fortra · emilyastranova · Aug 20, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/examples/ntlmrelayx.py b/examples/ntlmrelayx.py
@@ -53,7 +53,7 @@
 
 from impacket import version
 from impacket.examples import logger
-from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer, RPCRelayServer, WinRMRelayServer, WinRMSRelayServer
+from impacket.examples.ntlmrelayx.servers import SMBRelayServer, HTTPRelayServer, WCFRelayServer, RAWRelayServer, RPCRelayServer, LDAPRelayServer, WinRMRelayServer, WinRMSRelayServer
 from impacket.examples.ntlmrelayx.utils.config import NTLMRelayxConfig, parse_listening_ports
 from impacket.examples.ntlmrelayx.utils.targetsutils import TargetsProcessor, TargetsFileWatcher
 from impacket.examples.ntlmrelayx.servers.socksserver import SOCKS
@@ -247,6 +247,8 @@ def start_servers(options, threads):
             c.setListeningPort(options.raw_port)
         elif server is RPCRelayServer:
             c.setListeningPort(options.rpc_port)
+        elif server is LDAPRelayServer:
+            c.setListeningPort(options.ldap_port)
 
         s = server(c)
         s.start()
@@ -299,13 +301,15 @@ def stop_servers(threads):
     serversoptions.add_argument('--no-wcf-server', action='store_true', help='Disables the WCF server')
     serversoptions.add_argument('--no-raw-server', action='store_true', help='Disables the RAW server')
     serversoptions.add_argument('--no-rpc-server', action='store_true', help='Disables the RPC server')
+    serversoptions.add_argument('--no-ldap-server', action='store_true', help='Disables the LDAP server')
     serversoptions.add_argument('--no-winrm-server', action='store_true', help='Disables the WinRM server')
 
     parser.add_argument('--smb-port', type=int, help='Port to listen on smb server', default=445)
     parser.add_argument('--http-port', help='Port(s) to listen on HTTP server. Can specify multiple ports by separating them with `,`, and ranges with `-`. Ex: `80,8000-8010`', default="80")
     parser.add_argument('--wcf-port', type=int, help='Port to listen on wcf server', default=9389)  # ADWS
     parser.add_argument('--raw-port', type=int, help='Port to listen on raw server', default=6666)
     parser.add_argument('--rpc-port', type=int, help='Port to listen on rpc server', default=135)
+    parser.add_argument('--ldap-port', type=int, help='Port to listen on ldap server', default=389)
 
     parser.add_argument('--no-multirelay', action="store_true", required=False, help='If set, disable multi-host relay (SMB and HTTP servers)')
     parser.add_argument('--keep-relaying', action="store_true", required=False, help='If set, keeps relaying to a target even after a successful connection on it')
@@ -519,6 +523,9 @@ def stop_servers(threads):
     if not options.no_rpc_server:
         RELAY_SERVERS.append(RPCRelayServer)
 
+    if not options.no_ldap_server:
+        RELAY_SERVERS.append(LDAPRelayServer)
+
     if targetSystem is not None and options.w:
         watchthread = TargetsFileWatcher(targetSystem)
         watchthread.start()

diff --git a/impacket/examples/ntlmrelayx/attacks/__init__.py b/impacket/examples/ntlmrelayx/attacks/__init__.py
@@ -60,10 +60,14 @@ def __init__(self, config, client, username, target=None, relay_client=None):
         self.config = config
         self.client = client
         # By default we only use the username and remove the domain
-        self.username = username.split('/')[1]
-        # But we also store the domain for later use
-        self.domain = username.split('/')[0]
-        # -- 
+        # We handle both slashes since the username can be in either format
+        if '\\' in username:
+            self.domain, self.username = username.split('\\')
+        elif '/' in username:
+            self.domain, self.username = username.split('/')
+        else:
+            self.domain = ''
+            self.username = username
         self.target = target 
         self.relay_client = relay_client
 

diff --git a/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py b/impacket/examples/ntlmrelayx/clients/ldaprelayclient.py
@@ -164,6 +164,15 @@ def keepAlive(self):
             search_scope='BASE',
             attributes=['namingContexts'])
 
+    def login(self, user, password):
+        self.session.user = user
+        self.session.password = password
+        self.session.authentication = 'SIMPLE'
+        if self.session.bind():
+            return None, STATUS_SUCCESS
+        else:
+            return None, STATUS_ACCESS_DENIED
+
 class LDAPSRelayClient(LDAPRelayClient):
     PLUGIN_NAME = "LDAPS"
     MODIFY_ADD = MODIFY_ADD

diff --git a/impacket/examples/ntlmrelayx/servers/__init__.py b/impacket/examples/ntlmrelayx/servers/__init__.py
@@ -13,5 +13,6 @@
 from impacket.examples.ntlmrelayx.servers.wcfrelayserver import WCFRelayServer
 from impacket.examples.ntlmrelayx.servers.rawrelayserver import RAWRelayServer
 from impacket.examples.ntlmrelayx.servers.rpcrelayserver import RPCRelayServer
+from impacket.examples.ntlmrelayx.servers.ldaprelayserver import LDAPRelayServer
 from impacket.examples.ntlmrelayx.servers.winrmrelayserver import WinRMRelayServer
-from impacket.examples.ntlmrelayx.servers.winrmsrelayserver import WinRMSRelayServer
+from impacket.examples.ntlmrelayx.servers.winrmsrelayserver import WinRMSRelayServer