module
NTLM Relay to Self (HTTP to LDAP) - Post Exploitation
| Disclosed | Created |
|---|---|
| Jan 1, 2001 | Jun 17, 2026 |
Disclosed
Jan 1, 2001
Created
Jun 17, 2026
Description
This module performs an NTLM relay-to-self privilege escalation attack. It starts an HTTP-to-LDAP
relay server on the compromised host, then triggers the WebClient service via an ETW event
(allowing a low-privilege user to start it), and coerces the local machine account to authenticate
via OpenEncryptedFileRaw to the relay listener over WebDAV.
The coerced machine account NTLM authentication is relayed to a Domain Controller's LDAP service,
where the module writes Shadow Credentials (msDS-KeyCredentialLink) to its own AD object and
obtains a Kerberos TGT via PKINIT. The module then performs S4U2Proxy to obtain an impersonating
service ticket for Administrator, enabling psexec back to itself for SYSTEM access.
RUN_GET_TICKET and RUN_PSEXEC are independent toggles. An operator can obtain a ticket without running
psexec, run psexec with a previously obtained ticket, or run both sequentially. RUN_PSEXEC defaults to
false so the module does not automatically attempt lateral movement.
relay server on the compromised host, then triggers the WebClient service via an ETW event
(allowing a low-privilege user to start it), and coerces the local machine account to authenticate
via OpenEncryptedFileRaw to the relay listener over WebDAV.
The coerced machine account NTLM authentication is relayed to a Domain Controller's LDAP service,
where the module writes Shadow Credentials (msDS-KeyCredentialLink) to its own AD object and
obtains a Kerberos TGT via PKINIT. The module then performs S4U2Proxy to obtain an impersonating
service ticket for Administrator, enabling psexec back to itself for SYSTEM access.
RUN_GET_TICKET and RUN_PSEXEC are independent toggles. An operator can obtain a ticket without running
psexec, run psexec with a previously obtained ticket, or run both sequentially. RUN_PSEXEC defaults to
false so the module does not automatically attempt lateral movement.
Author
jheysel-r7
Platform
Windows
Architectures
x64, x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.