ghostsurf — browser session hijacking via NTLM relay

⚙️ Tools | 2026-04-06, 13:08
ghostsurf is a tool for performing NTLM relay attacks against HTTP/HTTPS targets, built on the ntlmrelayx module. It allows an attacker to browse a web application as the targeted user via an integrated SOCKS5 proxy.

Features:
📍 Supports multiple users with automatic active session selection.
📍 Bypasses IIS/HTTP.sys kernel-mode authentication using a preliminary probe request.
📍 Preserves the User-Agent and Cookie headers to maintain proper application behavior.
Unlike WebRelayX, ghostsurf does not scan HTTP/HTTPS resources for NTLM authentication.
Vendors: Specterops, Github, Senderend
Products: Ghostsurf, Http.Sys, Iis, Ntlmrelayx, Webrelayx