pkg relay
Jacob Paullus edited this page Apr 17, 2026 · 1 revision
Complete NTLM relay framework with pluggable capture servers, relay clients, and attack modules. This is the engine behind ntlmrelayx.
```
Capture Servers -> Relay Engine -> Relay Clients -> Attack Modules
(SMB, HTTP, ...)   (routing)       (SMB, LDAP, ...) (secretsdump, ...)
```

| Server | Description |
|---|---|
| SMB | Rogue SMB server capturing NTLM auth |
| HTTP/HTTPS | HTTP Negotiate/NTLM capture |
| WCF | Active Directory Web Services capture |
| RAW | Raw TCP NTLM capture |
| RPC | DCE/RPC NTLM capture |
| WinRM | WinRM NTLM capture |

| Client | Description |
|---|---|
| SMB | Relay to SMB targets |
| LDAP/LDAPS | Relay to LDAP (with TLS support) |
| HTTP/HTTPS | Relay to HTTP endpoints |
| MSSQL | Relay to SQL Server |
| WinRM | Relay to WinRM |
| RPC | Relay to DCE/RPC |

| Attack | Description |
|---|---|
| shares | Enumerate SMB shares |
| smbexec | Command execution via service creation |
| samdump | SAM hash extraction |
| secretsdump | Full NTDS.DIT extraction (DCSync) |
| tschexec | Execution via Task Scheduler |
| ldapdump | LDAP dump |
| delegate | RBCD manipulation |
| aclabuse | ACL modification |
| addcomputer | Machine account creation |
| shadowcreds | Shadow credentials attack |
| laps | LAPS password dumping |
| gmsa | gMSA password dumping |
| adddns | DNS record manipulation |
| mssqlquery | SQL query execution |
| adcs | ADCS certificate request (ESC8) |
| winrmexec | WinRM command execution |

| File | Description |
|---|---|
| config.go | Relay configuration (targets, attacks, servers) |
| attack.go | Attack module registry |
| client.go | Relay client abstractions |
| server.go | Relay capture server abstractions |
| console.go | Interactive relay console |
| api_server.go | REST API for relay orchestration |