AppSecEU08 NTLM Relay Attacks

NTLM Relay Attacks

NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share.

But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Auth.

In the simplest scenario, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access arbitrary network resources as the victim.

Although people have been exploiting this problem for seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources until now.

In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks. The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.

About the Speaker: Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis, vulnerability assessment, and penetration testing of network applications and systems. He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team. As a senior member of the ACE team, he led efforts such as application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. Also during this time, he wrote the feature article for the August 2004 issue of asp.net PRO Magazine on the subject of the attack technique that has since become known as Cross-Site Request Forgery.

In 2005, Eric left Microsoft to pursue an independent career as a security consultant providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.