How We Bypassed All NTLM Relay Mitigations — And How To Ensure You’re Protected
Active Directory has always been a popular target for attackers — and one of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols, NTLM. From CVE-2015-0005 to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of attackers’ favorites. Although there are mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible.
In an encore presentation of one of Black Hat 2019’s and DEFCON27’s most popular talks, members of our research team will:
- Alert you to several new ways to abuse NTLM, including a critical zero-day vulnerability we have discovered which enables attackers to perform NTLM Relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today’s offered mitigations.
- Tell you why the risks of this protocol are not limited to the boundaries of the on-premises environment, and show another vulnerability which allows attackers to bypass various AD-FS restrictions in order to take over cloud resources as well.