Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

NTLM Relay to Self (HTTP to LDAP) - Post Exploitation

Disclosed
Jan 1, 2001
Created
Jun 17, 2026

Description

This module performs an NTLM relay-to-self privilege escalation attack. It starts an HTTP-to-LDAP
relay server on the compromised host, then triggers the WebClient service via an ETW event
(allowing a low-privilege user to start it), and coerces the local machine account to authenticate
via OpenEncryptedFileRaw to the relay listener over WebDAV.

The coerced machine account NTLM authentication is relayed to a Domain Controller's LDAP service,
where the module writes Shadow Credentials (msDS-KeyCredentialLink) to its own AD object and
obtains a Kerberos TGT via PKINIT. The module then performs S4U2Proxy to obtain an impersonating
service ticket for Administrator, enabling psexec back to itself for SYSTEM access.

RUN_GET_TICKET and RUN_PSEXEC are independent toggles. An operator can obtain a ticket without running
psexec, run psexec with a previously obtained ticket, or run both sequentially. RUN_PSEXEC defaults to
false so the module does not automatically attempt lateral movement.

Author

jheysel-r7

Platform

Windows

Architectures

x64, x86

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/windows/local/ntlm_relay_2_self
msf exploit(ntlm_relay_2_self) > show targets
...targets...
msf exploit(ntlm_relay_2_self) > set TARGET < target-id >
msf exploit(ntlm_relay_2_self) > show options
...show and set options...
msf exploit(ntlm_relay_2_self) > exploit

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.