NTLM Relaying via Cobalt Strike
After successfully forcing a victim to authenticate with LM or NTLM to an attacker's server, the attacker can try to relay that authentication to targets of his choosing. Depending on the mitigations in place, he will be able to move laterally and escalate privileges within an Active Directory domain.
The NTLM authentication messages are embedded in the packets of application protocols such as SMB, HTTP, MSSQL, SMTP and IMAP. The LM and NTLM authentication protocols are "application protocol-independent". This means LM or NTLM authentication messages received over one protocol, say HTTP, can be relayed over another, say SMB. This is called cross-protocol LM/NTLM relay. It also means the relays and attacks that are possible depend on the application protocol the authentication messages are embedded in.
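For defenders inspecting captured traffic, the protocol independence described above means the same NTLMSSP token can be recognised whatever carried it. The following is an added example, not code from the original page or from Impacket: it locates NTLMSSP messages in an HTTP header or a binary payload and decodes the message type and a few negotiate flags, using the field offsets from the MS-NLMP layout. The function names and sample payloads are constructed for illustration.

```python
import base64
import re
import struct

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # where NegotiateFlags sits per message type
FLAGS = {
    0x00000010: "NEGOTIATE_SIGN",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
}
HTTP_NTLM = re.compile(
    rb"(?:Authorization|WWW-Authenticate):\s*(?:NTLM|Negotiate)\s+([A-Za-z0-9+/=]+)", re.I)

def extract_tokens(payload: bytes) -> list[bytes]:
    """Return every NTLMSSP token in a payload, whatever protocol carried it."""
    blobs = [payload]
    for match in HTTP_NTLM.finditer(payload):
        try:
            blobs.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:
            continue  # header value is not valid base64, skip it
    tokens = []
    for blob in blobs:
        start = blob.find(SIGNATURE)
        while start != -1:
            tokens.append(blob[start:])
            start = blob.find(SIGNATURE, start + 1)
    return tokens

def parse_token(token: bytes) -> dict:
    """Decode message type and negotiate flags; reject malformed tokens."""
    if len(token) < 12 or not token.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", token, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(token) < offset + 4:
        raise ValueError("unknown type or truncated NTLMSSP message")
    (flags,) = struct.unpack_from("<I", token, offset)
    return {"type": MESSAGE_TYPES[msg_type],
            "flags": sorted(name for bit, name in FLAGS.items() if flags & bit)}

# Constructed sample: one NEGOTIATE message, carried two different ways.
NEGOTIATE = SIGNATURE + struct.pack("<II", 1, 0x00088210) + bytes(16)
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nAuthorization: NTLM " + base64.b64encode(NEGOTIATE) + b"\r\n\r\n"
BINARY_SAMPLE = b"\x00" * 7 + NEGOTIATE  # stand-in for a binary carrier, not real SMB framing
```

Both samples parse to the same message type and flags, which is why monitoring for NTLM has to cover every application protocol that can carry it.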
The chart below sums up the expected behavior of cross-protocol relay attacks depending on the mitigations in place. All the tests and results listed in the chart were obtained using Impacket's ntlmrelayx (Python).
The following mindmap sums up the overall attack paths of NTLM relay. Gabriel Prudhomme explains how to read it here: BHIS | Coercions and Relays – The First Cred is the Deepest (at 08:00).
Session signing is a powerful but limited mitigation against NTLM relay that only SMB and LDAP can use.