NTLM Relay Attacks: A Persistent Threat in Domain Environments


Despite being around for a long time, NTLM relay attacks remain one of the most effective methods to compromise domain-joined systems. SpecterOps has introduced new NTLM relay edges in BloodHound to visualize these attack paths. For a deeper dive, check out Elad Shamir’s detailed analysis: https://ghst.ly/4lv3E31.

You Should Know:

1. Understanding NTLM Relay Attacks

NTLM relay attacks exploit the NTLM challenge-response protocol: an attacker positioned between a client and a server intercepts the client's authentication attempt and forwards the exchange to another service that accepts NTLM, so the attacker is authenticated there as the victim without knowing the password or cracking any hash.

2. Key Commands and Tools

  • Impacket’s ntlmrelayx.py:
    python3 ntlmrelayx.py -t ldap://DOMAIN_CONTROLLER -smb2support

    This command sets up a relay server targeting a domain controller via LDAP.

  • Responder for Capturing Hashes:

    python3 Responder.py -I eth0 -dwv

    Enables hash capture on the network interface (`eth0`).

  • Mitigating with SMB Signing:
    Require SMB signing on the server side (the setting that makes a relayed session get rejected) as well as on the client side; domain-wide, the same is enforced through the "Digitally sign communications (always)" security policies:

    Set-SmbServerConfiguration -RequireSecuritySignature $true
    Set-SmbClientConfiguration -RequireSecuritySignature $true

3. BloodHound Integration

SpecterOps’ BloodHound now visualizes NTLM relay attack paths. Use the following Cypher query to identify vulnerable edges:

// BloodHound names these edges CoerceAndRelayNTLMToSMB, ...ToLDAP, ...ToLDAPS and ...ToADCS
MATCH p=(n)-[r]->(m) WHERE type(r) STARTS WITH "CoerceAndRelayNTLM" RETURN p

4. Defensive Measures

  • Disable NTLM (legacy LM/NTLMv1):
    LmCompatibilityLevel 5 refuses LM and NTLMv1 and makes clients send NTLMv2 only; note that NTLMv2 can still be relayed, which is why signing and EPA remain necessary.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5

  • Enable EPA (Extended Protection for Authentication):
    EPA is configured per service; for LDAP on domain controllers, enforce channel binding so a relayed NTLM authentication is rejected:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding" -Value 2

5. Detection with Windows Event Logs

Monitor Event ID 4624 (successful logons, in particular Logon Type 3 with Authentication Package NTLM) and 4648 (logons with explicit credentials) for anomalies, such as a Workstation Name that does not match the source network address.
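As an added example (not from the original post or SpecterOps), the following Python applies one relay heuristic to 4624 records: a relayed NTLM logon carries the victim's Workstation Name unchanged but arrives from the relay host's IP, so a mismatch between that name and the address a host inventory expects is worth triaging. The inventory, the event field layout and the sample events are constructed assumptions.

```python
"""Heuristic NTLM relay triage over Windows 4624 logon events (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    event_id: int       # 4624 = successful logon
    logon_type: int     # 3 = network logon
    auth_package: str   # "NTLM" or "Kerberos"
    target_user: str
    workstation: str    # client-supplied name; a relay forwards it unchanged
    ip_address: str     # observed TCP source, i.e. the relay host when relayed


# Hypothetical inventory (constructed): the IP each workstation should come from.
HOST_INVENTORY = {"WS01": "10.0.0.11", "WS02": "10.0.0.12", "FILESRV": "10.0.0.20"}


def relay_findings(events, inventory=HOST_INVENTORY):
    """Return (event, reason) pairs for NTLM network logons worth investigating."""
    findings = []
    for ev in events:
        # Only NTLM network logons can be the product of a relay.
        if ev.event_id != 4624 or ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        expected = inventory.get(ev.workstation.upper())
        if expected is None:
            findings.append((ev, "workstation not in inventory"))
        elif expected != ev.ip_address:
            findings.append((ev, f"workstation {ev.workstation} expected from {expected}"))
    return findings


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "NTLM", "alice", "WS01", "10.0.0.11"),            # normal
    LogonEvent(4624, 3, "Kerberos", "bob", "WS02", "10.0.0.12"),          # not NTLM, ignored
    LogonEvent(4624, 3, "NTLM", "alice", "WS01", "10.0.0.99"),            # name/IP mismatch
    LogonEvent(4624, 2, "NTLM", "carol", "WS02", "10.0.0.12"),            # interactive, ignored
    LogonEvent(4624, 3, "NTLM", "svc_backup", "DESKTOP-X1", "10.0.0.99"),  # unknown host
]

if __name__ == "__main__":
    for ev, reason in relay_findings(SAMPLE_EVENTS):
        print(f"{ev.target_user} from {ev.ip_address} as {ev.workstation}: {reason}")
```

Multi-homed hosts, VPN clients and DHCP churn produce mismatches too, so treat a hit as a triage lead and confirm against the source host's own 4624/4648 records.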

What Undercode Says:

NTLM relay attacks persist due to legacy systems and misconfigurations. Mitigation requires a layered approach:
– Enforce SMB Signing and disable NTLM where possible.
– Monitor authentication logs for suspicious relay attempts.
– Leverage BloodHound to map attack paths preemptively.

Expected Output:

A hardened domain environment with reduced NTLM relay attack surfaces, logged events for suspicious activities, and BloodHound visualizations for proactive defense.

For further reading, refer to the original SpecterOps article: https://ghst.ly/4lv3E31.

References:

Reported By: Jonas Bk – Hackers Feeds