--[ BIRDBOX: If You See It, It's Already Too Late
--[ presenter ]--[ George Sieretzki
--[ scheduled ]--[
$ getent passwd gsieretzki
.
├─ name: George Sieretzki
└── org: ARE CYBERCOM
Major George Sieretzki is an Army Intelligence officer assigned to ARE USCYBERCOM. In his civilian career, George is a penetration tester who over the last two decades has conducted hundreds of assessments for government and commercial customers. United Airlines once paid him 50,000 travel miles for a bug bounty, which he promptly had to pay taxes on but never used because he flies Southwest.
Did you know that as you sit working behind your MS Windows workstation, you may be unwittingly aiding an aggressor by sending them your credentials?! In this presentation we will introduce "forced authentication attacks", or "NTLM relay" attacks, in the MS Domain environment. We will look at a number of different types of triggers for these attacks, including BIRDBOX, ADIDNS, WPAD, DHCP, HTTP, EFSRPC, and maybe more. We will examine some common tools, example payloads, limitations, mitigations, and one or two live (fingers crossed) demos.