The Setup That Looked Easy

Internal pentest. Low-privileged domain credentials provided by the client. Standard assumed-breach scenario.

Initial recon painted a promising picture:

nxc smb 10.10.10.0/24 -u testuser -p 'Provided2025!' --gen-relay-list relay.txt

Both Domain Controllers — SMB signing disabled. Coercion scan confirmed every flavor was on the menu:

nxc smb 10.10.10.11 -u testuser -p 'Provided2025!' -M coerce_plus
SMB  10.10.10.11  445  DC02  VULNERABLE, DFSCoerce
SMB  10.10.10.11  445  DC02  VULNERABLE, PetitPotam
SMB  10.10.10.11  445  DC02  VULNERABLE, PrinterBug
SMB  10.10.10.11  445  DC02  VULNERABLE, MSEven

SMB signing off on DCs + every coercion technique working = textbook relay scenario. Should be straightforward. Right?
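What the "signing disabled" finding means on the wire, as an added example that is not part of the original write-up: a minimal SMB2 NEGOTIATE exchange that reads the server's SecurityMode flags. nxc's signing:False corresponds to the SIGNING_REQUIRED bit being clear (a server can have signing enabled yet not required, which is what a relay needs), and the same probe lets a defender confirm the setting after the signing GPO is pushed. It assumes direct TCP/445 reachability; host names come from the caller.

```python
import socket
import struct
import uuid

# SMB2 NEGOTIATE SecurityMode flags (MS-SMB2 2.2.3 request / 2.2.4 response)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)  # SMB 2.0.2, 2.1, 3.0, 3.0.2

def build_negotiate_request(dialects=DIALECTS):
    """SMB2 NEGOTIATE request inside a NetBIOS session header (4 bytes, big-endian length)."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack(f"<{len(dialects)}H", *dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg

def parse_negotiate_response(msg):
    """Take the SMB2 message (NetBIOS header stripped) and report the server's signing policy."""
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 response (SMB1-only or non-SMB listener)")
    status = struct.unpack_from("<I", msg, 8)[0]  # NTSTATUS sits at header offset 8
    if status != 0:
        raise ValueError(f"NEGOTIATE failed, NTSTATUS 0x{status:08x}")
    _size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)  # body follows the 64-byte header
    return {"dialect": dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def relay_exposed(info):
    """nxc's 'signing:False' is exactly this: signing may be enabled, but the server does not require it."""
    return not info["signing_required"]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        buf += chunk
    return buf

def check_signing(host, port=445, timeout=5):
    """Audit one host over TCP/445 and return its negotiated dialect and signing flags."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = int.from_bytes(_recv_exact(s, 4)[1:], "big")  # NetBIOS header: 0x00 + 24-bit length
        return parse_negotiate_response(_recv_exact(s, length))

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. your own DCs, before and after enforcing signing
        info = check_signing(host)
        print(f"{host}: dialect 0x{info['dialect']:04x} signing_required={info['signing_required']}"
              f" relay_exposed={relay_exposed(info)}")
```

Domain Controllers require signing by default through the Default Domain Controllers Policy, so a DC answering with SIGNING_REQUIRED clear indicates that policy was overridden somewhere, which is the finding to chase.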