
After each scan group completes, RelayKing automatically runs relay path analysis across all collected results. No additional flags are required — the analyzer runs as part of every scan.

How paths are identified

The analysis follows a six-step algorithm:
  1. Identify sources — Protocols without signing or Extended Protection for Authentication (EPA) enforcement are candidates for coerced or captured authentication.
  2. Identify destinations — Protocols that are accessible and relayable on each host become potential relay destinations.
  3. Cross-reference — Sources are matched to viable destinations to form candidate paths.
  4. Prioritize — Each path is assigned an impact level based on the destination protocol and host role.
  5. Filter — Impossible or redundant paths are removed (e.g., non-Windows hosts are skipped; cross-protocol SMB paths are omitted unless NTLMv1 is confirmed).
  6. Output — Paths are sorted by priority and presented in the report.
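The six steps as a runnable model, added here as an example; it is not RelayKing's code. The Host/Service data model, the function names and the sample scan results are all constructed for illustration. The severity values follow the rules on this page (LDAP/LDAPS and tier-0 HTTP(S) destinations are CRITICAL, SMB and MSSQL are HIGH, other HTTP(S) is MEDIUM, everything else LOW), SMB sources reach LDAP/LDAPS only when NTLMv1 is confirmed on the source host, and same-host reflection is left out because the page treats it as a CVE-specific path. Treating only SMB/HTTP/HTTPS as coercible source protocols is an assumption of the model.

```python
"""Simplified model of the six-step relay path analysis described above.

Added example, not RelayKing's code. Host/Service/RelayPath, the helper
names and SAMPLE_HOSTS are constructed; only the severity rules follow
the page.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
# Assumption of this model: protocols a victim can be coerced/captured on.
SOURCE_PROTOCOLS = ("SMB", "HTTP", "HTTPS")
WEB = ("HTTP", "HTTPS")


@dataclass
class Service:
    protocol: str            # LDAP, LDAPS, SMB, HTTP, HTTPS, MSSQL, RPC, ...
    accessible: bool = True
    protected: bool = False  # signing enforced (SMB/LDAP) or EPA/channel binding (LDAPS/HTTP/MSSQL)


@dataclass
class Host:
    name: str
    os: str                          # "windows" or anything else
    services: List[Service]
    tier0: bool = False              # ADCS/SCCM/Exchange found via LDAP enumeration
    certsrv: bool = False            # HTTP GET /certsrv/ answered 401 with NTLM/Negotiate
    ntlmv1_confirmed: bool = False   # LmCompatibilityLevel <= 2 confirmed on this host


@dataclass(frozen=True)
class RelayPath:
    src_host: str
    src_proto: str
    dst_host: str
    dst_proto: str
    severity: str


def identify_sources(hosts: List[Host]) -> List[Tuple[Host, Service]]:
    """Step 1: accessible coercible protocols lacking signing/EPA on Windows hosts."""
    return [(h, s) for h in hosts if h.os == "windows"
            for s in h.services
            if s.accessible and not s.protected and s.protocol in SOURCE_PROTOCOLS]


def identify_destinations(hosts: List[Host]) -> List[Tuple[Host, Service]]:
    """Step 2: accessible, relayable protocols. HTTP(S) on a tier-0 asset is
    kept regardless of EPA, matching the high-value escalation rule."""
    dests = []
    for h in hosts:
        for s in h.services:
            high_value_web = s.protocol in WEB and (h.tier0 or h.certsrv)
            if s.accessible and (not s.protected or high_value_web):
                dests.append((h, s))
    return dests


def prioritize(dst_host: Host, dst_service: Service) -> str:
    """Step 4: impact level from destination protocol and host role."""
    p = dst_service.protocol
    if p in ("LDAP", "LDAPS"):
        return "CRITICAL"
    if p in WEB:
        return "CRITICAL" if (dst_host.tier0 or dst_host.certsrv) else "MEDIUM"
    if p in ("SMB", "MSSQL"):
        return "HIGH"
    return "LOW"


def keep_path(src_host: Host, src_service: Service, dst_host: Host, dst_service: Service) -> bool:
    """Step 5: drop impossible or redundant candidates."""
    if dst_host.os != "windows":
        return False                   # non-Windows destinations are skipped
    if src_host.name == dst_host.name:
        return False                   # same-host reflection is a CVE-specific path
    cross_protocol_smb = src_service.protocol == "SMB" and dst_service.protocol in ("LDAP", "LDAPS")
    if cross_protocol_smb and not src_host.ntlmv1_confirmed:
        return False                   # NTLMv2 MIC blocks SMB -> LDAP(S) cross-protocol relay
    return True


def analyze(hosts: List[Host]) -> List[RelayPath]:
    """Steps 3 and 6: cross-reference sources with destinations, dedupe, sort."""
    paths = set()
    for sh, ss in identify_sources(hosts):
        for dh, ds in identify_destinations(hosts):
            if keep_path(sh, ss, dh, ds):
                paths.add(RelayPath(sh.name, ss.protocol, dh.name, ds.protocol, prioritize(dh, ds)))
    return sorted(paths, key=lambda p: (SEVERITY_RANK[p.severity], p.dst_host, p.dst_proto,
                                        p.src_host, p.src_proto))


# Constructed scan results, not real hosts.
SAMPLE_HOSTS = [
    Host("ws01", "windows", [Service("SMB"), Service("HTTP")]),           # WebClient-style HTTP source
    Host("ws02", "windows", [Service("SMB")], ntlmv1_confirmed=True),
    Host("dc01", "windows", [Service("LDAP"), Service("LDAPS"), Service("SMB", protected=True)]),
    Host("ca01", "windows", [Service("HTTP", protected=True)], certsrv=True),  # EPA on, still tier-0
    Host("sql01", "windows", [Service("MSSQL")]),
    Host("nas01", "linux", [Service("SMB")]),                               # filtered as non-Windows
]

if __name__ == "__main__":
    for p in analyze(SAMPLE_HOSTS):
        print(f"{p.severity:8} {p.src_host}/{p.src_proto} -> {p.dst_host}/{p.dst_proto}")
```

On the sample data the model yields 14 paths: the SMB source on ws01 never reaches dc01's LDAP or LDAPS because NTLMv1 is not confirmed there, while ws02 (NTLMv1 confirmed) does; ca01's web enrollment endpoint is CRITICAL even though EPA is reported as enforced, which is the tier-0 escalation; nas01 never appears as a destination.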

Severity levels

CRITICAL

  • Relay to LDAP or LDAPS without signing/channel binding protections — enables computer account creation, ACL modification, RBCD abuse, and domain compromise.
  • Relay to HTTP/HTTPS on an ADCS server (/certsrv/) or confirmed tier-0 asset — certificate enrollment abuse (ESC8) leading to domain compromise.
  • CVE-2025-54918 on an unpatched Server 2025 DC with PrintSpooler enabled — RPC coercion → LDAPS reflection bypassing channel binding.
  • NTLMv1 cross-protocol relay to LDAP or LDAPS — NTLMv1 lacks MIC support, enabling relay with --remove-mic even when signing is enforced.

HIGH

  • Relay to SMB without signing — file system access, potential code execution via services.
  • Relay to MSSQL without EPA — database access, potential code execution via xp_cmdshell.
  • CVE-2019-1040 (Drop the MIC) — unpatched host allows MIC stripping for SMB-to-LDAP/LDAPS cross-protocol relay using ntlmrelayx --remove-mic. Reported as HIGH.
  • WebClient service enabled — the host can be coerced to authenticate to an attacker-controlled WebDAV share.

MEDIUM

  • Relay to HTTP/HTTPS without EPA on a non-tier-0 host — application access with no channel binding protection.
  • CVE-2025-54918 on any unpatched Server 2025 host (non-DC, or DC without confirmed PrintSpooler) — vulnerable to NTLM reflection.
  • Ghost SPN paths — SPN registered to an account whose hostname has no DNS record; registering the missing name intercepts NTLM authentication.

LOW

  • Other protocols (SMTP, IMAP, WinRM, RPC) that are accessible but have limited relay impact in typical scenarios.

High-value target escalation

Relay paths targeting ADCS servers (detected via /certsrv/ HTTP endpoint) or tier-0 assets (SCCM, Exchange, confirmed ADCS via LDAP) are escalated to CRITICAL regardless of the underlying protocol severity. RelayKing identifies these assets automatically via LDAP enumeration during --audit mode and via HTTP /certsrv/ endpoint detection during HTTP scanning.

Tier-0 asset detection

RelayKing automatically identifies ADCS, SCCM, and Exchange servers and escalates HTTP/HTTPS relay paths against them to CRITICAL severity (ESC8 certificate enrollment abuse or application-level domain compromise).

Detection methods

Asset type | How detected
ADCS (Certificate Authority) | LDAP query for pKIEnrollmentService objects in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,...; also detected via HTTP GET /certsrv/ returning 401 with NTLM or Negotiate in WWW-Authenticate
SCCM | LDAP query for mssmssite objects; hostname heuristics (sccm, mecm, configmgr)
Exchange | LDAP query for members of the Exchange Trusted Subsystem group

Tier-0 assets detected via LDAP are stored in the session file and automatically used when scoring relay paths. The hostname-based heuristics are a fallback — LDAP-detected assets are more accurate. Note that ca is intentionally excluded from hostname heuristics because it matches too many non-ADCS hosts (e.g., Exchange CAS servers).

Impact

Any relayable HTTP or HTTPS service on a tier-0 asset receives CRITICAL severity, regardless of EPA enforcement status, because the relay target has outsized impact:
  • ADCS — Certificate enrollment abuse (ESC8) can issue a certificate for any domain account, enabling full domain compromise.
  • SCCM — Relay to SCCM management points allows device enrollment, script execution, and lateral movement.

CVE-specific paths

CVE-2025-54918

RelayKing checks the Update Build Revision (UBR) read from each host’s registry during scanning. Windows Server 2025 hosts with build 26100 and UBR below 6584 are flagged as unpatched.
  • Any unpatched Server 2025 host → MEDIUM
  • Unpatched Server 2025 DC with PrintSpooler enabled → CRITICAL (RPC coercion → LDAPS reflection)

CVE-2019-1040 (Drop the MIC)

Hosts below the June 2019 patch threshold are flagged HIGH. The MIC field can be stripped from NTLM messages, enabling cross-protocol relay from SMB to LDAP or LDAPS. Use ntlmrelayx --remove-mic to exploit this path.

NTLM reflection paths

CVE-2025-33073 covers hosts where SMB authentication can be relayed back to other services on the same host. When detected, RelayKing reports the specific protocols involved (e.g., SMB → LDAP/HTTPS) as a HIGH severity path.

Cross-protocol SMB relay paths

Cross-protocol SMB relay paths (SMB → LDAP) are only shown when --ntlmv1 or --ntlmv1-all is used and NTLMv1 usage is actually confirmed. NTLMv2 includes a Message Integrity Code (MIC) that prevents cross-protocol relay. Without confirmed NTLMv1, these paths are not generated.

When NTLMv1 is enabled (LmCompatibilityLevel ≤ 2), the MIC is not computed, making cross-protocol relay possible:
  • SMB → LDAP with --remove-mic — can create computer accounts, modify ACLs.
  • SMB → LDAPS with --remove-mic — same impact, encrypted channel.

Ghost SPN paths

Ghost SPN findings are injected as MEDIUM severity paths. Up to five findings are shown in the main report; the full list is written to possible-ghost-spns.txt. Each path identifies the SPN, the account it is registered to, and the missing hostname that an attacker could register.

Severity logic

The severity rating logic is a work in progress. Not all scenarios and protocol combinations are accounted for. The goal is to cover all known relay primitives — contributions and pull requests for edge cases are welcome.