Skip to content
feed: live
>_ 0dayNews
threat intel

Metasploit adds HTTP-to-SMB NTLM relay, RISC-V payloads

Rapid7's July 17 Metasploit wrap-up ships a Windows HTTP-to-SMB NTLM relay module, RISC-V shell payloads, and 421 new fetch-style variants. Check SMB signing tonight.

Metasploit adds HTTP-to-SMB NTLM relay, RISC-V payloads
Image: 0dayNews / 0dayNews Editorial · All rights reserved
fuse Marisol "Fuse" Delgado · Published · 3 min read

Rapid7’s Metasploit wrap-up landed on 2026-07-17 with one module worth reading before the rest of the drop: server/relay/http_to_smb — a Windows HTTP-to-SMB relay that takes incoming NTLM HTTP authentication and relays it to SMB targets to open a session against them. Contributed by jheysel-r7. That’s the whole news.

What to actually do

NTLM relay from HTTP to SMB is a documented technique with public tooling behind it already; what ships this week is a first-class Metasploit module for it.

Priority order for tonight:

  • Require and enforce SMB signing on every server, not just domain controllers. Group Policy Microsoft network server: Digitally sign communications (always) set to Enabled, and the client-side equivalent set the same. If you have to leave one exception, write it down and put a review date on it.
  • Turn off NTLM where you can, and where you can’t, restrict where NTLM traffic is accepted with the Restrict NTLM policies. Kerberos-only inside the estate is the destination; NTLM disabled outbound at the edge is the minimum.
  • Inventory what still triggers NTLM over HTTP. Intranet portals with Windows Integrated Authentication, print servers, MFP scan-to-share, WSUS, WebDAV endpoints, IIS sites nobody remembers standing up. Wherever a browser or an HTTP client can be walked into an NTLM prompt is the ingress the module’s server side consumes.
  • Confirm Extended Protection for Authentication (EPA) is on and channel binding is actually configured on inbound HTTP surfaces where NTLM is accepted — not just that the checkbox was ticked in a build spec somewhere.

None of that is a Metasploit reaction. It is the standing SMB-hardening list Microsoft has published for years. The module is the reason to open it back up tonight.

The rest of the drop

Two other pieces of the wrap-up matter for infrastructure planning, not for tonight’s on-call.

RISC-V shell payloads. The framework now carries 32-bit and 64-bit RISC-V shell payloads, both staged and stageless, plus four Byte XORi Encoder variants (contributor: bcoles) for the same architectures. Per Rapid7, coverage is for both target widths staged and stageless. For any fleet that already includes RISC-V hardware — embedded appliances, IoT gateways, dev-board deployments — Metasploit’s shell-payload coverage now extends to those hosts.

Linux Fetch Multi and 421 new payloads. Fetch payloads are the small stager-fetching primitives that pull the real payload down over FTP, HTTP, HTTPS, or TFTP after initial access. The Multi variant now identifies architecture on the fly at runtime, so a single payload does not need to be pre-picked for x86-64 versus ARM64 versus anything else. The 421 new Linux/Windows fetch-style payloads across those four protocols expand the variant space defenders using byte-signature detection have to enumerate. Detect on the behaviour (unusual outbound FTP, TFTP to internet destinations, HTTP GETs of small binary blobs from unfamiliar hosts), not the byte pattern.

Two smaller enhancements sit alongside those: CertificateTrace now surfaces the TLS peer certificate on HTTPS connections in framework logs, and the Windows service PE template moved to an injected-segment methodology. Neither changes anyone’s exposure. Both change the outputs and generated binaries the framework produces. Re-tune detection rules that were keyed on the prior artefacts when there is a slow week.

The priority call

SMB signing first. RISC-V asset inventory second — put a review date on the ticket rather than leave it open indefinitely. Retune EDR fetch-behaviour rules third, when there is time. The relay module is the reason to check the first item tonight rather than defer it again.

Related coverage: Metasploit Weekly Adds Flowise CSV, macOS PackageKit, Metasploit’s July 3 Drop: SMB-to-Meterpreter, Peyara.

Sources

Found this useful? Share it.