Skip to main content
RelayKing is invoked as: 
python3 relayking.py [args]
Arguments are organized into five groups: Authentication, Targets, Detection options, Output options, and Performance.

Argument groups

Authentication

Username, password, domain, NTLM hashes, Kerberos, and DC/DNS settings.

Targets

IP addresses, CIDR ranges, target files, audit mode, and session resume.

Detection options

Protocol selection, port scanning, NTLMv1, coercion checks, and null auth.

Output options

Output formats, file naming, relay list generation, and verbosity.

Performance

Thread count, timeouts, scan grouping, and LDAP page size.

Full help output

python3 relayking.py -h

usage: relayking.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN]
                    [--hashes LMHASH:NTHASH] [--aesKey AESKEY] [-k]
                    [--krb-dc-only] [--no-pass] [--dc-ip DC_IP]
                    [-ns NAMESERVER] [--dns-tcp] [--ldap] [--ldaps]
                    [-t TARGET_FILE] [--audit] [--no-ping]
                    [--session-resume FILE]
                    [--protocols PROTOCOLS] [--proto-portscan] [--ntlmv1]
                    [--ntlmv1-all] [--coerce] [--coerce-all]
                    [--coerce-target COERCE_TARGET]
                    [--coerce-timeout COERCE_TIMEOUT] [--null-auth]
                    [--no-ghosts]
                    [-o OUTPUT_FORMAT] [--output-file OUTPUT_FILE]
                    [--gen-relay-list GEN_RELAY_LIST] [-v]
                    [--threads THREADS] [--timeout TIMEOUT]
                    [--max-scangroup MAX_SCANGROUP] [--split-into SPLIT_INTO]
                    [--skip SKIP] [--ad-page-size AD_PAGE_SIZE]
                    [target ...]

RelayKing - NTLM & Kerberos Relay Detection Tool

Quick reference

Authentication

FlagTypeDefaultDescription
-u / --usernamestringUsername for authentication
-p / --passwordstringPassword for authentication
-d / --domainstringDomain name
--hashes LMHASH:NTHASHstringNTLM hashes (LM:NT)
--aesKeystringAES key for Kerberos
-k / --kerberosbooleanfalseUse Kerberos authentication
--krb-dc-onlybooleanfalseKerberos for DCs only, NTLM elsewhere
--no-passbooleanfalseSkip password prompt (use with -k)
--dc-ipstringDomain Controller IP
-ns / --nameserverstringCustom DNS server
--dns-tcpbooleanfalseUse TCP for DNS resolution
--ldapbooleanfalseForce LDAP
--ldapsbooleanfalseForce LDAPS

Targets

FlagTypeDefaultDescription
targetstring[]IP, hostname, CIDR, or range (positional)
-t / --target-filestringFile with targets (one per line)
--auditbooleanfalseEnumerate all AD computers via LDAP
--no-pingbooleanfalseSkip ping sweep (use with SOCKS proxies)
--session-resume FILEstringResume from a .resume session file

Detection options

FlagTypeDefaultDescription
--protocolsstringComma-separated protocol list
--proto-portscanbooleanfalseFast port scan before protocol checks
--ntlmv1booleanfalseCheck GPO for domain-wide NTLMv1 policy
--ntlmv1-allbooleanfalsePer-host registry check (requires admin)
--coercebooleanfalseCheck for coercion vulnerabilities
--coerce-allbooleanfalseCoerce all AD computers (extremely heavy)
--coerce-targetstringListener IP for coercion
--coerce-timeoutinteger3Coercion check timeout in seconds
--null-authbooleanfalseAttempt null/anonymous authentication
--no-ghostsbooleanfalseSkip Ghost SPN check

Output options

FlagTypeDefaultDescription
-o / --output-formatstringplaintextComma-separated format list
--output-filestringBase filename (extensions added automatically)
--gen-relay-liststringNTLMRelayX target list output file
-v / -vv / -vvvcount0Verbosity level

Performance

FlagTypeDefaultDescription
--threadsinteger10Thread count
--timeoutinteger5Connection timeout in seconds
--max-scangroupinteger0 (all)Max hosts per scan group
--split-intointeger1Split hosts into N groups
--skipinteger0Skip first N groups
--ad-page-sizeinteger500LDAP paged query size

Build docs developers (and LLMs) love

Get started for freeTalk to us