NTLM Relaying: From SMBRelay to Modern Mitigations

  • medeis
  • Thursday, Oct 19, 2023

NTLM (NT LAN Manager) is a cornerstone of Microsoft’s authentication suite, yet it has had its share of weaknesses over the years. One of the most infamous is the NTLM relay attack. Let’s dive into its history, its evolution, and how it is being handled today.

The Dawn: Sir Distic and SMBRelay

Back in the late 1990s, a hacker named Sir Dystic introduced the world to a tool called SMBRelay. It targeted Windows machines by capturing NTLM authentication exchanges and relaying them to another host. In essence, it was like taking someone’s “authentication ticket” and presenting it elsewhere, all without their knowledge. This was the first major public demonstration of NTLM’s weakness to relaying, and it set the stage for the countermeasures that followed.

The Basics of NTLM Relaying

To get a grip on NTLM relaying, let’s first understand some networking basics.

Every time a device on a network wants to communicate with another, it starts a session, somewhat like starting a conversation in the real world. NTLM (NT LAN Manager) is one way for a device to introduce itself in that digital conversation.

[Figure: NTLM Handshake]

Think of NTLM as a digital handshake where Device A says, “Hello, I’m A”, and Device B replies, “I recognize you, A. Let’s talk.”

Now, what if, during this digital handshake, an eavesdropper (let’s call him ‘E’) steps in? E takes A’s greeting and uses it to introduce himself, as A, to a completely different device, Device C.

[Figure: NTLM Relaying Scenario]

This deception is the essence of NTLM relaying. E never needs to learn A’s password or other secrets; by hijacking A’s introduction he can gain unauthorized access to C, while C believes it is talking to A. It is a digital masquerade, and it can lead to unintended access and data leaks.

[Figure: NTLM Relaying details]

Evolution of the Attack

Over the years, the attack has evolved. The most notable change is the shift from SMB (Server Message Block) to other protocols such as HTTP. Attackers adapted to different environments and targeted newer services, so defenses built only for the original SMB-to-SMB case no longer sufficed.

The Implications of SMB Signing

SMB Signing is a strong mitigation against NTLM relay attacks, but it is not a silver bullet. It ensures that each SMB packet was produced by the party that actually holds the session key and has not been tampered with in transit, which a relaying attacker cannot satisfy. However, there’s a twist.

[Figure: NTLM Relaying with SMB Signing]

An attacker who intercepts these packets can no longer relay them usefully, but can still capture and analyze the challenge-response exchange. If weak passwords are in use, the attacker can attempt to crack them offline. In short, SMB Signing stops the relay but turns the captured traffic into a potential venue for password cracking.

Today’s Mitigations

Modern defenses against NTLM relaying are multi-fold:

  1. SMB Signing: By mandating SMB signing, relay attacks become ineffective, because a relayed session cannot produce valid signatures and tampering is detected.
  2. Account Restrictions: Accounts with delegated privileges are kept from performing NTLM authentication over the network, minimizing their exposure.
  3. Blocking NTLM: Some organizations opt to block NTLM altogether and rely on more secure methods.
  4. Kerberos: As the successor to NTLM, Kerberos offers mutual authentication, meaning both client and server prove their identities to each other. This mutual authentication makes relay attacks considerably more difficult.
  5. Enhanced Protection for Authentication (EPA): This binds the authentication to the originally intended server, so relayed credentials are not accepted anywhere else.
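To make the handshake, the relay scenario with E between A and C, and the two protocol-level mitigations from the list above (SMB signing, item 1, and EPA channel binding, item 5) concrete, here is a small Python model. It is an added example written for this article; it is not code from the original post, from SMBRelay, or from any real NTLM implementation. It deliberately simplifies the cryptography: SHA-256 of the password stands in for the NT hash and HMAC-SHA256 for HMAC-MD5, and the host names, user name, password and command are all constructed. What it preserves is the property the whole argument rests on: both the proof sent in the handshake and the session key used for signing are derived from A’s secret, which E never sees.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Simplified stand-in for NTLM challenge-response (NOT the MS-NLMP algorithm):
# SHA-256 replaces the MD4-based NT hash and HMAC-SHA256 replaces HMAC-MD5.
# Shape preserved: proof = f(secret, challenge[, target]); key = g(secret, proof).

def nt_secret(password: str) -> bytes:
    """Long-term key derived from the password (stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(secret: bytes, challenge: bytes, bound_target: str) -> Tuple[bytes, bytes]:
    """Answer a challenge. With EPA the target name the client believes it is
    talking to is mixed into the proof; without EPA bound_target is ""."""
    proof = hmac.new(secret, challenge + bound_target.encode(), hashlib.sha256).digest()
    session_key = hmac.new(secret, proof, hashlib.sha256).digest()
    return proof, session_key

class Client:
    """Device A."""
    def __init__(self, user: str, password: str, epa: bool):
        self.user, self.secret, self.epa = user, nt_secret(password), epa

    def respond(self, challenge: bytes, connected_to: str) -> Tuple[bytes, bytes]:
        return compute_response(self.secret, challenge, connected_to if self.epa else "")

class Server:
    """Device C. Holds users' secrets directly (a real server asks the DC)."""
    def __init__(self, name: str, users: Dict[str, bytes], require_signing: bool, epa: bool):
        self.name, self.users = name, users
        self.require_signing, self.epa = require_signing, epa
        self.outstanding = set()                 # issued challenges, single-use
        self.sessions: Dict[bytes, bytes] = {}   # session id -> session key

    def new_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def authenticate(self, user: str, challenge: bytes, proof: bytes) -> Optional[bytes]:
        """Return a session id if the proof matches, else None."""
        if challenge not in self.outstanding or user not in self.users:
            return None
        self.outstanding.discard(challenge)
        expected, key = compute_response(self.users[user], challenge, self.name if self.epa else "")
        if not hmac.compare_digest(expected, proof):
            return None
        sid = os.urandom(4)
        self.sessions[sid] = key
        return sid

    def execute(self, sid: bytes, command: bytes, signature: Optional[bytes]) -> bool:
        """Run a command on an authenticated session; with signing required,
        the command must carry a MAC computed with the session key."""
        key = self.sessions.get(sid)
        if key is None:
            return False
        if self.require_signing:
            if signature is None:
                return False
            return hmac.compare_digest(hmac.new(key, command, hashlib.sha256).digest(), signature)
        return True

COMMAND = b"LIST \\\\fileserver-c\\finance"   # constructed sample request
PASSWORD = "Autumn2023!"                      # constructed sample password

def legitimate_scenario(require_signing: bool, epa: bool) -> bool:
    """A talks to C directly; this must succeed under every setting."""
    c = Server("fileserver-c", {"alice": nt_secret(PASSWORD)}, require_signing, epa)
    alice = Client("alice", PASSWORD, epa)
    challenge = c.new_challenge()
    proof, key = alice.respond(challenge, connected_to="fileserver-c")
    sid = c.authenticate("alice", challenge, proof)
    if sid is None:
        return False
    return c.execute(sid, COMMAND, hmac.new(key, COMMAND, hashlib.sha256).digest())

def relay_scenario(require_signing: bool, epa: bool) -> str:
    """E sits between A and C, forwarding messages it cannot produce itself."""
    c = Server("fileserver-c", {"alice": nt_secret(PASSWORD)}, require_signing, epa)
    alice = Client("alice", PASSWORD, epa)
    # 1. Alice connects to E, believing it is a legitimate host ("rogue-host-e").
    # 2. E opens its own connection to C and obtains C's challenge.
    challenge = c.new_challenge()
    # 3. E hands C's challenge to Alice as if it were its own; Alice answers it.
    proof, _alice_key = alice.respond(challenge, connected_to="rogue-host-e")
    # 4. E forwards Alice's proof to C.
    sid = c.authenticate("alice", challenge, proof)
    if sid is None:
        return "rejected at authentication (channel binding mismatch)"
    # 5. E is now logged in as Alice but never learned her secret, so it has
    #    no session key and can only send the command unsigned.
    if c.execute(sid, COMMAND, signature=None):
        return "relay succeeded"
    return "rejected at signing (no session key)"

if __name__ == "__main__":
    for signing in (False, True):
        for epa in (False, True):
            print(f"signing={signing!s:5} epa={epa!s:5} "
                  f"legit={legitimate_scenario(signing, epa)} relay: {relay_scenario(signing, epa)}")
```

Running it prints the four combinations: with neither mitigation the relay succeeds; with signing only, C accepts the relayed handshake but rejects E’s first unsigned request; with EPA, C rejects the handshake itself because Alice’s proof was bound to the name she connected to. The legitimate path succeeds in every case, which is the point of the mitigations: they cost the real client nothing, because it holds the secret from which the session key and the bound proof are derived.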

But the most effective defense? Awareness. Knowing the risks, staying up to date on the latest threat vectors, and employing best practices can keep your systems safe.

Why Should You Care?

NTLM relaying isn’t just an IT headache; it’s a business risk. Unauthorized access could mean data theft, business disruption, or worse. If you’re concerned about the security posture of your organization, consider a professional penetration test. A pen-test can uncover hidden vulnerabilities and provide actionable insights to bolster security.

Need a penetration test? We’re experts in uncovering vulnerabilities and ensuring your defenses are rock solid. Contact us for top-notch services.

From SMBRelay’s inception to today’s sophisticated defenses, NTLM relaying has been a captivating topic in the security realm. Stay vigilant, stay informed, and always prioritize your digital safety.