Advanced Credential Relaying Techniques and How to Thwart Them
NTLM Relay is one of the oldest and most popular attack techniques, and it can have a devastating effect on an organization. Consequently, Microsoft has developed various mitigations over the years to thwart such attacks. We will discuss the most significant of these mitigations: session signing, the message integrity code (MIC) and enhanced protection for authentication (EPA). We will review the vulnerabilities we previously discovered that allowed us to bypass all of these mitigations and perform NTLM Relay against any desired target, whether located in the on-prem perimeter or in the cloud, federated by an ADFS server. We will then present several new vulnerabilities we discovered in the infamous NTLM protocol, which allowed us to remove the MIC yet again (AKA Drop the MIC 2) and to target clients that send LMv2 responses in order to perform NTLM Relay while tampering with any desired field in the authentication message. In addition, we will talk about the advances made on the defensive side to further battle credential relaying, one of which is a change to the default configuration that enables LDAP signing and LDAPS channel binding starting in January 2020.