We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Relaying Credentials has Never Been Easier: How to easily bypass the latest NTLM Relay Mitigations

30
 Zitieren
 Teilen
 Herunterladen
 Bestellen
Kein Logo verfügbarDEF CON
 Simakov, Marina Zinar, Yaron

Formale Metadaten

Titel
Relaying Credentials has Never Been Easier: How to easily bypass the latest NTLM Relay Mitigations
Serientitel
Anzahl der Teile
335
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols – NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites. Although there are offered mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible. If it weren’t bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables to perform NTLM Relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will present why the risks of this protocol are not limited to the boundaries of the on-premises environment and show another vulnerability which allows to bypass various AD-FS restrictions in order to take over cloud resources as well. Marina Simakov Marina Simakov is a security researcher at Preempt, with a special interest in network security and authentication protocols. Prior to Preempt, Marina served as a Security Researcher at Microsoft for several years. She holds an M.Sc. in computer science, with several published articles, with a main area of expertise in graph theory. Marina previously spoke at various security conferences such as Black Hat, BlueHat IL and DEF CON. Yaron Zinar Yaron Zinar is a Lead Security Researcher at Preempt, delivering the industry’s first Identity and Access Threat Prevention. Previously, Yaron spent over 12 years at leading companies such as Google and Microsoft where he held various positions researching and leading big data, machine learning and cyber security projects. Yaron is an expert on Windows Authentication protocols, among his team latest finding are CVE-2017-8563 and CVE-2018-0886, which he presented in Black Hat last year. Yaron holds an M.Sc. in Computer Science with focus on statistical analysis.