NTLM relay attacks have been a well-known opportunity to perform attacks against Microsoft Windows environments for a while and they remain usually successful. The magic with NTLM relay attacks? You don’t need to lose time to crack the hashes, just relay them to the victim machine. To achieve this, we need a “responder” that will capture the authentication session on a system and relay it to the victim. A lab is easy to setup: Install the Responder framework[1]. The framework contains a tool called MultiRelay.py which helps to relay the captured NTLM authentication to a specific target and, if the attack is successful, execute some code! (There are plenty of blog posts that explain in details how to (ab)use of this attack scenario).
I was aware of a case where attackers implemented an NTLM relay on a first victim's host and waited for some SMB authentication. The vulnerability scanner used credentials to perform an authenticated scan and its connection details were automatically reused to pivot internally and infect more hosts. Seen that such users have more rights to do their job, it's always an interesting candidate for attackers. So keep in mind that using security tools could also introduce some new risks! By the way, how to protect yourself against this type of attack? Use SMBv3 and enable SMB signing[2]! Xavier Mertens (@xme) |
Xme 687 Posts ISC Handler May 16th 2019 |
Thread locked Subscribe |
May 16th 2019 3 years ago |
One way to detect this is to look for logins by the vulnerability scanner service account that are NOT from (source IP) the vulnerability scanner(s).
Craig Bowser SEC555 Mentor |
Anonymous |
Quote |
May 16th 2019 3 years ago |
If we instead use certificate based authentication, this should not be an issue?
|
Adi 2 Posts |
Quote |
May 17th 2019 3 years ago |
Sign Up for Free or Log In to start participating in the conversation!