dollarcorp.moneycorp.local -verbose ``` -#### Invoke-TheHash +### Invoke-TheHash This function is a **mix of all the others**. You can pass **several hosts**, **exclude** someones and **select** the **option** you want to use (_SMBExec, WMIExec, SMBClient, SMBEnum_). If you select **any** of **SMBExec** and **WMIExec** but you **don't** give any _**Command**_ parameter it will just **check** if you have **enough permissions**. @@ -295,6 +295,27 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}} +## Domain-wide NTLM relay surface auditing (RelayKing) + +**RelayKing** maps relay/reflection/coercion paths across an AD forest and builds **ntlmrelayx-ready target lists**. It checks multiple protocols per host and flags edge cases (reflection, NTLMv1, WebClient coercion) that single-protocol scanners miss. + +- **Why signing/EPA stop relays:** signed SMB/LDAP/MSSQL/WinRM actions and EPA/CBT need a session key derived from the victim’s **NT hash**, which the relayer never sees. NTLMv1 lacks MIC/AV pairs (`MsvAvChannelBindings`/`MsvAvFlags`), so signing flags can be stripped and CBT cannot work. +- **Example “best coverage” run:** + ```bash + python3 relayking.py -u 'lowpriv' -p 'lowpriv-password' -d client.domain.local --dc-ip 10.0.0.1 -vv --audit --protocols smb,ldap,ldaps,mssql,http,https --threads 10 -o plaintext,json --output-file relayking-scan --proto-portscan --ntlmv1 --gen-relay-list relaytargets.txt + ``` +- **Workflow highlights:** + - Pulls enabled computer objects (`--audit`), resolves FQDNs, drops non-resolving entries and portscans only default ports for requested protocols (`--proto-portscan`). + - Tests signing/EPA/CBT for SMB/LDAP/LDAPS/MSSQL/HTTP(S)/SMTP/IMAP/RPC/WinRM/WinRMS (IMAP/SMTP lightly tested; WinRMS detection weak). + - HTTP(S): probes common NTLM paths; HTTP is relayable once NTLM is enabled; HTTPS uses differential CBT tests with valid creds. + - RPC: tries `RPC_C_AUTHN_LEVEL_CONNECT/CALL` and can enumerate endpoints when unsigned. + - WinRM: usually non-relayable because sessions must be signed with keys derived from the NT hash; flagged accordingly. + - WebDAV: checks `IPC$` for the `DAV RPC SERVICE` pipe before marking enabled. + - Reflection patching: reads host **UBR** to flag builds vulnerable to **CVE-2025-33073** and checks PrintSpooler for PrinterbugNew coercion. + - NTLMv1 policy: `--ntlmv1` reads GPO; `--ntlmv1-all` queries host `LmCompatibilityLevel` via **RemoteRegistry** (noisy, often needs local admin). + - `--coerce-all` (with `--audit`) launches PetitPotam/DFSCoerce/PrinterBug against every domain-joined host (very noisy). + - Outputs plaintext/JSON/XML/CSV/grep/markdown plus per-path relay lists; prune noisy targets before use. + ## Parse NTLM challenges from a network capture **You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide) @@ -345,5 +366,7 @@ krbrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support ## References * [NTLM Reflection is Dead, Long Live NTLM Reflection!](https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html) * [MSRC – CVE-2025-33073](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) +* [Introducing RelayKing – Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/) +* [RelayKing (Depth Security) GitHub](https://github.com/depthsecurity/RelayKing-Depth) {{#include ../../banners/hacktricks-training.md}}