Fancy NTLM Relay
Advanced NTLM relay attack toolkit for testing authentication security in Windows environments.
git clone https://github.com/MHaggis/notes.git && cd notes/utilities/FancyNTLMRelay
⚠ The Problem
NTLM relay attacks remain a significant threat in Windows environments, but testing defenses against these attacks requires understanding multiple coercion methods and relay techniques. Existing tools often focus on single attack vectors.
✓ The Solution
Fancy NTLM Relay provides a comprehensive toolkit for testing NTLM relay defenses, including multiple coercion methods (PetitPotam, PrinterBug, DFSCoerce), various relay targets (LDAP, SMB, HTTP), and automated exploitation chains.
⚡ Impact
Helps red teams validate NTLM relay defenses and assists blue teams in understanding attack patterns for better detection and prevention strategies.
Attack Vectors
Coercion Methods
- PetitPotam - EFS RPC coercion
- PrinterBug - Print Spooler coercion
- DFSCoerce - DFS RPC coercion
- ShadowCoerce - Shadow Copy coercion
Relay Targets
- LDAP/LDAPS - Domain controller attacks
- SMB - File share access
- HTTP/HTTPS - Web application attacks
- AD CS - Certificate services exploitation
Features
Automated Exploitation
- Chain multiple attack stages
- Automatic target discovery
- Credential relay and reuse
- Post-exploitation actions
Detection Evasion
- Randomized timing
- Multiple authentication paths
- Proxy support
- Custom user agents
Comprehensive Logging
- Detailed attack logs
- Captured credentials
- Success/failure tracking
- Timeline reconstruction
Use Cases
Red Team Operations
Test NTLM relay defenses during engagements.
Security Assessments
Validate authentication security controls.
Detection Development
Generate attack traffic for detection rule testing.
Training & Education
Demonstrate NTLM relay attacks in controlled environments.
Mitigations Tested
The tool helps validate:
- SMB signing enforcement
- LDAP signing and channel binding
- EPA (Extended Protection for Authentication)
- Network segmentation
- Credential Guard
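For the first two items in this list, a defender can confirm the configured state before any relay test. The following is an added example, not part of Fancy NTLM Relay: it parses `reg query` output collected from a host and reports whether SMB signing, LDAP signing and LDAP channel binding are enforced. The registry value names are the standard Windows ones, the sample output is constructed, and EPA, network segmentation and Credential Guard are not covered.

```python
import re

# Registry values behind three mitigations from the list above.
# Tuple: (key path suffix, value name, mitigation, minimum DWORD that enforces it)
CHECKS = [
    (r"Services\LanmanServer\Parameters", "RequireSecuritySignature",
     "SMB signing enforcement", 1),
    (r"Services\NTDS\Parameters", "LDAPServerIntegrity", "LDAP signing", 2),
    (r"Services\NTDS\Parameters", "LdapEnforceChannelBinding",
     "LDAP channel binding", 2),
]

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {(key_path_lower, value_name_lower): int} from `reg query` output."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
        elif key and (m := VALUE_LINE.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Map each mitigation to 'enforced', 'weak' or 'not set'."""
    values = parse_reg_query(text)
    report = {}
    for suffix, name, mitigation, minimum in CHECKS:
        found = [v for (k, n), v in values.items()
                 if k.endswith(suffix.lower()) and n == name.lower()]
        if not found:
            report[mitigation] = "not set"  # OS default applies; check the build
        else:
            report[mitigation] = "enforced" if min(found) >= minimum else "weak"
    return report


# Constructed sample: output collected from a hypothetical domain controller.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    LDAPServerIntegrity    REG_DWORD    0x2
"""

if __name__ == "__main__":
    for mitigation, state in audit(SAMPLE).items():
        print(f"{mitigation:26} {state}")
```

A "not set" result means the value is absent and the operating system default decides the behaviour, which differs between Windows builds.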
Responsible Use
This tool is for authorized security testing only. Always obtain proper authorization before testing NTLM relay attacks.