RelayKing is designed for authorized penetration testing and Active Directory security assessments only. Always obtain written authorization before scanning any network. In --audit mode, RelayKing is not OPSEC-safe and will be detectable.

Prerequisites

Make sure RelayKing is installed before continuing.

Choose your scan type

The recommended approach for a full AD engagement. Requires low-privilege domain credentials and proper DNS configuration.

python3 relayking.py \
  -u 'lowpriv' -p 'lowpriv-password' \
  -d client.domain.local \
  --dc-ip 10.0.0.1 \
  -vv \
  --audit \
  --protocols smb,ldap,ldaps,mssql,http,https \
  --threads 10 \
  -o plaintext,json \
  --output-file relayking-scan \
  --proto-portscan \
  --ntlmv1 \
  --gen-relay-list relaytargets.txt

This produces relayking-scan.txt, relayking-scan.json, and relaytargets.txt (ready for ntlmrelayx.py).

Full audit mode walkthrough

1. Verify DNS is working

RelayKing needs to resolve AD computer names. Either set --dc-ip to point to your DC (which also serves DNS), or verify /etc/resolv.conf points to the domain DNS server.

nslookup dc01.client.domain.local 10.0.0.1

2. Run the audit

Execute with --audit to enumerate all computers from Active Directory:

python3 relayking.py \
  -u 'lowpriv' -p 'lowpriv-password' \
  -d client.domain.local \
  --dc-ip 10.0.0.1 \
  -vv \
  --audit \
  --protocols smb,ldap,ldaps,mssql,http,https \
  --threads 10 \
  -o plaintext,json \
  --output-file relayking-scan \
  --proto-portscan \
  --ntlmv1 \
  --gen-relay-list relaytargets.txt

RelayKing will display the session file path so you can resume if interrupted.

3. Review relay paths

After scanning, RelayKing’s relay path analyzer automatically identifies and prioritizes viable attack paths. Check the output for CRITICAL and HIGH severity findings first.

Relay paths are sorted by severity: CRITICAL → HIGH → MEDIUM → LOW

4. Use the relay list with ntlmrelayx

Feed the generated relaytargets.txt directly to Impacket’s ntlmrelayx.py:

python3 ntlmrelayx.py -tf relaytargets.txt -smb2support

Always use --proto-portscan with your scans. It performs a fast port scan before protocol checks, skipping closed ports and dramatically speeding up the scan. The default of 10 threads is already fast — use --proto-portscan rather than increasing thread count.
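
A pre-flight check for step 1 when you rely on /etc/resolv.conf rather than --dc-ip, added here as an example (not part of RelayKing). It reports where the DC sits in the resolver list, because the glibc resolver queries nameservers in order and treats an NXDOMAIN from an earlier one as final; the function names and the 192.0.2.53 sample resolver are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of RelayKing. Function names are illustrative.

# dc_resolver_position FILE DC_IP
# Prints the 1-based position of DC_IP among the "nameserver" lines of a
# resolv.conf-style file, or 0 if it is not listed. Commented-out entries
# ("#nameserver ..." or "; nameserver ...") never match the first field.
dc_resolver_position() {
  awk -v ip="$2" '
    $1 == "nameserver" { n++; if ($2 == ip && !pos) pos = n }
    END { print pos + 0 }
  ' "$1"
}

# check_dc_dns FILE DC_IP
# Returns 0 if the DC is the first resolver, 1 if it is listed later,
# 2 if it is absent, 3 if FILE cannot be read.
check_dc_dns() {
  [ -r "$1" ] || { echo "fail: cannot read $1"; return 3; }
  pos=$(dc_resolver_position "$1" "$2")
  case "$pos" in
    1) echo "ok: $2 is the first nameserver in $1"; return 0 ;;
    0) echo "fail: $2 is not a nameserver in $1"; return 2 ;;
    *) echo "warn: $2 is nameserver #$pos; an earlier resolver may answer NXDOMAIN for AD names"
       return 1 ;;
  esac
}

# Constructed sample: the DC from the commands above (10.0.0.1) is listed
# second, behind a resolver that knows nothing about the AD zone.
sample=$(mktemp)
printf '%s\n' \
  '# constructed sample resolv.conf' \
  'search client.domain.local' \
  'nameserver 192.0.2.53' \
  'nameserver 10.0.0.1' > "$sample"
check_dc_dns "$sample" 10.0.0.1 || true
rm -f "$sample"

# On the scanning host: check_dc_dns /etc/resolv.conf 10.0.0.1
```

A non-zero return means the nslookup in step 1 can succeed (it queries 10.0.0.1 explicitly) while lookups through the system resolver still fail.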

What happens during a scan

  1. Target acquisition — RelayKing enumerates all AD computers via LDAP (--audit), or parses your provided targets (CIDR, file, individual host).
  2. Port scanning — With --proto-portscan, only open ports are checked per protocol.
  3. Protocol scanning — Each host is checked for relay vulnerabilities across selected protocols.
  4. Advanced detection — Ghost SPNs, NTLM reflection, WebDAV, coercion vulnerabilities, and CVEs are evaluated.
  5. Relay path analysis — Results are cross-referenced to identify and prioritize viable relay attack paths.
  6. Output — Findings are written in your chosen format(s).

Next steps

Command reference

Explore every available flag and option.

Audit mode guide

Deep dive into Active Directory audit mode.

Relay path analysis

Understand how relay paths are identified and prioritized.

Output formats

Configure output formats and relay list generation.
