Expand Up @@ -152,6 +152,21 @@ python3 relayking.py --null-auth --protocols smb,ldap,http --proto-portscan -o p

These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.

### Metasploit SMB relay: client compatibility and single-vs-multi target behavior

Metasploit's SMB relay server has an **important client-behavior dependency** when you try to relay **one inbound SMB authentication to multiple targets**. The classic multi-target flow depends on the SMB client reacting to `STATUS_NETWORK_SESSION_EXPIRED` like Windows `net use` does. Many clients do **not** retry in the required way, so the relay can fail even when the targets themselves are relayable.

Operationally, this means:

- **Single relay target**: Metasploit can **forward the Net-NTLM messages immediately** instead of depending on the client to recover from `STATUS_NETWORK_SESSION_EXPIRED`. This improves compatibility with clients such as Linux `smbclient`.
- **Multiple relay targets**: reliability still depends on the **client-side retry semantics**. If the authenticating client behaves like Windows `net use`, one inbound auth can be replayed against multiple downstream targets more reliably.
- **RubySMB-originated auth**: recent RubySMB changes mimic `net use`, so **RubySMB clients can participate in multi-target relay flows** that previously failed.

Practical takeaway:

- If a relay works from `net use` but fails from another SMB client, test the **same target set with only one relay destination** before assuming SMB signing or target hardening is blocking you.
- When validating a relay path in Metasploit, distinguish between **target-side protections** and **source-client incompatibility**. A failed multi-target run may still be exploitable with a single-target configuration.

### Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)

WSUS clients authenticate to their update server using NTLM over HTTP (8530) or HTTPS (8531). When HTTP is enabled, periodic client check-ins can be coerced or intercepted on the local segment and relayed with ntlmrelayx to LDAP/LDAPS/SMB or AD CS HTTP endpoints (ESC8) without cracking any hashes. This blends into normal update traffic and frequently yields machine-account authentications (HOST$).
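Review bot: the "Practical takeaway" bullets in the new Metasploit section could be read as suggesting that a failed multi-target run is only a client-compatibility issue, but the hunk never states the converse: when the target enforces SMB signing (or LDAP signing / channel binding for LDAP targets), the relay fails regardless of single- or multi-target configuration and regardless of which client authenticated. Add one sentence making that explicit, e.g. "Signing-required targets are not relayable in either mode; the single-target test only isolates client retry behavior", so the section does not imply that switching to a single destination works around target hardening. The section also describes "recent RubySMB changes" and a new immediate-forward behavior without naming the Metasploit module or the version/release that introduced them; since the same PR adds a Rapid7 wrap-up link to the references, cite it inline here (or name the module and version) so a reader can verify which Framework build has this behavior.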
Expand Down Expand Up @@ -351,6 +366,6 @@ You now own **NT AUTHORITY\SYSTEM**.
- [Microsoft – WSUS deprecation announcement](https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436)
- [RelayKing v1.0](https://github.com/depthsecurity/RelayKing-Depth)
- [Depth Security – Introducing RelayKing: Relay to Royalty](https://www.depthsecurity.com/blog/introducing-relayking-relay-to-royalty/)
- [Rapid7 – Metasploit Wrap-Up 03/27/2026](https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-27-2026/)

{{#include ../../banners/hacktricks-training.md}}
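Review bot: the new reference entry "Rapid7 – Metasploit Wrap-Up 03/27/2026" is added to the list but nothing in the page body links to it, so the Metasploit client-compatibility claims earlier in the diff remain uncited in context. Either reference it inline from that section (e.g. "(see Rapid7 Metasploit Wrap-Up)") or add a short parenthetical in the list entry saying what it supports; also confirm the URL slug resolves before merge, since the other entries in this list follow the same link-plus-title format and a dead link there is easy to miss.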