NTLM Relay Is Dead, Long Live NTLM Relay

Explore the intricacies of NTLM Relay attacks in this 48-minute conference talk from the Hack In The Box Security Conference. Delve into the fundamentals of NTLM, including its message structure and protocols. Examine various attack techniques such as SMB Reflect Attack and Hot Potato. Investigate how NTLM Relay affects modern browsers, focusing on NTLMSSP over HTTP and Intranet Zone settings. Analyze the implementation differences between Windows 7 and Windows 10, and discover new attack surfaces in Chrome. Learn about the resurgence of SMB Reflection Attacks and understand Java's role in NTLM authentication. Gain insights into real-world cases and effective defense strategies against NTLM Relay attacks.

Intro
Speaker Bio
Abstract
What is NTLM
message (negotiation)
message (challenge)
message (authentication)
Protocols using NTLMSSP
Windows Name Resolution
SMB Reflect Attack
Hot Potato (win7)
Relay to another machine
Relay credentials to Microsoft Exchange Server
Modern Browsers
NTLMSSP over http
Intranet Zone
Internet Explorer API
What is Policy and Zone ?
Feature on WIN7 and WIN10 • write a simple program for testing
Implementation in the browser
Another attack surface in Chrome
SMB Reflection Attack Rebirth
When can Java send HTTP request?
Why Java can automatically NTLM authentication?
How to reflect the credentials to SMB?
A real-world case
How to defend against NTLM Relay?
Acknowledgement