At least one of the following must be provided: a positional target, --target-file, --audit, --coerce-all, or --session-resume.
A targets.txt.example file is included in the repository showing the supported line formats.
Flags
One or more positional target arguments. Accepted formats:
- Single IP:
10.0.0.5
- Hostname or FQDN:
dc01.corp.example.local
- CIDR notation:
10.0.0.0/24
- Hyphenated IP range:
10.0.0.1-10.0.0.50
Multiple values can be specified. When supplying a single target, place it at the end of the argument list. Path to a file containing targets, one per line. Supports the same formats as the positional target argument (IPs, hostnames, CIDRs, ranges). Blank lines and lines beginning with # are ignored.
Audit mode: enumerate all computer accounts from Active Directory via LDAP and scan them. Requires low-privilege AD credentials (-u, -p, -d) and a reachable DC (--dc-ip). Default protocols when --audit is active are smb, ldap, ldaps, and mssql; adding http,https enables tier-0 HTTP relay path analysis.--audit cannot be combined with --coerce-all.
Skip the ICMP ping sweep that RelayKing uses to filter live hosts from CIDR ranges before scanning. Use this when running through a SOCKS proxy, where ICMP is typically unsupported.
Path to a .resume session file generated by a previous --audit scan. Resuming skips AD enumeration, DNS resolution, and port scanning for work that was already completed, and continues from where the interrupted scan left off.The file must exist; RelayKing exits with an error if the path is not found.
Targeting modes
Single host
CIDR range
IP range
Target file
Audit mode
Session resume
Scan a single IP address or hostname:python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --protocols smb,ldap 10.0.0.5
python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --protocols smb,ldap dc01.corp.example.local
Scan an entire subnet. RelayKing pings hosts first to find live targets:python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --protocols smb,ldap 10.0.0.0/24
proxychains python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --no-ping --protocols smb,ldap 10.0.0.0/24
Scan a hyphenated range:python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --protocols smb,ldap 10.0.0.1-10.0.0.50
Load targets from a file (IPs, hostnames, CIDRs, or ranges — one per line):python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --protocols smb,ldap -t targets.txt
targets.txt:10.0.0.5
10.0.0.10-10.0.0.20
10.0.1.0/24
dc01.corp.example.local
Enumerate all AD computers and scan them automatically:python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --audit --protocols smb,ldap,ldaps,mssql,http,https \
--proto-portscan --threads 10 -vv -o plaintext,json --output-file relayking-scan
Resume an interrupted audit scan:python3 relayking.py -u lowpriv -p 'Summer2024!' -d corp.example.local \
--dc-ip 10.0.0.1 --session-resume relayking-20240601.resume
