NTLM Relay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
This article is not meant to be a tutorial to be followed in order to carry out a successful attack, but it will allow the reader to understand in detail the technical details of this attack, its limitations, and can be a basis to start developing his own tools, or understand how current tools work.
https://en.hackndo.com/ntlm-relay/
#ad #relay #ntlm #ntlmrelay
hackndo
NTLM Relay
NTLM relay is a technique of standing between a client and a server to perform actions on the server while impersonating the client. Protections such as SMB signing or MIC allow to limit the actions of an attacker. This article goes into detail about this…
APT
KrbRelay with RBCD Privilege Escalation The short step-by-step writeup about how to do the LPE with KrbRelay + RBCD on a domain-joined machine using KrbRelay + Rubeus: https://gist.github.com/tothi/bf6c59d6de5d0c9710f23dae5750c4b9 #ad #kerberos #relay #rbcd…
NTLMRelay2Self over HTTP
Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.
https://github.com/med0x2e/NTLMRelay2Self
#ad #ntlm #relay #rbcd #redteam
Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured to relay to DC servers over LDAP/LDAPs for either setting shadow credentials or configuring RBCD.
https://github.com/med0x2e/NTLMRelay2Self
#ad #ntlm #relay #rbcd #redteam
GitHub
GitHub - med0x2e/NTLMRelay2Self: An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav). - med0x2e/NTLMRelay2Self
👍4
APT
NTLMRelay2Self over HTTP Just a walkthrough of how to escalate privileges locally by forcing the system you landed initial access on to reflectively authenticate over HTTP to itself and forward the received connection to an HTTP listener (ntlmrelayx) configured…
🛡️Defending the Three Headed Relay
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
This blog discusses possible attack paths and various protections associated with Kerberos Relay activity.
https://jsecurity101.medium.com/defending-the-three-headed-relay-17e1d6b6a339
#ad #kerberos #relay #mitigation #blueteam
APT
📜 Abuse AD CS via dNSHostName Spoofing This blog covers the technical details of CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName Spoofing. https://research.ifcr.dk/certifried-active-directory-domain…
🛠 DNSHostName Spoofing combined with KrbRelayUp
Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#ad #adcs #privesc #ldap #relay #redteam
Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#ad #adcs #privesc #ldap #relay #redteam
Gist
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts - certifried_with_krbrelayup.md
🔥4
APT
KrbRelayUp Universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) https://github.com/Dec0ne/KrbRelayUp #ad #privesc #kerberos #ldap #relay
⚙️ No-Fix LPE Using KrbRelay with Shadow Credentials
This article will explain how to separate the shadow credential method that KrbRelayUp uses into multiple different steps, giving you a bit more control regarding how each piece executes. For example, we can reflectively load some pieces, and execute others normally
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
#ad #privesc #kerberos #relay
This article will explain how to separate the shadow credential method that KrbRelayUp uses into multiple different steps, giving you a bit more control regarding how each piece executes. For example, we can reflectively load some pieces, and execute others normally
https://icyguider.github.io/2022/05/19/NoFix-LPE-Using-KrbRelay-With-Shadow-Credentials.html
#ad #privesc #kerberos #relay
🔥4👍1
📡 Relaying to ADFS Attacks
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian has developed and is releasing an open source tool ADFSRelay and NTLMParse, which can be used for performing relaying attacks targeting ADFS and analyzing NTLM messages respectively.
https://www.praetorian.com/blog/relaying-to-adfs-attacks/
#ad #adfs #relay #ntlm
Praetorian
Relaying to ADFS Attacks
Overview During red team engagements over the last few years, I’ve been curious whether it would be possible to authenticate to cloud services such as Office365 via a relay from New Technology Lan Manager (NTLM) to Active Directory Federation Services (ADFS).…
❤🔥5🔥1
📡 NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack
This article discusses the NTLM specifications to better understand how various aspects of the NTLM protocol function. As well as bypassing the SMB signature, relaying SMB to LDAP, and relaying NTLMv1 authentication attempts to the ADFS service.
https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/
#ad #ntlm #smb #relay
This article discusses the NTLM specifications to better understand how various aspects of the NTLM protocol function. As well as bypassing the SMB signature, relaying SMB to LDAP, and relaying NTLMv1 authentication attempts to the ADFS service.
https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/
#ad #ntlm #smb #relay
👍8
Forwarded from Волосатый бублик
#ad #relay #webdav #ldap
[ DavRelayUp ]
https://github.com/Dec0ne/DavRelayUp
[ DavRelayUp ]
A port of #KrbRelayUp with modifications to allow for NTLM relay from WebDAV to LDAP and abuse #RBCD in order achieve #LPE in domain-joined windows workstations where LDAP signing is not enforced.Thanks to: Руслан
https://github.com/Dec0ne/DavRelayUp
❤5🔥1
🪄 Red Wizard
This tool automates the deployment of a comprehensive infrastructure with redirectors, backend systems, phishing relays, OSINT machines, and more. It is designed to be user-friendly, providing wizards to walk administrators and Red Team operators through the deployment process. The infrastructure is also self-documenting, making the sharing of all relevant details to the team of operators an effortless task.
🌐 Details:
https://www.secura.com/blog/red-wizard-1
#redteam #relay #infrastructure #phishing
This tool automates the deployment of a comprehensive infrastructure with redirectors, backend systems, phishing relays, OSINT machines, and more. It is designed to be user-friendly, providing wizards to walk administrators and Red Team operators through the deployment process. The infrastructure is also self-documenting, making the sharing of all relevant details to the team of operators an effortless task.
🌐 Details:
https://www.secura.com/blog/red-wizard-1
#redteam #relay #infrastructure #phishing
🔥5
This media is not supported in your browser
VIEW IN TELEGRAM
🔄 Active Directory GPOs through NTLM relaying, and more!
Learn about a attack vector that exploits GPOs through NTLM relaying, potentially allowing unauthenticated attackers to abuse.
🌐 Source:
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
#ad #gpo #relay #ntlm
Learn about a attack vector that exploits GPOs through NTLM relaying, potentially allowing unauthenticated attackers to abuse.
🌐 Source:
https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more
#ad #gpo #relay #ntlm
🔥10👍3
🔑 Three-Headed Potato Dog: NTLM and Kerberos Coercion
New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.
🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/
🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py
#ad #windows #dcom #relay #potato
New research demonstrates how DCOM can coerce Windows systems to authenticate remotely, allowing attackers to relay NTLM or Kerberos authentication to AD CS over HTTP. This enables remote and cross-session authentication relay attacks, targeting both machine and user accounts.
🔗 Research:
https://blog.compass-security.com/2024/09/three-headed-potato-dog/
🔗 Source:
https://github.com/sploutchy/impacket/blob/potato/examples/potato.py
#ad #windows #dcom #relay #potato
❤13👍3
A new vulnerability related to capturing NTLMv2 hashes via Office URI schemes has been discovered. The http:// protocol can be used for attacks such as NTLM relay to a Domain Controller.
Microsoft 365 and Office 2019 versions are vulnerable, as they open remote files without warnings, unlike earlier versions. The exploit involves using a 302 redirect and abusing GPO misconfigurations to capture NTLMv2 hashes over SMB and HTTP.
🔗 Source:
https://github.com/passtheticket/CVE-2024-38200
#windows #office #ntlm #relay
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - passtheticket/CVE-2024-38200: CVE-2024-38200 & CVE-2024-43609 - Microsoft Office NTLMv2 Disclosure Vulnerability
CVE-2024-38200 & CVE-2024-43609 - Microsoft Office NTLMv2 Disclosure Vulnerability - passtheticket/CVE-2024-38200
🔥7👍2❤1
🔔Call and Register — Relay Attack on WinReg RPC Client
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
1🔥9👍6❤2
Forwarded from Ralf Hacker Channel (Ralf Hacker)
NTLM релей в WinRMS, не ждали? А вот...
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
Blog: https://sensepost.com/blog/2025/is-tls-more-secure-the-winrms-case./
Soft: https://github.com/fortra/impacket/pull/1947
#pentest #redteam #relay #ad #lateralmovement
🔥11❤3👍3😁1
Forwarded from Ralf Hacker Channel (Ralf Hacker)
CVE-2025-33073: Reflective Kerberos Relay (LPE)
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
Blog: https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/
Patched: June 10, 2025
Интересная LPE с релеем на себя... Даже CVE есть)
#lpe #ad #relay #pentest #redteam
RedTeam Pentesting - Blog
A Look in the Mirror - The Reflective Kerberos Relay Attack
It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …
❤8🔥4👍2