NTLM Relay

Locating Targets
NTLM relaying is the essence of black-box network penetration tests. Intercepted or coerced authentication attempts can be relayed to a variety of protocols for different effects - most of them resulting in some level of initial access. Microsoft has implemented protections for each of the protocols listed below, but 95% of Active Directory environments are still misconfigured and vulnerable.
SMB
Servers lacking SMB signing allow you to access network file shares, or to fully compromise the machine if the relayed user is a local Administrator on it.

nxc smb 10.10.10.0/24 --gen-relay-list relayable.txt

LDAP/LDAPS
Domain Controllers lacking LDAPS channel binding or LDAP message signing allow you to get an authenticated LDAP session as your relayed victim. This opens up a variety of attacks - relaying a Domain Admin allows you to create a new backdoor Domain Admin account, relaying a computer allows you to perform an RBCD attack, etc. The most common result is the creation of a foothold computer account by a low-privilege user, but the possibilities are huge. I made a tool called tango.py that automates this and the next few checks.
python tango.py -d contoso.com -ns 10.10.10.10 -r 10.10.10.0/24

ADCS
Certification authorities that support web-based certificate enrollment may be vulnerable to the ESC8 attack if they accept NTLM authentication. This is pretty easy to check manually once you know which server the CA is - just curl the /certsrv/ endpoint and look for a WWW-Authenticate: NTLM header in the response.
ESC8 allows you to request certificates for authentication on behalf of your relayed victim - fully compromising the user or machine. This is commonly paired with coercion to fully compromise domain controllers as an authenticated user.
tango.py will find the CA web portal for you as well.
MSSQL
Last but not least are MSSQL servers. There isn't a great way to check for relay protections on them, so I typically just port scan the network for 1433 and test them all. tango.py does this as well.
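The protections referred to above are all server-side settings, and the quickest way to confirm why a host showed up as relayable is to read them on the host itself. The following PowerShell audit is an added example written for this page; it is not part of tango.py, nxc or any other tool mentioned here. The registry values it reads are Microsoft's documented settings for SMB signing, LDAP signing and channel binding, and MSSQL Extended Protection; the MSSQL instance key naming and the IIS site/application names used for the CertSrv check (`Default Web Site/CertSrv`) are assumptions that may need adjusting for a given environment. It reports each protocol as Relayable when the setting is anything other than the enforced value.

```powershell
# Added example: audit the server-side NTLM relay mitigations on the local host.
# Not part of the original page's tooling. Run elevated on the server, DC, SQL host
# or CA web-enrollment server you want to check.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> the (weaker) default applies
}

function Test-NtlmRelayMitigations {
    $findings = @()

    # SMB: signing must be *required* on the server side; "enabled" alone is relayable.
    $smb = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
    $findings += [pscustomobject]@{
        Protocol = 'SMB'; Setting = 'RequireSecuritySignature'; Value = $smb
        Relayable = ($smb -ne 1)
        Fix = 'RequireSecuritySignature=1 ("Microsoft network server: Digitally sign communications (always)")'
    }

    # LDAP / LDAPS: only present on Domain Controllers.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path $ntds) {
        $sign = Get-RegDword $ntds 'LDAPServerIntegrity'        # 2 = require signing
        $cbt  = Get-RegDword $ntds 'LdapEnforceChannelBinding'  # 2 = always require CBT
        $findings += [pscustomobject]@{
            Protocol = 'LDAP'; Setting = 'LDAPServerIntegrity'; Value = $sign
            Relayable = ($sign -ne 2)
            Fix = 'LDAPServerIntegrity=2 ("LDAP server signing requirements: Require signing")'
        }
        $findings += [pscustomobject]@{
            Protocol = 'LDAPS'; Setting = 'LdapEnforceChannelBinding'; Value = $cbt
            Relayable = ($cbt -ne 2)
            Fix = 'LdapEnforceChannelBinding=2 ("LDAP server channel binding token requirements: Always")'
        }
    }

    # MSSQL: Extended Protection for Authentication, 2 = Required.
    # Instance subkey names (MSSQLxx.INSTANCE) are enumerated; this layout is an assumption.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'MSSQL*.*' } |
        ForEach-Object {
            $ssnl = Join-Path $_.PSPath 'MSSQLServer\SuperSocketNetLib'
            $ep = Get-RegDword $ssnl 'ExtendedProtection'
            $findings += [pscustomobject]@{
                Protocol = "MSSQL ($($_.PSChildName))"; Setting = 'ExtendedProtection'; Value = $ep
                Relayable = ($ep -ne 2)
                Fix = 'Set Extended Protection to Required (ExtendedProtection=2) in SQL Configuration Manager'
            }
        }

    # ADCS web enrollment: Windows auth on /CertSrv must require EPA (tokenChecking=Require).
    # Site and application names are assumptions; adjust for non-default deployments.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $tc = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/CertSrv' `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking' -ErrorAction SilentlyContinue
        if ($null -ne $tc) {
            # Depending on the PowerShell version the cmdlet returns a string or an object with .Value
            $tcVal = if ($tc.PSObject.Properties['Value']) { $tc.Value } else { "$tc" }
            $findings += [pscustomobject]@{
                Protocol = 'ADCS (CertSrv)'; Setting = 'extendedProtection.tokenChecking'; Value = $tcVal
                Relayable = ($tcVal -ne 'Require')
                Fix = 'Set Extended Protection to Required on the CertSrv Windows Authentication and serve it over HTTPS only'
            }
        }
    }

    return $findings
}

Test-NtlmRelayMitigations | Format-Table Protocol, Setting, Value, Relayable, Fix -AutoSize -Wrap
```

A `$null` in the Value column means the value is not set and the default applies, which for every setting here is the non-enforcing one; treat it the same as an explicit weak value. The checks are per host, so run the script on each server that a relay list or tango.py flagged rather than relying on a single DC's results.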
Impacket Relays
There are a lot of tools out there that can handle the above attacks, but above them all is ntlmrelayx. It is a flexible tool that can handle any of the required protocols and comes with tons of post-relay options. Below are two relays I use on almost every test, one for LDAP shell farming and the other for exploiting ESC8.
LDAP from HTTP Auth
ntlmrelayx.py -6 -t ldap://10.0.10.10 --no-da --no-acl --no-dump -of LOG --no-smb-server --no-validate-privs --keep-relaying -i
# --no-da/--no-acl/--no-dump skip the automatic post-relay actions, --keep-relaying keeps the
# listener up after a success, and -i drops each relayed session into an interactive LDAP shell.

ESC8 from SMB/HTTP Auth
Keep in mind that certificate templates can be renamed, disabled or changed in other ways. You may need to add --template for Domain Controller templates, for example.
ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs -of LOG