RelayKing is a comprehensive NTLM & Kerberos relay detection tool built to identify relay attack opportunities in Active Directory environments. It provides extensive protocol detection, coercion vulnerability assessment, and relay path analysis.
```
relayking/
├── relayking.py              # Main entry point
├── setup.py                  # Installation script
├── requirements.txt          # Python dependencies
├── LICENSE                   # MIT License
├── README.md                 # Project documentation
├── USAGE.md                  # Detailed usage guide
├── .gitignore                # Git ignore rules
├── targets.txt.example       # Example targets file
│
├── core/                     # Core functionality
│   ├── __init__.py
│   ├── banner.py             # ASCII art banner
│   ├── config.py             # Configuration & argument parsing
│   ├── target_parser.py      # Target parsing (CIDR, ranges, AD enum)
│   ├── scanner.py            # Main scanning orchestration
│   └── relay_analyzer.py     # Relay path analysis
│
├── protocols/                # Protocol-specific detectors
│   ├── __init__.py
│   ├── base_detector.py      # Base detector class
│   ├── smb_detector.py       # SMB/SMB2/SMB3 detection
│   ├── http_detector.py      # HTTP/HTTPS detection
│   ├── ldap_detector.py      # LDAP/LDAPS detection
│   ├── mssql_detector.py     # MSSQL detection
│   └── additional_detectors.py # SMTP/IMAP/WINRM detection
│
├── detectors/                # Specialized detectors
│   ├── __init__.py
│   ├── webdav_detector.py    # WebDAV/WebClient detection
│   ├── ntlm_reflection.py    # NTLM reflection detection
│   └── coercion.py           # Coercion vulnerability detection
│
└── output/                   # Output formatters
    ├── __init__.py
    └── formatters.py         # Multi-format output support
```

core/banner.py:
- ASCII art banner with branding
- Displayed on tool startup

core/config.py:
- Command-line argument parsing
- Configuration management
- Validation of user inputs

core/target_parser.py:
- Parse targets from various formats:
  - Individual IPs/hostnames
  - CIDR notation (e.g., 10.0.0.0/24)
  - IP ranges (e.g., 10.0.0.1-254)
  - Text files
- Active Directory computer enumeration via LDAP
- Target deduplication
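The target forms listed above, implemented as an added example (not the project's own target_parser.py): it expands single hosts, CIDR blocks, last-octet and full IP ranges, and the contents of a targets file, then deduplicates case-insensitively while keeping first-seen order. The function names, the comment-line handling and the sample input are this example's assumptions.

```python
"""Target expansion: single hosts, CIDR blocks, IP ranges and files -> deduplicated list."""
import ipaddress
from typing import Iterable, Iterator, List


def expand_target(spec: str) -> Iterator[str]:
    """Yield every host described by one target spec.

    Accepted forms: hostname or single IP, CIDR (10.0.0.0/24),
    last-octet range (10.0.0.1-254) and full range (10.0.0.1-10.0.0.20).
    """
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return  # blank line or comment in a targets file (assumed convention)

    if "/" in spec:
        # strict=False lets 10.0.0.5/24 mean "the /24 that contains 10.0.0.5"
        net = ipaddress.ip_network(spec, strict=False)
        # /31 and /32 have no network/broadcast to skip: use the addresses as-is
        hosts = net.hosts() if net.num_addresses > 2 else iter(net)
        for addr in hosts:
            yield str(addr)
        return

    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        try:
            start = ipaddress.ip_address(start_s)
        except ValueError:
            start = None  # a hyphenated hostname such as web-01.corp.local
        if start is not None:
            # "10.0.0.1-254" is shorthand for "10.0.0.1-10.0.0.254"
            if "." not in end_s:
                end_s = start_s.rsplit(".", 1)[0] + "." + end_s
            end = ipaddress.ip_address(end_s)
            if int(end) < int(start):
                raise ValueError(f"range end precedes start: {spec}")
            for n in range(int(start), int(end) + 1):
                yield str(ipaddress.ip_address(n))
            return

    # anything else is a single hostname or address
    yield spec


def parse_targets(specs: Iterable[str]) -> List[str]:
    """Expand every spec and deduplicate, preserving first-seen order."""
    seen = set()
    out: List[str] = []
    for spec in specs:
        for host in expand_target(spec):
            key = host.lower()  # DC01.corp.local and dc01.corp.local are one target
            if key not in seen:
                seen.add(key)
                out.append(host)
    return out


def parse_targets_file(text: str) -> List[str]:
    """Same as parse_targets, but over the contents of a targets file."""
    return parse_targets(text.splitlines())


if __name__ == "__main__":
    # constructed sample input; the CIDR and the range overlap on .1 and .2
    sample = ["dc01.corp.local", "10.0.0.0/30", "10.0.0.1-5", "DC01.corp.local"]
    print(parse_targets(sample))
```

Overlapping specs are the common case in practice (a CIDR from a scope file plus a hand-written range), which is why deduplication runs across all specs rather than per spec.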

core/scanner.py:
- Main orchestration engine
- Multi-threaded scanning
- Protocol detection coordination
- WebDAV detection
- NTLM reflection detection
- Coercion vulnerability detection
- Results aggregation

core/relay_analyzer.py:
- Identifies viable relay attack paths
- Prioritizes by impact (critical/high/medium/low)
- Cross-protocol relay detection
- NTLMv1 relay path analysis
- SCCM/ADCS server identification

protocols/base_detector.py:
- Abstract base class for all detectors
- Common interface for protocol detection
- Standardized result format (`ProtocolResult` dataclass)

protocols/smb_detector.py:
- SMB/SMB2/SMB3 version detection
- Signing requirement check
- Channel binding support (inferred from an SMB 3.1.1+ dialect)
- NTLMv1 support detection
- Anonymous/null session testing

protocols/http_detector.py:
- HTTP/HTTPS support
- EPA (Extended Protection) detection
- Channel binding detection (HTTPS)
- NTLM authentication presence
- SSL/TLS information gathering

protocols/ldap_detector.py:
- LDAP/LDAPS support
- Signing requirement check
- Channel binding detection (LDAPS)
- Domain Controller identification
- Anonymous bind testing

protocols/mssql_detector.py:
- MSSQL service detection
- EPA enforcement check
- Encryption/channel binding detection

protocols/additional_detectors.py:
- SMTP detection
- IMAP/IMAPS detection
- WINRM/WINRMS detection

detectors/webdav_detector.py:
- WebClient service detection
- Uses the DAV RPC Service pipe method
- Based on NetExec webdav module logic
- Critical for coercion attack identification

detectors/ntlm_reflection.py:
- Identifies NTLM reflection vulnerabilities
- Checks SMB signing status
- Checks HTTP EPA status
- Analyzes reflection attack paths

detectors/coercion.py:
- PetitPotam (MS-EFSRPC) detection
- PrinterBug (MS-RPRN/SpoolService) detection
- DFSCoerce (MS-DFSNM) detection
- Null authentication coercion support
- Authenticated coercion support
- Relay path integration

output/formatters.py:
- Plaintext: human-readable format with sections
- JSON: structured data for programmatic use
- XML: hierarchical data format
- CSV: spreadsheet-compatible format
- Grep-able: one line per result for easy filtering
- Markdown: documentation-ready format with tables

Threading model:
- Uses `concurrent.futures.ThreadPoolExecutor`
- Configurable thread pool size (default: 10)
- Thread-safe result aggregation
- Graceful exception handling per thread

Error handling:
- try/except blocks around all network operations
- Graceful degradation (partial results on errors)
- Detailed error reporting in verbose mode
- Connection timeouts (configurable, default: 5s)
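How the threading model and the error handling above fit together, as an added example rather than the project's scanner.py: a bounded `ThreadPoolExecutor`, a per-host worker that isolates each detector's failure so one timeout or one detector bug only loses that detector's findings, and aggregation in the calling thread, which needs no lock. The detectors here are constructed stand-ins that raise on chosen hosts; the names, hosts and result layout are this example's assumptions.

```python
"""Scan orchestration: bounded thread pool, per-target timeout, exception isolation."""
import concurrent.futures
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class HostResult:
    host: str
    findings: Dict[str, object] = field(default_factory=dict)  # detector name -> result
    errors: List[str] = field(default_factory=list)            # one entry per failed detector


# (host, timeout_seconds) -> findings; the timeout is meant for socket.settimeout()
Detector = Callable[[str, float], Dict[str, object]]


def scan_host(host: str, detectors: Dict[str, Detector], timeout: float) -> HostResult:
    """Run every detector against one host; a failing detector loses only its own findings."""
    result = HostResult(host)
    for name, detector in detectors.items():
        try:
            result.findings[name] = detector(host, timeout)
        except OSError as exc:
            # socket.timeout and ConnectionError are OSError subclasses: expected
            # network failures, recorded so the host still yields partial results
            result.errors.append(f"{name}: {exc.__class__.__name__}: {exc}")
        except Exception as exc:  # noqa: BLE001 - a detector bug must not abort the scan
            result.errors.append(f"{name}: unexpected {exc.__class__.__name__}: {exc}")
    return result


def run_scan(hosts: List[str], detectors: Dict[str, Detector],
             threads: int = 10, timeout: float = 5.0) -> Dict[str, HostResult]:
    """Scan hosts concurrently; results are written only by the calling thread."""
    results: Dict[str, HostResult] = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as pool:
        futures = {pool.submit(scan_host, h, detectors, timeout): h for h in hosts}
        for fut in concurrent.futures.as_completed(futures):
            host = futures[fut]
            try:
                results[host] = fut.result()
            except Exception as exc:  # noqa: BLE001 - scan_host itself failed
                results[host] = HostResult(host, errors=[f"worker: {exc!r}"])
    return results


# --- constructed detectors standing in for the real protocol checks ---
def fake_smb(host: str, timeout: float) -> Dict[str, object]:
    if host == "10.0.0.9":
        raise socket.timeout("timed out")       # unreachable host
    return {"signing_required": host == "10.0.0.1"}


def fake_ldap(host: str, timeout: float) -> Dict[str, object]:
    if host == "10.0.0.2":
        raise ValueError("malformed response")  # simulated parser bug in one detector
    return {"is_dc": host == "10.0.0.1"}


DEMO_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.9"]
DEMO_DETECTORS: Dict[str, Detector] = {"smb": fake_smb, "ldap": fake_ldap}

if __name__ == "__main__":
    for r in run_scan(DEMO_HOSTS, DEMO_DETECTORS, threads=2, timeout=1.0).values():
        print(r)
```

Catching `Exception` inside the worker is deliberate: without it a single malformed response from one host would propagate out of `fut.result()` and the scan would report nothing for that host, not even the detectors that succeeded.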

Dependencies:
- Impacket: protocol implementations (SMB, LDAP, MSSQL, RPC)
- Requests: HTTP/HTTPS operations
- dnspython: DNS resolution
- ldap3: LDAP operations (fallback option)
- pyasn1: ASN.1 encoding/decoding

Signing detection:
- SMB: uses Impacket's `isSigningRequired()` method
- LDAP: heuristic based on anonymous bind + DC detection (indirect; the definitive check is whether the server rejects an unsigned NTLM bind)
- HTTP: N/A (uses EPA instead)

EPA detection:
- HTTP/HTTPS: checks for channel binding requirements
- MSSQL: attempts connection with/without EPA
- Conservative approach: assumes EPA is enabled when the check is inconclusive, so an uncertain host is not reported as relayable (this trades false positives for possible false negatives)

Channel binding detection:
- SMB: SMB 3.1.1+ dialect detection (a heuristic; SMB 3.1.1 adds pre-authentication integrity, it does not report an enforced channel binding)
- LDAPS: assumed enabled for modern servers (an assumption, not an observed value; enforcement is set per DC by the `LdapEnforceChannelBinding` setting)
- HTTPS: TLS channel binding capability check
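Impacket's `isSigningRequired()` answers from the SecurityMode field of the server's SMB2 NEGOTIATE response, and the SMB channel binding heuristic above is a dialect check on the same message. The added example below (not project code) decodes both directly from a raw response so the meaning of each bit is visible: only SIGNING_REQUIRED blocks relay, because a server that merely has signing *enabled* will proceed with a client that does not sign. The packets are constructed with a helper rather than captured, and the Windows defaults named in `__main__` are typical pre-2025 values.

```python
"""Decide SMB relayability from the SMB2 NEGOTIATE response: SecurityMode and dialect."""
import struct

SMB2_HEADER_LEN = 64
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
# MS-SMB2 2.2.4 SecurityMode flags
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

# Fixed part of the NEGOTIATE response (MS-SMB2 2.2.4): StructureSize, SecurityMode,
# DialectRevision, NegotiateContextCount, ServerGuid, Capabilities, MaxTransactSize,
# MaxReadSize, MaxWriteSize, SystemTime, ServerStartTime, SecurityBufferOffset,
# SecurityBufferLength, NegotiateContextOffset. 64 bytes; StructureSize says 65
# because it counts the first byte of the variable security buffer.
_NEG_RESP = struct.Struct("<HHHH16sIIIIQQHHI")


def parse_negotiate_response(pkt: bytes) -> dict:
    """Return signing/dialect facts from a raw SMB2 NEGOTIATE response (header included)."""
    if len(pkt) < SMB2_HEADER_LEN + _NEG_RESP.size:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if pkt[:4] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", pkt, 12)[0]   # Command sits at header offset 12
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"unexpected SMB2 command 0x{command:04x}")
    fields = _NEG_RESP.unpack_from(pkt, SMB2_HEADER_LEN)
    size, sec_mode, dialect = fields[0], fields[1], fields[2]
    if size != 65:
        raise ValueError(f"unexpected NEGOTIATE response StructureSize {size}")
    required = bool(sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return {
        "dialect": DIALECTS.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(sec_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": required,
        # 3.1.1 negotiates pre-authentication integrity; treating that as
        # "channel binding capable" is a dialect heuristic, not an enforcement check
        "preauth_integrity": dialect == 0x0311,
        # relay succeeds whenever the server does not insist on signing
        "relayable": not required,
    }


def build_sample_response(sec_mode: int, dialect: int) -> bytes:
    """Constructed test vector: minimal SMB2 header plus NEGOTIATE response body."""
    header = bytearray(SMB2_HEADER_LEN)
    header[:4] = SMB2_PROTOCOL_ID
    struct.pack_into("<H", header, 4, 64)           # header StructureSize
    struct.pack_into("<H", header, 12, SMB2_NEGOTIATE)
    struct.pack_into("<I", header, 16, 0x00000001)  # Flags: SMB2_FLAGS_SERVER_TO_REDIR
    body = _NEG_RESP.pack(65, sec_mode, dialect, 0, b"\x00" * 16, 0x2F,
                          0x800000, 0x800000, 0x800000, 0, 0,
                          SMB2_HEADER_LEN + _NEG_RESP.size, 0, 0)  # empty security buffer
    return bytes(header) + body


if __name__ == "__main__":
    workstation = SMB2_NEGOTIATE_SIGNING_ENABLED                                  # enabled, not required
    dc = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED          # required
    print("workstation:", parse_negotiate_response(build_sample_response(workstation, 0x0311)))
    print("domain controller:", parse_negotiate_response(build_sample_response(dc, 0x0302)))
```

A host reporting `signing_enabled` but not `signing_required` is the one worth listing: that is the configuration `isSigningRequired()` returns False for, and the one a relay to SMB needs.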

WebDAV detection:
- Attempts to open the `DAV RPC SERVICE` pipe in IPC$
- Based on @tifkin_'s technique
- Works with both authenticated and null sessions

Coercion detection:
- Connects to specific RPC pipes:
  - `\pipe\efsrpc` for PetitPotam
  - `\pipe\spoolss` for PrinterBug
  - `\pipe\netdfs` for DFSCoerce
- Works with null auth (PetitPotam, DFSCoerce) or credentials

Relay path analysis:
1. Identify Sources: find protocols without signing/EPA
2. Identify Destinations: find accessible protocols
3. Cross-Reference: match sources to destinations
4. Prioritize: assign impact levels
5. Filter: remove impossible/redundant paths
6. Output: present sorted by priority

Priority calculation:
- LDAP/LDAPS without protections: CRITICAL
- SMB/MSSQL without protections: HIGH
- HTTP/HTTPS without EPA: MEDIUM
- Other protocols: LOW
- Cross-host relay: +1 priority
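The six steps and the priority table, carried through as an added example (not the project's relay_analyzer.py). It models a relay path as a host whose authentication can be coerced, relayed to an endpoint that lacks signing or EPA, so the endpoints step 1 finds are the relay targets here. The `ProtocolResult` fields, the same-host SMB filter used for step 5, and the reading of "+1 priority" as one step up the scale capped at CRITICAL are this example's assumptions, and the scan results are constructed.

```python
"""Relay path analysis: cross-reference coercible hosts with unprotected NTLM endpoints, rank."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass(frozen=True)
class ProtocolResult:          # assumed shape of a per-endpoint scan result
    host: str
    protocol: str              # SMB, LDAP, LDAPS, HTTP, HTTPS, MSSQL, SMTP, ...
    port: int
    ntlm: bool = True          # endpoint accepts NTLM authentication
    signing_required: Optional[bool] = None   # SMB / LDAP
    epa_enforced: Optional[bool] = None       # HTTP(S) / LDAPS / MSSQL
    coercible: bool = False    # a coercion vector (efsrpc, spoolss, netdfs, WebClient) was found


@dataclass(frozen=True)
class RelayPath:
    source_host: str           # whose authentication gets relayed
    target: ProtocolResult     # where it is relayed to
    priority: str
    cross_host: bool


def lacks_protection(r: ProtocolResult) -> bool:
    """Step 1: signing (SMB/LDAP) or EPA/channel binding (HTTP(S), LDAPS, MSSQL) missing."""
    if not r.ntlm:
        return False
    if r.protocol in ("SMB", "LDAP"):
        return r.signing_required is False      # unknown (None) is not reported
    if r.protocol in ("HTTP", "HTTPS", "LDAPS", "MSSQL"):
        return r.epa_enforced is False
    return True                                 # other NTLM services: no protection modelled


def base_priority(protocol: str) -> str:
    """Step 4: the README's impact table."""
    if protocol in ("LDAP", "LDAPS"):
        return "CRITICAL"
    if protocol in ("SMB", "MSSQL"):
        return "HIGH"
    if protocol in ("HTTP", "HTTPS"):
        return "MEDIUM"
    return "LOW"


def bump(level: str) -> str:
    """'+1 priority' read as one step up the scale, capped at CRITICAL (assumption)."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def analyze(results: List[ProtocolResult]) -> List[RelayPath]:
    targets = [r for r in results if lacks_protection(r)]           # step 1
    sources = sorted({r.host for r in results if r.coercible})       # step 2: where auth comes from
    paths: List[RelayPath] = []
    for src in sources:                                              # step 3: cross-reference
        for tgt in targets:
            cross = src != tgt.host
            # step 5 (illustrative rule): same-host SMB -> SMB is reflection, not relay,
            # and belongs to the reflection detector
            if not cross and tgt.protocol == "SMB":
                continue
            prio = base_priority(tgt.protocol)                       # step 4
            if cross:
                prio = bump(prio)
            paths.append(RelayPath(src, tgt, prio, cross))
    # step 6: highest priority first, then a deterministic order for stable output
    paths.sort(key=lambda p: (-LEVELS.index(p.priority), p.target.host,
                              p.target.protocol, p.source_host))
    return paths


def grepable(p: RelayPath) -> str:
    """One line per path, in the spirit of the grep-able output format."""
    return (f"{p.priority}\t{p.source_host}\t->\t{p.target.protocol}://"
            f"{p.target.host}:{p.target.port}\tcross_host={p.cross_host}")


SAMPLE = [  # constructed scan results
    ProtocolResult("10.0.0.1", "LDAP", 389, signing_required=False),
    ProtocolResult("10.0.0.1", "LDAPS", 636, epa_enforced=False),
    ProtocolResult("10.0.0.1", "SMB", 445, signing_required=True, coercible=True),
    ProtocolResult("10.0.0.20", "SMB", 445, signing_required=False, coercible=True),
    ProtocolResult("10.0.0.30", "HTTP", 80, epa_enforced=False),
    ProtocolResult("10.0.0.40", "MSSQL", 1433, epa_enforced=True),
]

if __name__ == "__main__":
    for path in analyze(SAMPLE):
        print(grepable(path))
```

With this input the DC's own unsigned LDAP is reachable from both coercible hosts and the protected MSSQL instance never appears, which is the behaviour to check first when the real analyzer's output looks too long or too short.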