Redbot Security

Offensive Security: Understanding NTLM Relaying Attack

Active Directory CS NTLM Relaying Attack

NTLM relay attacks exploit vulnerabilities in the NTLM authentication protocol, allowing attackers to impersonate users and gain unauthorized access to network resources. This article delves into the attack methodology, real-world implications, and provides actionable mitigation strategies to safeguard your Active Directory environment.

This article explains the NTLM relaying attack against AD CS and how to prevent it.

AD CS can become a relay target

Certificate enrollment services combined with NTLM authentication can create a path to certificate abuse and domain compromise.

PetitPotam raises the stakes

Attackers can coerce a domain controller account to authenticate and then relay that authentication to a certificate authority.

Certificate abuse can become domain compromise

Once a certificate for a domain controller machine account is obtained, attackers can move toward TGT requests and broader domain takeover activity.

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. PKI is a technology used to manage digital certificates and public-private key pairs to secure communication, authenticate users, and ensure the integrity of data.

Active Directory Certificate Services (AD CS) also presents a range of security risks for organizations: mismanaged certificates that disrupt communication, compromised keys that lead to unauthorized access and decryption of data, vulnerabilities arising from weak encryption configurations, man-in-the-middle attacks that exploit the certificate issuance process, unauthorized users abusing lax access controls to make malicious certificate requests, insecure certificate templates, credential theft from compromised components, denial-of-service attacks that hamper certificate services, and misconfigured permissions that permit unauthorized access.


What is an NTLM relay attack?

An NTLM relay attack is a type of man-in-the-middle exploit where an attacker intercepts and forwards NTLM authentication messages between a client and server. By relaying these messages, the attacker can impersonate the client, gaining unauthorized access to network services and resources without needing the user’s credentials.

Exploiting the Vulnerability

The attack shown below uses the man-in-the-middle component and chains in another vulnerability known publicly as “PetitPotam”. PetitPotam is a security flaw that affects Windows systems leveraging the Microsoft Windows RPCSS service. Exploiting it involves coercing the system into initiating a remote NTLM authentication exchange to a target of the attacker’s choosing.

By combining these techniques, an attacker can coerce a domain controller account to authenticate to their machine and then relay that authentication to an identified certificate authority. If the certificate authority has web enrollment services enabled, the attacker in turn receives a certificate for the domain controller’s machine account.

Attack Path

As shown below in Figure 1, the attack starts by obtaining access to a domain credential, followed by identifying a certificate authority that runs web enrollment services. ntlmrelayx is then started, pointed at the certificate authority with the “DomainController” template and the “adcs” flag.

Figure 1

With ntlmrelayx waiting for a machine to authenticate to it, PetitPotam is launched using the compromised credential, which in this case is “testmctesty”. The attack is successful (Figure 2).

Figure 2

Back in ntlmrelayx we now see a Base64-encoded certificate for the domain controller’s machine account (Figure 3).

Figure 3

We decode the Base64 certificate and save it as a private key file. Using this newly acquired private key, we request a TGT. A TGT, issued by Kerberos on successful authentication, lets us request further tickets known as service tickets; those grant access to particular resources or services without the user having to supply credentials again (Figure 4).

Figure 4

With the TGT in hand we search the domain for a privileged account. With a target account chosen, we request a service ticket that is valid on the host for which we obtained the certificate (Figure 5).

Figure 5

Having obtained a certificate for the host, which happens to be a domain controller, we have the means to compromise the entire domain. From there we can go on to obtain the domain’s NTDS.dit file, which centrally stores the NTLM password hashes for every account in the domain (Figure 6).

Figure 6
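The attack path above leaves footprints in standard Windows Security auditing, and the following Python is an added example of correlating them; it is not code from the article, Impacket, PetitPotam or PKINITtools. It assumes events arrive as dicts from a SIEM with field names modelled on the Windows event schema for 4624 (logon), 4887 (certificate issued) and 4768 (TGT requested), a constructed inventory mapping machine accounts to their own addresses, and made-up hostnames (DC01, CA01), addresses, times and request IDs. Two things distinguish the chain from normal operation: a domain controller’s machine account authenticating to the CA host over NTLM from an address that is not the DC’s, and a PKINIT-based TGT request for that same account from that address shortly after the CA issued it a DomainController-template certificate.

```python
"""Detection for the NTLM relay -> AD CS -> PKINIT chain walked through above.

Added example, not code from the article or from the tools it names. Events are
constructed dicts shaped like Windows Security events forwarded to a SIEM; field
names follow the event XML (TargetUserName, IpAddress, AuthenticationPackageName,
PreAuthType, CertSerialNumber, ...), while hosts, addresses, times and request
IDs are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed inventory: addresses each machine account legitimately authenticates
# from (a real deployment would feed this from DNS/DHCP/CMDB).
KNOWN_HOST_ADDRESSES: Dict[str, set] = {"DC01$": {"10.0.0.10"}, "CA01$": {"10.0.0.20"}}
# Templates issued to domain controllers; a cert from one lets the holder PKINIT as that DC.
DC_TEMPLATES = {"DomainController", "DomainControllerAuthentication", "KerberosAuthentication"}
PKINIT_PREAUTH = {16, 17}  # 4768 PreAuthType: PA-PK-AS-REQ / PA-PK-AS-REP


@dataclass
class Alert:
    rule: str
    account: str
    source_ip: str
    detail: str
    ca_request_id: Optional[str] = None


def normalize_ip(ip: str) -> str:
    """4768 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.startswith("::ffff:") else ip

def short_account(name: str) -> str:
    """'CORP\\DC01$' -> 'DC01$'; 4887 carries a domain-qualified requester."""
    return name.rsplit("\\", 1)[-1]

def template_from_attributes(attributes: str) -> Optional[str]:
    """Pull the requested template out of the 4887 'Attributes' text."""
    for line in attributes.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "CertificateTemplate":
            return value.strip()
    return None

def unexpected_source(account: str, ip: str) -> bool:
    """True when a known machine account shows up from an address that is not its own.
    Accounts missing from the inventory get no verdict, to keep the rule quiet."""
    known = KNOWN_HOST_ADDRESSES.get(account)
    return account.endswith("$") and known is not None and ip not in known

def detect_relay_to_adcs(events: List[dict], window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Alert on the chain's two footprints: a machine account's relayed NTLM logon on
    the CA host, and a PKINIT TGT request for that account from a foreign address,
    linked to a DC-template certificate the CA issued to it within `window`."""
    alerts: List[Alert] = []
    issued: Dict[str, Tuple[datetime, str]] = {}  # account -> (issue time, CA request id)
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid = e["EventID"]
        if eid == 4624 and e.get("LogonType") == 3 and e.get("AuthenticationPackageName") == "NTLM":
            acct, ip = e["TargetUserName"], normalize_ip(e["IpAddress"])
            if unexpected_source(acct, ip):
                alerts.append(Alert("ntlm_machine_logon_unexpected_source", acct, ip,
                                    f"NTLM network logon on {e['Computer']} by {acct} from {ip}"))
        elif eid == 4887:
            acct = short_account(e["Requester"])
            if acct.endswith("$") and template_from_attributes(e.get("Attributes", "")) in DC_TEMPLATES:
                issued[acct] = (e["time"], e["RequestId"])
        elif eid == 4768 and (e.get("CertSerialNumber") or e.get("PreAuthType") in PKINIT_PREAUTH):
            acct, ip = e["TargetUserName"], normalize_ip(e["IpAddress"])
            if unexpected_source(acct, ip):
                req_id, detail = None, f"PKINIT TGT for {acct} requested from {ip}"
                if acct in issued and e["time"] - issued[acct][0] <= window:
                    req_id = issued[acct][1]
                    detail += f"; CA request {req_id} issued a DC-template cert to {acct} just before"
                alerts.append(Alert("pkinit_tgt_unexpected_source", acct, ip, detail, req_id))
    return alerts


T0 = datetime(2024, 1, 15, 9, 30, 0)  # constructed timeline
SAMPLE_EVENTS = [
    # Benign: DC01 reaching the CA over Kerberos from its own address.
    {"time": T0 - timedelta(hours=1), "EventID": 4624, "Computer": "CA01.corp.local", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "DC01$", "IpAddress": "10.0.0.10"},
    # Relay footprint: DC01$ logs on to the CA over NTLM from 10.0.0.77, the relay host.
    {"time": T0, "EventID": 4624, "Computer": "CA01.corp.local", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "DC01$", "IpAddress": "10.0.0.77"},
    # The CA issues a DomainController-template certificate to DC01$ seconds later.
    {"time": T0 + timedelta(seconds=2), "EventID": 4887, "Computer": "CA01.corp.local", "RequestId": "1042",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    # Benign: a user's password-based TGT request carrying no certificate fields.
    {"time": T0 + timedelta(seconds=30), "EventID": 4768, "Computer": "DC01.corp.local", "PreAuthType": 2,
     "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.55", "CertSerialNumber": ""},
    # PKINIT TGT request as DC01$ from the relay host, using the freshly issued certificate.
    {"time": T0 + timedelta(seconds=60), "EventID": 4768, "Computer": "DC01.corp.local", "PreAuthType": 16,
     "TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.77", "CertSerialNumber": "1a0000000b"},
]

if __name__ == "__main__":
    for alert in detect_relay_to_adcs(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Running the module prints one line per alert for the constructed events. Inventory quality drives the false-positive rate: unexpected_source deliberately stays silent for machine accounts it has no addresses for, so populate the inventory from DNS or the CMDB rather than by hand. The events only exist if auditing is on: Kerberos Authentication Service auditing on the domain controllers for 4768, and Certification Services auditing (together with the CA’s AuditFilter) on the CA for 4886/4887.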

AD CS + NTLM Relay Attack Summary

Factors that make an Active Directory (AD) environment susceptible to an AD CS + NTLM relay attack are:

AD CS is configured to allow NTLM authentication
NTLM authentication is not protected by Extended Protection for Authentication (EPA) or SMB signing
AD CS is running either Certificate Authority Web Enrollment or Certificate Enrollment Web Service

Recommendations

Disable NTLM authentication on Windows domain controllers.
Disable NTLM on any AD CS servers in your domain.
Disable NTLM for Internet Information Services (IIS) on AD CS servers in your domain that run the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
Disable the “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service” services.
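The first susceptibility factor and the IIS-related recommendations above are visible in the IIS configuration of the Certificate Authority Web Enrollment virtual directory. The following Python is an added example, not from the article or from Microsoft, that audits an applicationHost.config export for the three weak settings: an NTLM entry in the Windows authentication provider list, Extended Protection not set to Require, and SSL not required. The XML structure follows the real applicationHost.config schema; the two embedded snippets (a weak one and a hardened one) are constructed, and "Default Web Site/CertSrv" is assumed to be where web enrollment is installed.

```python
"""Audit the IIS configuration behind the susceptibility factors and recommendations above.

Added example, not from the article. The XML follows the IIS applicationHost.config
schema (location/path, windowsAuthentication, providers, extendedProtection,
access/sslFlags); the two snippets are constructed, one weak and one hardened, and
"Default Web Site/CertSrv" is the assumed location of Certificate Authority Web Enrollment.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

CERTSRV_PATH = "Default Web Site/CertSrv"  # assumption: default virtual directory for CA Web Enrollment

WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
            <extendedProtection tokenChecking="None" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Same location with NTLM removed from the provider list, EPA required and TLS required.
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
            </providers>
            <extendedProtection tokenChecking="Require" />
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def find_location(root: ET.Element, path: str) -> Optional[ET.Element]:
    """Return the <location> element whose path attribute matches, if any."""
    return next((loc for loc in root.iter("location") if loc.get("path") == path), None)


def audit_certsrv(config_xml: str, path: str = CERTSRV_PATH) -> List[str]:
    """Return one finding per weak setting on the CertSrv location; [] means hardened."""
    root = ET.fromstring(config_xml)
    loc = find_location(root, path)
    if loc is None:
        return [f"no <location> for {path}: web enrollment not configured here, check other sites"]
    findings: List[str] = []
    win = loc.find(".//windowsAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        return findings  # no Windows authentication on the endpoint, nothing to relay against
    providers_el = win.find("providers")
    # IIS applies its default provider list (Negotiate, NTLM) when none is declared.
    providers = (["Negotiate", "NTLM"] if providers_el is None
                 else [a.get("value", "") for a in providers_el.findall("add")])
    if "NTLM" in providers:
        findings.append("NTLM is an enabled Windows auth provider on CertSrv: remove it, keep Negotiate")
    ep = win.find("extendedProtection")
    checking = ep.get("tokenChecking", "None") if ep is not None else "None"
    if checking != "Require":
        findings.append(f"extendedProtection tokenChecking={checking}: set Require so EPA binds auth to the TLS channel")
    access = loc.find(".//access")
    flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in [f.strip() for f in flags.split(",")]:
        findings.append(f"sslFlags={flags}: require SSL, EPA channel binding only works over TLS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_certsrv(cfg) or ['no findings']}")
```

Removing the NTLM provider on its own is not a complete fix: the Negotiate provider still falls back to NTLM when Kerberos cannot be used, which is why the recommendations also restrict NTLM at the policy level and why EPA together with required SSL matters. With tokenChecking set to Require, the server rejects an NTLM authentication whose channel binding does not match the TLS session it arrived over, something a relayed authentication generally cannot provide.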

Need help validating whether your Active Directory environment is vulnerable to NTLM relay abuse?

Redbot Security helps organizations assess AD CS exposure, certificate-service risk, and attack paths that can turn NTLM relaying into domain compromise.

References

  1. KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
  2. Worst of Both Worlds: NTLM Relaying and Kerberos Delegation
  3. NTLM Relaying to AD Certificate Services
  4. PetitPotam
  5. PKINITtools
  6. Impacket