ghostsurf: From NTLM Relay to Browser Session Hijacking
ID: aaed5fb4-0c00-52a4-ae13-f5e2327ddb08
STIX ID: report--aaed5fb4-0c00-52a4-ae13-f5e2327ddb08
Feed Name: SpecterOps Blog
**Ghostsurf** is a fork of `ntlmrelayx` that reworks the relay and SOCKS proxy to support interactive browser access through relayed NTLM-authenticated sessions. The author explains why the original `ntlmrelayx` SOCKS plugin fails with browsers (stateful NTLM tied to TCP, request collisions, and the tool’s basic-auth session-selection UX). The post then introduces serialization of requests via a mutex, preservation of browser headers, and an IIS/HTTP.sys kernel-mode workaround that probes paths to avoid dropping authenticated sessions. It also provides usage guidance, caveats (single TCP session, no WebSocket support), and example targets (enterprise password managers and other IIS sites).
