A tool for checking HTTP servers to see if they may be vulnerable to NTLM relay attacks. To be protected against NTLM relay, an IIS endpoint that accepts NTLM authentication must both be served over HTTPS and require Channel Binding Tokens (CBT), which tie the NTLM authentication to the TLS session it was sent over. The IIS configuration that enables CBT is known as Extended Protection for Authentication (EPA).
The script sends one authentication request with CBT enabled and one with CBT disabled. It checks the response to the first (CBT-enabled) request for an authentication failure before sending the second, so that bad credentials are not retried and do not contribute to an account lockout.
If the authentication request without CBT succeeds, the server is configured with CBT/EPA Disabled or Enabled (Accept) but not Required: it accepts NTLM authentication that is not bound to the TLS channel, which is exactly what a relayed authentication looks like.
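The following is an added example, not code from http-relay-check, showing offline what "with CBT" and "without CBT" mean on the wire. It checks whether a 401 response actually offered an NTLM challenge (the condition behind the "Server did not respond with NTLM challenge token" message), parses the TargetInfo AV_PAIR list out of the CHALLENGE_MESSAGE, and computes the MsvAvChannelBindings value (MS-NLMP AvId 0x000A, built over the RFC 5929 tls-server-end-point binding of the server certificate) that a CBT-enabled client appends to the TargetInfo it HMACs in its NTLMv2 response. The certificate bytes, server challenge and AV pairs are constructed sample data; the full NTLMv2 response computation and the HTTP round trips are not included.

```python
"""Added example (not part of http-relay-check): the channel-binding parts of
an NTLM-over-HTTP exchange, worked on constructed data. "CBT enabled" means the
client's TargetInfo carries MsvAvChannelBindings; "CBT disabled" omits it, which
a server with EPA = Required rejects."""
import base64
import hashlib
import struct

MSV_AV_EOL, MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME = 0x0000, 0x0001, 0x0002
MSV_AV_TIMESTAMP, MSV_AV_TARGET_NAME, MSV_AV_CHANNEL_BINDINGS = 0x0007, 0x0009, 0x000A
NTLMSSP_SIGNATURE, CHALLENGE_MESSAGE = b"NTLMSSP\x00", 2


def ntlm_challenge_from_header(www_authenticate):
    """Return the decoded Type 2 blob if the header carries an NTLM challenge.
    A bare "NTLM", or only "Negotiate"/"Basic", yields None: no NTLM challenge."""
    for challenge in www_authenticate.split(","):
        parts = challenge.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "NTLM":
            blob = base64.b64decode(parts[1])
            if blob.startswith(NTLMSSP_SIGNATURE) and \
                    struct.unpack_from("<I", blob, 8)[0] == CHALLENGE_MESSAGE:
                return blob
    return None


def parse_av_pairs(data):
    """Decode an AV_PAIR list (AvId u16, AvLen u16, value) up to MsvAvEOL."""
    pairs, pos = [], 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs.append((av_id, data[pos:pos + av_len]))
        pos += av_len
    raise ValueError("TargetInfo missing MsvAvEOL")


def encode_av_pairs(pairs):
    body = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_challenge(blob):
    """CHALLENGE_MESSAGE layout (MS-NLMP 2.2.1.2): TargetNameFields @12,
    NegotiateFlags @20, ServerChallenge @24, Reserved @32, TargetInfoFields @40."""
    flags = struct.unpack_from("<I", blob, 20)[0]
    server_challenge = blob[24:32]
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)
    return flags, server_challenge, parse_av_pairs(blob[ti_off:ti_off + ti_len])


def build_challenge(server_challenge, target_name, av_pairs):
    """Constructed sample CHALLENGE_MESSAGE without a Version field."""
    name, info = target_name.encode("utf-16-le"), encode_av_pairs(av_pairs)
    # TARGET_INFO | EXTENDED_SESSIONSECURITY | NTLM | REQUEST_TARGET | UNICODE
    flags = 0x00800000 | 0x00080000 | 0x00000200 | 0x00000004 | 0x00000001
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), 48) + struct.pack("<I", flags)
    msg += server_challenge + bytes(8)
    msg += struct.pack("<HHI", len(info), len(info), 48 + len(name))
    return msg + name + info


def channel_binding_hash(cert_der, sig_hash="sha256"):
    """MsvAvChannelBindings value: MD5 over gss_channel_bindings_struct whose
    application_data is 'tls-server-end-point:' + hash(cert DER). RFC 5929 uses
    the certificate signature's hash, with MD5/SHA-1 upgraded to SHA-256; the
    initiator/acceptor address fields are absent (type 0, length 0)."""
    if sig_hash in ("md5", "sha1"):
        sig_hash = "sha256"
    app_data = b"tls-server-end-point:" + hashlib.new(sig_hash, cert_der).digest()
    cb = struct.pack("<IIII", 0, 0, 0, 0)  # addr types and lengths, all empty
    cb += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(cb).digest()


def client_target_info(server_av_pairs, cert_der=None, spn=None):
    """TargetInfo the client echoes (and HMACs) in its NTLMv2 response. With a
    certificate the MsvAvChannelBindings pair is added ("CBT enabled" probe);
    without one it is omitted ("CBT disabled" probe)."""
    pairs = list(server_av_pairs)
    if cert_der is not None:
        pairs.append((MSV_AV_CHANNEL_BINDINGS, channel_binding_hash(cert_der)))
    if spn is not None:
        pairs.append((MSV_AV_TARGET_NAME, spn.encode("utf-16-le")))
    return encode_av_pairs(pairs)


def has_channel_bindings(target_info):
    return any(i == MSV_AV_CHANNEL_BINDINGS for i, _ in parse_av_pairs(target_info))


# Constructed sample data: a stand-in byte blob, not a real DER certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_CHALLENGE = build_challenge(
    bytes.fromhex("0123456789abcdef"), "DOMAIN",
    [(MSV_AV_NB_DOMAIN_NAME, "DOMAIN".encode("utf-16-le")),
     (MSV_AV_NB_COMPUTER_NAME, "CA".encode("utf-16-le")),
     (MSV_AV_TIMESTAMP, struct.pack("<Q", 0x01D9C0DE00000000))])
SAMPLE_401_NTLM = "NTLM " + base64.b64encode(SAMPLE_CHALLENGE).decode()
SAMPLE_401_NEGOTIATE_ONLY = "Negotiate"

if __name__ == "__main__":
    _, chal, pairs = parse_challenge(ntlm_challenge_from_header(SAMPLE_401_NTLM))
    print("server challenge:", chal.hex())
    print("with CBT   :", client_target_info(pairs, SAMPLE_CERT_DER, "HTTP/ca.domain.local").hex())
    print("without CBT:", client_target_info(pairs).hex())
    print("NTLM offered by Negotiate-only 401:",
          ntlm_challenge_from_header(SAMPLE_401_NEGOTIATE_ONLY) is not None)
```

In a live check the certificate DER comes from the TLS session to the target (for example `ssl.SSLSocket.getpeercert(binary_form=True)`), and the two TargetInfo variants are each carried through a full NTLMv2 response to the same URL; a server that answers 200 to the variant without MsvAvChannelBindings is not requiring EPA.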
git clone https://github.com/missing0x00/http-relay-check
cd http-relay-check
virtualenv venv
source venv/bin/activate
python3 -m pip install -r requirements.txt
python3 http-relay-check.py -h
Provide the target URL and valid domain user credentials to authenticate with. The script only authenticates to the target with these credentials; it does not perform a relay.
usage: http-relay-check.py [-h] -u USERNAME -d DOMAIN -p PASSWORD url
positional arguments:
url Target URL
options:
-h, --help show this help message and exit
-u USERNAME Username
-d DOMAIN AD Domain
-p PASSWORD Password
python3 http-relay-check.py https://CA.domain.local/CertSrv/certfnsh.asp -d domain.local -u username -p password
Access denied: Server did not respond with NTLM challenge token
Target URL does not support NTLM; may require Kerberos authentication.
- Microsoft - Extended Protection documentation
- @HackAndDo - NTLM relay - Detailed explanation of TLS Binding
- @zyn3rgy - LdapRelayScan - Inspiration for this tool
- Will Schroeder and Lee Christensen - ADCS attacks including ESC8 - HTTP NTLM relay
- Impacket - ntlmrelayx