Introducing RelayKing – Relay to Royalty

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/
• Blog Title: Introducing RelayKing – Relay to Royalty
• Suggested Section: Windows Hardening -> Active Directory Methodology (or a dedicated subsection under NTLM/Relay: add a page on 'NTLM Relay Surface Mapping & Auditing (RelayKing)' and cross-link from NTLM + 'Force NTLM Privileged Authentication')

🎯 Content Summary

What the post is about
The post introduces RelayKing, a Python tool to inventory, categorize, and report NTLM relay/reflection/coercion paths across an Active Directory (AD) environment, with an emphasis on solving the detection + reporting gap rather than replacing exploitation frameworks like Impacket’s ntlmrelayx.py, Responder, or mitm6.

Tool + links (as provided)
- RelayKing (Depth Security): https://github.com/depthsec...

🔧 Technical Details

Trick 1 — Domain-wide relay surface mapping (AD → DNS → port presence → per-protocol enforcement checks): Enumerate all enabled AD computer objects and FQDNs, then drop non-resolving hosts via fast multi-threaded DNS checks. Optionally port-scan only the default ports for selected protocols (e.g., 80/443/445/389/636/1433) so the scanner tests only live/listening services. For each confirmed service, determine relay viability by testing signing requirements (e.g., SMB/LDAP) and EPA/CBT requirements on TLS services (e.g., HTTPS/LDAPS). Export results in machine-readable formats and generate an ntlmrelayx-ready relay target list that includes correct URI schemes and (for HTTP/HTTPS) the discovered vulnerable URL paths.

Trick 2 — Correct mental model for why signing blocks relays: Protocol signing relies on a session key derived from the authenticated principal’s NT hash. In NTLM relay you only forward Net-NTLMv1/v2 challenge-response, not the NT hash, ...

🤖 Agent Actions

Summary:

• Added a detailed “RelayKing” section to the NTLM page covering domain-wide relay surface auditing, correct relay-blocking logic for signing/EPA, NTLMv1 caveats, and operational workflow/output generation.
• Documented per-protocol checks (HTTP/HTTPS CBT testing, SMB/LDAP/MSSQL/RPC/WinRM, WebDAV detection), reflection patch/UBR checks, NTLMv1 policy enumeration, and noisy mass-coercion options.
• Updated references with the RelayKing blog and repository links.

Tests:

• Not run (not applicable).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (or a dedicated subsection under NTLM/Relay: add a page on 'NTLM Relay Surface Mapping & Auditing (RelayKing)' and cross-link from NTLM + 'Force NTLM Privileged Authentication')".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0