## How paths are identified

The analysis follows a six-step algorithm:

- Identify sources — Protocols without signing or Extended Protection for Authentication (EPA) enforcement are candidates for coerced or captured authentication.
- Identify destinations — Protocols that are accessible and relayable on each host become potential relay destinations.
- Cross-reference — Sources are matched to viable destinations to form candidate paths.
- Prioritize — Each path is assigned an impact level based on the destination protocol and host role.
- Filter — Impossible or redundant paths are removed (e.g., non-Windows hosts are skipped; cross-protocol SMB paths are omitted unless NTLMv1 is confirmed).
- Output — Paths are sorted by priority and presented in the report.
## Severity levels

### CRITICAL

- Relay to LDAP or LDAPS without signing/channel binding protections — enables computer account creation, ACL modification, RBCD abuse, and domain compromise.
- Relay to HTTP/HTTPS on an ADCS server (`/certsrv/`) or confirmed tier-0 asset — certificate enrollment abuse (ESC8) leading to domain compromise.
- CVE-2025-54918 on an unpatched Server 2025 DC with PrintSpooler enabled — RPC coercion → LDAPS reflection bypassing channel binding.
- NTLMv1 cross-protocol relay to LDAP or LDAPS — NTLMv1 lacks MIC support, enabling relay with `--remove-mic` even when signing is enforced.
### HIGH

- Relay to SMB without signing — file system access, potential code execution via services.
- Relay to MSSQL without EPA — database access, potential code execution via `xp_cmdshell`.
- CVE-2019-1040 (Drop the MIC) — unpatched host allows MIC stripping for SMB-to-LDAP/LDAPS cross-protocol relay using `ntlmrelayx --remove-mic`. Reported as HIGH.
- WebClient service enabled — the host can be coerced to authenticate to an attacker-controlled WebDAV share.
### MEDIUM

- Relay to HTTP/HTTPS without EPA on a non-tier-0 host — application access with no channel binding protection.
- CVE-2025-54918 on any unpatched Server 2025 host (non-DC, or DC without confirmed PrintSpooler) — vulnerable to NTLM reflection.
- Ghost SPN paths — SPN registered to an account whose hostname has no DNS record; registering the missing name intercepts NTLM authentication.

### LOW

- Other protocols (SMTP, IMAP, WinRM, RPC) that are accessible but have limited relay impact in typical scenarios.
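As an added illustration (not RelayKing's code), the following Python sketch models the six steps and the severity table above over a constructed host inventory, so a defender can see which findings would top the remediation list. The `Host` fields, the same-host exclusion, and the assumption that NTLMv1 use is confirmed per source host are this example's own.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

@dataclass
class Host:  # constructed inventory record; these field names are the example's own
    name: str
    os: str = "windows"
    services: dict = field(default_factory=dict)  # protocol -> signing/EPA enforced?
    webclient: bool = False       # WebDAV client running: host can be coerced over HTTP
    tier0: bool = False           # ADCS, SCCM or Exchange (see detection table below)
    ntlmv1_confirmed: bool = False

def sources(hosts):
    """Step 1: Windows hosts authenticate over SMB; a running WebClient adds HTTP."""
    return [(h, p) for h in hosts if h.os == "windows"
            for p in (("SMB", "HTTP") if h.webclient else ("SMB",))]

def destinations(hosts):
    """Step 2: a service that does not enforce signing or EPA accepts relayed NTLM."""
    return [(h, p) for h in hosts for p, enforced in h.services.items() if not enforced]

def rate(dst, proto):
    """Step 4: impact from destination protocol and host role, per the severity table."""
    if proto in ("LDAP", "LDAPS"):
        return "CRITICAL"
    if proto in ("HTTP", "HTTPS"):
        return "CRITICAL" if dst.tier0 else "MEDIUM"
    if proto in ("SMB", "MSSQL"):
        return "HIGH"
    return "LOW"  # SMTP, IMAP, WinRM, RPC

def viable(src, sp, dst, dp):
    """Step 5: drop non-Windows targets, same-host pairs, and unconfirmed SMB->LDAP(S)."""
    if dst.os != "windows" or src.name == dst.name:  # reflection is a separate CVE check
        return False
    # NTLMv2's MIC blocks cross-protocol relay from SMB; only confirmed NTLMv1 gets through
    return not (sp == "SMB" and dp in ("LDAP", "LDAPS") and not src.ntlmv1_confirmed)

def relay_paths(hosts):
    """Steps 3 and 6: cross-reference, rate, filter, then sort by severity."""
    paths = [(rate(dst, dp), f"{src.name}:{sp} -> {dst.name}:{dp}")
             for src, sp in sources(hosts) for dst, dp in destinations(hosts)
             if viable(src, sp, dst, dp)]
    return sorted(paths, key=lambda p: (SEVERITY_RANK[p[0]], p[1]))

INVENTORY = [  # constructed sample inventory
    Host("DC01", services={"LDAP": False, "LDAPS": False, "SMB": True}),
    Host("CA01", services={"HTTP": False}, tier0=True),
    Host("WS01", services={"SMB": False}, webclient=True),
    Host("NAS01", os="linux", services={"SMB": False}),
]
```

Running `relay_paths(INVENTORY)` yields five CRITICAL paths (the WebDAV-capable workstation reaching unsigned LDAP/LDAPS on DC01 and the ADCS web endpoint) ahead of two HIGH SMB paths, with the Linux host and all unconfirmed SMB→LDAP pairs filtered out.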
## High-value target escalation

Relay paths targeting ADCS servers (detected via the `/certsrv/` HTTP endpoint) or tier-0 assets (SCCM, Exchange, confirmed ADCS via LDAP) are escalated to CRITICAL regardless of the underlying protocol severity. RelayKing identifies these assets automatically via LDAP enumeration during `--audit` mode and via HTTP `/certsrv/` endpoint detection during HTTP scanning.
## Tier-0 asset detection

RelayKing automatically identifies ADCS, SCCM, and Exchange servers and escalates HTTP/HTTPS relay paths against them to CRITICAL severity (ESC8 certificate enrollment abuse or application-level domain compromise).

### Detection methods

| Asset type | How detected |
|---|---|
| ADCS (Certificate Authority) | LDAP query for `pKIEnrollmentService` objects in `CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,...`; also detected via HTTP `GET /certsrv/` returning `401` with `NTLM` or `Negotiate` in `WWW-Authenticate` |
| SCCM | LDAP query for `mssmssite` objects; hostname heuristics (`sccm`, `mecm`, `configmgr`) |
| Exchange | LDAP query for members of the `Exchange Trusted Subsystem` group |

`ca` is intentionally excluded from the hostname heuristics because it matches too many non-ADCS hosts (e.g., Exchange CAS servers).
### Impact

Any relayable HTTP or HTTPS service on a tier-0 asset receives CRITICAL severity, regardless of EPA enforcement status, because the relay target has outsized impact:

- ADCS — Certificate enrollment abuse (ESC8) can issue a certificate for any domain account, enabling full domain compromise.
- SCCM — Relay to SCCM management points allows device enrollment, script execution, and lateral movement.
## CVE-specific paths

### CVE-2025-54918

RelayKing checks the Update Build Revision (UBR) read from each host's registry during scanning. Windows Server 2025 hosts with build 26100 and UBR below 6584 are flagged as unpatched.

- Any unpatched Server 2025 host → MEDIUM
- Unpatched Server 2025 DC with PrintSpooler enabled → CRITICAL (RPC coercion → LDAPS reflection)
### CVE-2019-1040 (Drop the MIC)

Hosts below the June 2019 patch threshold are flagged HIGH. The MIC field can be stripped from NTLM messages, enabling cross-protocol relay from SMB to LDAP or LDAPS. Use `ntlmrelayx --remove-mic` to exploit this path.
## NTLM reflection paths

CVE-2025-33073 covers hosts where SMB authentication can be relayed back to other services on the same host. When detected, RelayKing reports the specific protocols involved (e.g., SMB → LDAP/HTTPS) as a HIGH severity path.
## Cross-protocol SMB relay paths

Cross-protocol SMB relay paths (SMB → LDAP) are only shown when `--ntlmv1` or `--ntlmv1-all` is used and NTLMv1 usage is actually confirmed. NTLMv2 includes a Message Integrity Code (MIC) that prevents cross-protocol relay. Without confirmed NTLMv1, these paths are not generated.

- SMB → LDAP with `--remove-mic` — can create computer accounts, modify ACLs.
- SMB → LDAPS with `--remove-mic` — same impact, encrypted channel.
## Ghost SPN paths

Ghost SPN findings are injected as MEDIUM severity paths. Up to five findings are shown in the main report; the full list is written to `possible-ghost-spns.txt`. Each path identifies the SPN, the account it is registered to, and the missing hostname that an attacker could register.
## Severity logic

The severity rating logic is a work in progress. Not all scenarios and protocol combinations are accounted for. The goal is to cover all known relay primitives — contributions and pull requests for edge cases are welcome.
