Talk

NTLM relay, the attack that keeps on giving

conf 2022-11-16 11:45 – 12:30 La Marive EN

As an attacker in a Windows environment, obtaining high privileges and accessing sensitive data often requires abusing Active Directory capabilities and its myriad of supported protocols. NTLM (NT LAN Manager), the dinosaur of authentication protocols, still has many happy days ahead even though significantly better alternatives are available.

After years of NTLM relay abuse and with the rise of dedicated tooling, Microsoft has addressed several protocol issues (PrivExchange, Drop the MIC 1 and 2, relaying to RPC, PetitPotam), and measures exist for services to enforce integrity checks (signing, channel binding) and defeat relay attacks. However, because of backward compatibility and misconfigurations, the technique still works to this day.

In this talk, we discuss vulnerabilities identified during the last two years (CVE-2020-1113, found by myself, and CVE-2021-26414, first found by another researcher) and review the remaining attack surface.
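The abstract above says that services can enforce integrity checks to defeat relaying, and that the remaining attack surface is largely a matter of which hosts have not turned those checks on. The following PowerShell audit is an added example, not material from the talk or its speaker: it reads the documented registry values behind SMB signing, LDAP signing, LDAP channel binding and the DCOM activation hardening that Microsoft shipped for CVE-2021-26414 (KB5004442), and compares them with a hardened baseline. The baseline values and the function name `Get-NtlmRelayHardening` are this example's own assumptions; the registry paths and value names are Microsoft's.

```powershell
# Added example (not from the talk): audit host settings that defeat NTLM relay
# by requiring integrity (signing) or channel binding. Registry paths and value
# names are the documented Microsoft ones; "Expected" is an assumed hardened
# baseline (1 = required for SMB, 2 = required/always for LDAP, 1 = enabled for
# the DCOM hardening of CVE-2021-26414).
$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAP channel binding always (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Expected = 2 },
    @{ Name = 'LDAP client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Value = 'LDAPClientIntegrity'; Expected = 2 },
    @{ Name = 'DCOM activation hardening (CVE-2021-26414, KB5004442)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
       Value = 'RequireIntegrityActivationAuthenticationLevel'; Expected = 1 }
)

function Get-NtlmRelayHardening {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            # Read a single value; a missing value yields $null rather than an error.
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }
        $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $shown
            Expected = $c.Expected
            Hardened = ($actual -eq $c.Expected)
        }
    }
}

# Run locally; use Invoke-Command to fan out across domain controllers and servers.
Get-NtlmRelayHardening | Format-Table -AutoSize
```

Read "(not set)" with care: an absent value means the build's default applies, and that default differs between Windows versions (LDAP signing defaults to negotiate rather than require, and on builds past Microsoft's enforcement phase the DCOM hardening is on regardless of the key), so treat it as a prompt to check that build's default rather than as an automatic fail. The NTDS values only mean something on domain controllers; on member servers they are simply absent.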