The --audit flag is the fastest way to get full-domain NTLM relay coverage. RelayKing connects to Active Directory over LDAP, pulls every enabled computer account, resolves each one in DNS, and feeds the resulting host list directly into the scanner — no manual target enumeration required.
Requirements
Audit mode requires:
- -u/--username — any low-privilege domain account
- -p/--password — the account’s password (or use --hashes for pass-the-hash)
- -d/--domain — the fully-qualified domain name (e.g., corp.local)
- --dc-ip — strongly recommended; the IP address of a domain controller
Without --dc-ip, RelayKing attempts to resolve the domain name itself using the system’s configured DNS server. If that DNS server cannot resolve domain computer FQDNs, AD enumeration will fail or return no targets.
Fixing DNS resolution problems
If RelayKing resolves no hosts after AD enumeration, DNS is the most likely cause. Two options:
- Use --dc-ip — RelayKing contacts the DC directly for LDAP and uses the DC’s IP as the authoritative DNS server for hostname resolution.
- Edit /etc/resolv.conf — Point your system’s DNS resolver at the domain controller before running the tool.
Default protocols
When --audit is used without --protocols, RelayKing scans the following protocols by default:
Including http and https enables tier-0 HTTP relay path analysis. RelayKing automatically detects ADCS (/certsrv/) and SCCM (/ccm_system_windowsauth) endpoints and enumerates every NTLM-enabled HTTP path on those hosts.
HTTP/HTTPS path enumeration is significantly slower — each host is checked against approximately 60 NTLM-enabled paths using 20 worker threads per main thread. Expect a much longer scan duration when these protocols are included.
Ghost SPN check
Ghost SPN detection runs automatically during every --audit scan when credentials are present. RelayKing queries AD for Service Principal Names whose hostnames have no DNS record. An attacker who registers one of those missing DNS names can intercept NTLM authentication intended for that service.
Findings are written to possible-ghost-spns.txt alongside the main report. Up to five findings are included inline in the report itself to avoid cluttering output. Pass --no-ghosts to skip this check entirely.
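A defender-side version of this check, as an added example that is not RelayKing’s code: given SPN strings already pulled from the directory’s servicePrincipalName attribute (the sample list and the offline resolver below are constructed), it groups them by host, qualifies short names with the domain, and reports every host that has no DNS record so the stale SPN can be removed or the record restored.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

def spn_host(spn: str) -> Optional[str]:
    """Host part of serviceclass/host[:port][/servicename]: lower-cased, port removed, None if absent."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[1]:
        return None
    host = parts[1]
    if ":" in host:  # drop an explicit port, e.g. MSSQLSvc/db01:1433
        host = host.rsplit(":", 1)[0]
    return host.lower()

def qualify(host: str, domain: str) -> str:
    """Short (single-label) names are tried as host.domain; FQDNs are kept as given."""
    return host if "." in host else f"{host}.{domain.lower()}"

def resolves(fqdn: str) -> bool:
    """Default resolver: True if the system DNS returns an address for fqdn."""
    try:
        socket.gethostbyname(fqdn)
        return True
    except socket.gaierror:
        return False

def find_ghost_spns(spns: Iterable[str], domain: str, resolve: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Map each FQDN with no DNS record to the SPNs that reference it."""
    # Group by host first so each distinct name is resolved once; `resolve` is
    # injectable so the check can run offline (and be unit-tested).
    by_host: Dict[str, List[str]] = defaultdict(list)
    for spn in spns:
        host = spn_host(spn)
        if host is not None:
            by_host[qualify(host, domain)].append(spn)
    return {fqdn: refs for fqdn, refs in by_host.items() if not resolve(fqdn)}

# Constructed sample standing in for a servicePrincipalName dump (hypothetical names).
SAMPLE_SPNS = [
    "HOST/FS01", "HOST/fs01.corp.local",
    "MSSQLSvc/oldsql.corp.local:1433", "MSSQLSvc/OLDSQL:1433",
    "HTTP/intranet.corp.local", "ldap/dc01.corp.local/corp.local",
    "malformed-no-slash",
]
# Constructed stand-in for DNS: only these names are assumed to exist.
KNOWN = {"fs01.corp.local", "intranet.corp.local", "dc01.corp.local"}

def demo() -> Dict[str, List[str]]:
    """Run the check on the sample with the offline resolver; returns the ghost map."""
    return find_ghost_spns(SAMPLE_SPNS, "corp.local", resolve=lambda n: n in KNOWN)
```

Against a live directory, pass the real SPN list and leave `resolve` at its default so the system DNS (pointed at a domain controller, as the section above recommends) answers the lookups.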
Session files
Every --audit scan automatically creates a session file (relayking-session.resume) in the current directory. The session file path is printed at scan start. If the scan is interrupted, use --session-resume to pick up where you left off without re-running AD enumeration or re-scanning already-completed hosts. See Session resume for details.
Audit workflow
Gather credentials
Obtain any low-privilege domain account. The account does not need admin rights — read access to Active Directory is sufficient for enumeration and most protocol checks.
Confirm DNS connectivity
Verify your testing host can resolve domain computer FQDNs. A quick check:
If resolution fails, pass --dc-ip or update /etc/resolv.conf.
Run the audit
The recommended command for a full-network audit:
For a lighter scan without HTTP checks:
Review the session file
The session file path is printed at scan start:
Keep this file. If the scan is interrupted, you can resume with:
Review findings
When the scan completes, check the output files:
- relayking-scan.txt — human-readable report with relay paths sorted by severity
- relayking-scan.json — machine-readable results for further processing
- relaytargets.txt — relay target list ready for ntlmrelayx.py -tf
- possible-ghost-spns.txt — full Ghost SPN findings (if any were found)
