Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest NTLM Relay Mitigations

Conference:  Defcon 27



Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols – NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites. Although there are offered mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible. If it weren’t bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables to perform NTLM Relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will present why the risks of this protocol are not limited to the boundaries of the on-premises environment and show another vulnerability which allows to bypass various AD-FS restrictions in order to take over cloud resources as well.