NTLM Relay Attacks: Exploiting Authentication in Active Directory
Introduction to NTLM Relay Attacks
NTLM Relay attacks are a sophisticated technique used by attackers to exploit the NTLM authentication protocol in Windows networks. These attacks allow an attacker to intercept and relay authentication attempts to gain unauthorized access to network resources, potentially leading to lateral movement and privilege escalation within an Active Directory environment.
How NTLM Relay Attacks Work
NTLM Relay attacks exploit a fundamental weakness in the NTLM protocol: the lack of mutual authentication. The client's challenge response proves knowledge of its password hash, but unless signing or channel binding is in use it carries nothing that ties it to the server it was meant for, so whoever receives it can present it to another server. Here's a step-by-step breakdown of how these attacks typically unfold:
1. The attacker positions themselves between a client and a server (Man-in-the-Middle).
2. The client initiates an authentication request to the server.
3. The attacker intercepts this request and forwards it to the target server.
4. The target server responds with an NTLM challenge.
5. The attacker relays this challenge back to the client.
6. The client, believing it's communicating with the intended server, responds to the challenge.
7. The attacker relays the client's response to the target server, completing the authentication.
8. The attacker now has an authenticated session with the target server, impersonating the client.
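The following toy model walks through the eight steps above and then shows why channel binding (the mechanism behind Extended Protection for Authentication) breaks the relay. It is an added illustration, not code from this post or from any of the tools it names, and it simplifies NTLM deliberately: the user key is a SHA-256 stand-in for the NT hash, the response is an HMAC over the challenge rather than the real NTLMv2 blob (which uses HMAC-MD5), and the channel id stands in for the TLS certificate hash that EPA mixes into the response. Server names, the user "alice" and the password are constructed sample values.

```python
"""Toy NTLM challenge/response, the relay, and channel binding (EPA).

Added illustration; not code from the post, Impacket or Responder.
Assumptions: SHA-256 stand-in for the NT hash, HMAC-SHA256 response instead
of the NTLMv2 blob, and a fixed per-endpoint channel id instead of a TLS
certificate hash.
"""
import hashlib
import hmac
import os


def derive_key(password: str) -> bytes:
    # Stand-in for the NT hash (really MD4 of the UTF-16LE password); the
    # exact function is irrelevant to the relay mechanics shown here.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(key: bytes, challenge: bytes, endpoint_channel_id: bytes,
                    use_binding: bool) -> bytes:
    """The client proves knowledge of `key` by keying a MAC over the challenge.
    With channel binding it also mixes in the identity of the channel it is
    actually connected to, i.e. whatever endpoint answered its connection."""
    binding = endpoint_channel_id if use_binding else b""
    return hmac.new(key, challenge + binding, hashlib.sha256).digest()


class Server:
    """A service that authenticates users by NTLM-style challenge/response."""

    def __init__(self, name: str, users: dict, use_binding: bool):
        self.name = name
        self.users = users            # username -> key derived from the password
        self.use_binding = use_binding
        # Stands in for the hash of this endpoint's own TLS certificate.
        self.channel_id = hashlib.sha256(f"cert-of-{name}".encode()).digest()[:16]

    def new_challenge(self) -> bytes:
        return os.urandom(8)          # the NTLM server challenge is 8 bytes

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self.users.get(user)
        if key is None:
            return False
        # The server binds to ITS OWN channel, never to a value the peer supplies.
        binding = self.channel_id if self.use_binding else b""
        expected = hmac.new(key, challenge + binding, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


PASSWORD = "Winter2024!"               # constructed sample credential


def direct_logon(use_binding: bool) -> bool:
    """Legitimate case: the client connects straight to FILESRV."""
    key = derive_key(PASSWORD)
    target = Server("FILESRV", {"alice": key}, use_binding)
    chal = target.new_challenge()
    resp = client_response(key, chal, target.channel_id, use_binding)
    return target.verify("alice", chal, resp)


def relayed_logon(use_binding: bool) -> bool:
    """Steps 1-8: the client's connection lands on a relaying endpoint, which
    obtains FILESRV's challenge, hands it to the client and forwards the answer.
    Returns True if FILESRV accepts the relayed authentication."""
    key = derive_key(PASSWORD)
    target = Server("FILESRV", {"alice": key}, use_binding)
    relay = Server("RELAY", {}, use_binding)     # endpoint the client really reached
    chal = target.new_challenge()                # relay opens a session to the target
    resp = client_response(key, chal, relay.channel_id, use_binding)  # answered on the relay's channel
    return target.verify("alice", chal, resp)    # relay forwards the answer unchanged


if __name__ == "__main__":
    print("direct, no binding :", direct_logon(False))   # True
    print("relayed, no binding:", relayed_logon(False))  # True: the relay succeeds
    print("direct, binding    :", direct_logon(True))    # True
    print("relayed, binding   :", relayed_logon(True))   # False: bound to the wrong channel
```

The same reasoning explains why SMB and LDAP signing are effective: the session key used for signing is derived from the user's secret, which the relaying party never learns, so an authenticated-but-unsigned session is all it can obtain once the server insists on signatures.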
Types of NTLM Relay Attacks
There are several variations of NTLM Relay attacks, each targeting different protocols or services:
- SMB Relay: Relaying NTLM authentication to access file shares or execute commands via SMB.
- LDAP Relay: Relaying authentication to perform operations on the Active Directory database.
- HTTP Relay: Exploiting web-based authentication to access protected resources or execute actions.
- MSSQL Relay: Relaying authentication to gain access to Microsoft SQL Server instances.
Tools Used for NTLM Relay Attacks
Several tools are commonly used to perform NTLM Relay attacks:
- Responder: A powerful tool for poisoning LLMNR/NBT-NS responses and capturing NTLM hashes.
- ntlmrelayx (Impacket): A versatile tool for performing various types of NTLM Relay attacks.
- Metasploit: Contains modules for NTLM Relay attacks, integrated into a comprehensive penetration testing framework.
- Inveigh: A Windows PowerShell LLMNR/NBNS spoofer and man-in-the-middle tool.
Command Examples for NTLM Relay Attacks
Here are some command examples demonstrating NTLM Relay attacks using different tools:
python3 ntlmrelayx.py -t smb://192.168.1.100 -smb2support
Use ntlmrelayx to perform an SMB Relay attack
python3 ntlmrelayx.py -t ldap://192.168.1.10 -escalate-user user1
Perform an LDAP Relay attack and escalate privileges for user1
python3 ntlmrelayx.py -tf targets.txt -smb2support -c "whoami /all"
Relay to multiple targets and execute a command
Detecting NTLM Relay Attacks
Detecting NTLM Relay attacks can be challenging, but there are several indicators and techniques that can help:
- Monitor for multiple failed logon attempts followed by successful ones, especially from unexpected source IP addresses.
- Look for discrepancies between the source IP of the authentication request and the workstation name in the logon event.
- Analyze Windows Event logs, particularly Event ID 4624 (successful logon) and 4625 (failed logon).
- Use network traffic analysis tools to identify suspicious NTLM traffic patterns.
- Implement and monitor honeypot accounts that should never be used for legitimate authentication.
- Utilize advanced security information and event management (SIEM) solutions with user behavior analytics capabilities.
Command Examples for Detection
Here are some command examples to help detect potential NTLM Relay attacks:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} | Where-Object { $_.Properties[8].Value -eq 3 -and $_.Properties[18].Value -notin @('-','127.0.0.1','::1') -and ($(try { [System.Net.Dns]::GetHostAddresses($_.Properties[11].Value).IPAddressToString } catch { @() }) -notcontains $_.Properties[18].Value) }
PowerShell command listing network logons (LogonType, Properties[8], equal to 3) whose source IP (Properties[18]) is not an address the workstation name in the event (Properties[11]) resolves to; names that do not resolve at all are also listed, since a raw IP string never equals a hostname and must be compared against the resolved addresses
netsh trace start capture=yes tracefile=c:\ntlm_trace.etl
Start a network trace to capture NTLM traffic for analysis
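The indicators listed above can be applied to exported events offline. The script below is an added example, not code from this post: it reads constructed Security events in a one-JSON-object-per-line shape (field names follow the 4624/4625 event schema), flags network logons whose source IP is not one the named workstation is known to use, flags any logon as a decoy account, and flags a success from an address that just produced repeated failures. The asset inventory, the decoy account name and the sample events are all constructed for the demonstration; in practice the inventory comes from DHCP, DNS or the CMDB.

```python
"""Relay-oriented triage of Windows Security events.

Added example, not code from the post. Events are constructed, one JSON
object per line; the inventory and decoy account are assumptions.
"""
import json
from collections import Counter

# Constructed inventory: workstation name -> addresses it legitimately uses.
INVENTORY = {
    "WS01": {"10.0.1.20"},
    "WS02": {"10.0.1.21"},
    "FILESRV": {"10.0.2.5"},
}
# Constructed decoy account; nothing legitimate should ever log on as it.
HONEYPOT_ACCOUNTS = {"svc_backup_decoy"}
# Values the IpAddress field carries when there is no usable network peer.
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}
FAILURE_THRESHOLD = 2   # 4625s from one address before a 4624 from it is suspicious

SAMPLE_EVENTS = [  # constructed, in arrival order
    '{"EventID":4624,"LogonType":3,"TargetUserName":"alice","WorkstationName":"WS01","IpAddress":"10.0.1.20","AuthenticationPackageName":"NTLM"}',
    '{"EventID":4625,"LogonType":3,"TargetUserName":"alice","WorkstationName":"WS01","IpAddress":"10.0.9.99"}',
    '{"EventID":4625,"LogonType":3,"TargetUserName":"alice","WorkstationName":"WS01","IpAddress":"10.0.9.99"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"alice","WorkstationName":"WS01","IpAddress":"10.0.9.99","AuthenticationPackageName":"NTLM"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"svc_backup_decoy","WorkstationName":"WS02","IpAddress":"10.0.1.21","AuthenticationPackageName":"NTLM"}',
    '{"EventID":4624,"LogonType":2,"TargetUserName":"bob","WorkstationName":"WS02","IpAddress":"127.0.0.1","AuthenticationPackageName":"Kerberos"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"carol","WorkstationName":"WS02","IpAddress":"-","AuthenticationPackageName":"NTLM"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"dave","WorkstationName":"LAPTOP-7","IpAddress":"10.0.5.7","AuthenticationPackageName":"NTLM"}',
]


def analyze(lines, inventory=INVENTORY, honeypots=HONEYPOT_ACCOUNTS):
    """Return one finding per suspicious network logon, with the reasons."""
    failures = Counter()   # source address -> 4625 count seen so far
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == 4625:
            failures[ip] += 1
            continue
        # Only network logons (type 3) can be the product of a relayed exchange.
        if ev["EventID"] != 4624 or ev.get("LogonType") != 3:
            continue
        user, ws = ev["TargetUserName"], ev.get("WorkstationName", "")
        reasons = []
        if user in honeypots:
            reasons.append("honeypot_account")
        if ip not in LOCAL_SOURCES:
            known = inventory.get(ws)
            if known is None:
                reasons.append("unknown_workstation")
            elif ip not in known:
                # The NTLM messages name the victim's workstation, but the TCP
                # peer that delivered them is the relaying host.
                reasons.append("ip_workstation_mismatch")
            if failures[ip] >= FAILURE_THRESHOLD:
                reasons.append("failures_then_success")
        if reasons:
            findings.append({"user": user, "workstation": ws, "ip": ip,
                             "package": ev.get("AuthenticationPackageName"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, it reports three logons: alice from 10.0.9.99 (wrong address for WS01, and the address had just failed twice), the decoy account, and a workstation name absent from the inventory. Logons with no network peer recorded and non-network logon types are left alone, which keeps interactive and local-system noise out of the result.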
Mitigating NTLM Relay Attacks
To mitigate the risks associated with NTLM Relay attacks, consider implementing the following strategies:
- Enable SMB Signing on all systems to prevent SMB Relay attacks.
- Implement LDAP signing and channel binding to protect against LDAP Relay attacks.
- Use Extended Protection for Authentication (EPA) on web servers to prevent HTTP-based relay attacks.
- Disable NTLM authentication where possible and use Kerberos instead.
- Implement the principle of least privilege to limit the impact of successful attacks.
- Use Network Access Control (NAC) solutions to prevent unauthorized devices from connecting to the network.
- Regularly patch and update systems to address known vulnerabilities.
- Implement strong network segmentation to limit the potential for lateral movement.
- Use multi-factor authentication (MFA) to add an extra layer of security.
- Educate users about the risks of connecting to untrusted networks and the importance of strong, unique passwords.
Command Examples for Mitigation
Here are some command examples to help implement mitigation strategies:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name RequireSecuritySignature -Value 1 -Force
Require SMB signing on the server side via PowerShell (Set-SmbServerConfiguration -RequireSecuritySignature $true does the same; the client-side setting lives under LanmanWorkstation\Parameters)
nltest /sc_reset:domain.com
Reset the secure channel between a machine and a domain controller in domain.com, for example after changing domain controller settings, so the machine re-establishes its channel; this command does not by itself enforce LDAP signing, which is configured on the domain controllers
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name LDAPServerIntegrity -Value 2
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name LdapEnforceChannelBinding -Value 2
Run on each domain controller (for example DC01): require LDAP signing (LDAPServerIntegrity 2) and always enforce LDAP channel binding (LdapEnforceChannelBinding 2); the same settings are available as the "Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements" Group Policy settings
Conclusion
NTLM Relay attacks remain a significant threat in Active Directory environments, allowing attackers to move laterally and escalate privileges with relative ease. By understanding how these attacks work, implementing robust detection mechanisms, and following best practices for mitigation, organizations can significantly reduce their exposure to this risk. Remember, security is an ongoing process, and staying informed about the latest attack techniques and defense strategies is crucial in maintaining a strong security posture against NTLM Relay and other advanced persistent threats.