Why crack passwords when you can just relay?

NTLM relaying is the process of taking an NTLM authentication exchange that an attacker has captured or coerced and forwarding it to another machine, which then processes it as if the victim had authenticated directly. If successful, the technique circumvents even the strictest password policy or Privileged Access Management (PAM) solution. Relayed authentication can be used to establish a presence on a workstation, retrieve information about an Active Directory (AD) domain, or escalate privileges within that domain. The best part for an operator is that this can be done without ever knowing the user's clear-text password. This talk will be full of pre-recorded demonstrations, and will cover defensive tactics that can be implemented to prevent this attack. Demonstrations will show:

  • How to perform relaying with both Responder and mitm6
  • Using ntlmrelayx to relay those authentications to other hosts and domain controllers
  • Using an NTLM relay to perform further Active Directory reconnaissance with BloodHound
  • Using an NTLM relay to obtain DCSync privileges without ever touching a console
  • How SMB signing can be used to prevent everything above
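The last point above is the defensive hinge of the whole talk: a relay to SMB only works when the target does not require signing, because the relaying attacker never learns the session key needed to sign traffic. Relay tools decide this by reading the SecurityMode field of the server's SMB2 NEGOTIATE response, which is the same check a defender can run to find unsigned hosts. The following is an added example, not code from the talk or from Responder, mitm6 or ntlmrelayx; it parses that field from raw bytes. The packets it inspects are constructed inline (no network access), and the `smb_relay_target` verdict is a deliberately simplified assumption that considers only SMB signing.

```python
import struct

# SMB2 constants from [MS-SMB2]: header magic, NEGOTIATE command, and the
# two SecurityMode bits that matter for relaying.
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server response
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002


def strip_netbios(data):
    """Remove the 4-byte NetBIOS session header used on TCP/445, if present."""
    if len(data) >= 4 and data[0] == 0 and int.from_bytes(data[1:4], "big") == len(data) - 4:
        return data[4:]
    return data


def parse_negotiate_response(data):
    """Return dialect and signing flags from a server SMB2 NEGOTIATE response."""
    msg = strip_netbios(data)
    if len(msg) < SMB2_HEADER_LEN + 6 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header after the magic: StructureSize, CreditCharge, Status, Command,
    # CreditResponse, Flags (little-endian, no padding).
    struct_size, _credit_charge, _status, command, _credits, flags = struct.unpack_from("<HHIHHI", msg, 4)
    if struct_size != 64 or command != SMB2_NEGOTIATE or not (flags & SMB2_FLAGS_SERVER_TO_REDIR):
        raise ValueError("not a server NEGOTIATE response")
    # Response body: StructureSize (always 65), SecurityMode, DialectRevision.
    body_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def smb_relay_target(info):
    """Simplified verdict (assumption): an SMB relay is viable only when the
    server does not require signing. Real tools also consider the dialect
    and the protocol being relayed to (LDAP signing, EPA, etc.)."""
    return not info["signing_required"]


def build_negotiate_response(security_mode, dialect=0x0311):
    """Construct a minimal SMB2 NEGOTIATE response (test data, not captured traffic)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x11" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0,
    ) + b"\x00"   # one-byte security buffer
    payload = header + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload   # NetBIOS framing


if __name__ == "__main__":
    # Constructed samples: a workstation/member server with the historical
    # default (signing enabled but not required) and a domain controller,
    # which requires signing by default.
    samples = {
        "WORKSTATION01": build_negotiate_response(SIGNING_ENABLED),
        "DC01": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
    }
    for host, pkt in samples.items():
        info = parse_negotiate_response(pkt)
        verdict = "RELAYABLE" if smb_relay_target(info) else "protected by SMB signing"
        print(f"{host}: dialect=0x{info['dialect']:04x} "
              f"required={info['signing_required']} -> {verdict}")
```

The same SecurityMode bits are what ntlmrelayx and scanners such as CrackMapExec report as "signing:False/True"; a host that answers with SIGNING_REQUIRED set drops off the relay target list. The fix the talk points at is to make every host answer that way, which the "Microsoft network server: Digitally sign communications (always)" policy (registry value RequireSecuritySignature under LanmanServer\Parameters) enforces.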

Octavio has presented at several local conferences on penetration testing techniques and PowerShell, and has offered training at BSides and DFIR conferences. Octavio used to be part of the operator training pipeline in the Annapolis Junction area.