NTLM Relaying

30.04.2024 · dadevel

Domain Escalation through NTLM Relaying.

NTLM relay techniques (source)

General Steps:

  1. Coerce an NTLM Relay Source to authenticate to your system
  2. Forward the incoming authentication request from your system to an NTLM Relay Sink

As a rule of thumb, SMB can be relayed everywhere with NTLMv1, but with NTLMv2 only to SMB and HTTP. HTTP can be relayed everywhere, including LDAP. Source and sink must always be different systems.

Note: If impacket-ntlmrelayx fails to forward an incoming authentication request with Unsupported MechType 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism', the source is probably a Linux system running Samba.
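The error above comes from the SPNEGO negotiation: the client's negTokenInit carries a mechTypes list, and an NTLM-only acceptor such as the relay's SMB server looks at the first mechanism offered and gives up if it is not NTLMSSP. The following added example (not part of the original note and not impacket code) decodes such a DER-encoded mechTypes list into dotted OIDs and reproduces that first-mechanism check. The two byte strings are constructed samples; the OID constants are the well-known mechanism identifiers from MS-SPNG.

```python
"""Decode the mechTypes list of a SPNEGO negTokenInit and check whether an
NTLM-only SPNEGO acceptor would accept it (added illustration, not impacket code)."""

# Well-known SPNEGO mechanism OIDs in dotted form (MS-SPNG / RFC 4178 registrations)
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NEGOEX = "1.3.6.1.4.1.311.2.2.30"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
NAMES = {NTLMSSP: "NTLMSSP", NEGOEX: "NEGOEX", KRB5: "KRB5", MS_KRB5: "MS KRB5"}

# Constructed sample: SEQUENCE OF OID with NTLMSSP as the only mechanism
NTLM_ONLY = bytes.fromhex("300c" "060a2b06010401823702020a")
# Constructed sample: NEGOEX offered first, then KRB5, MS KRB5 and NTLMSSP
NEGOEX_FIRST = bytes.fromhex(
    "302e"
    "060a2b06010401823702021e"   # NEGOEX
    "06092a864886f712010202"     # KRB5
    "06092a864882f712010202"     # MS KRB5
    "060a2b06010401823702020a"   # NTLMSSP
)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    first, second = divmod(value[0], 40)  # first two arcs are packed into one byte
    arcs = [first, second]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit terminates a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_mech_types(der: bytes) -> list[str]:
    """Decode a DER SEQUENCE OF OID (the mechTypes field) into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF OID")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids


def relay_server_accepts(der: bytes) -> tuple[bool, str]:
    """Mimic an NTLM-only acceptor: only the first offered mechanism is considered."""
    first = parse_mech_types(der)[0]
    return first == NTLMSSP, NAMES.get(first, first)


if __name__ == "__main__":
    for label, sample in (("NTLM only", NTLM_ONLY), ("NEGOEX first", NEGOEX_FIRST)):
        ok, mech = relay_server_accepts(sample)
        print(f"{label}: offered {parse_mech_types(sample)}")
        print(f"  first mechanism {mech} -> {'accepted' if ok else 'Unsupported MechType'}")
```

When the first entry decodes to 1.3.6.1.4.1.311.2.2.30, the acceptor reports exactly the NEGOEX mechanism named in the error message, even though NTLMSSP may appear further down the list; that ordering, not a missing NTLM capability, is what trips the relay.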