https://wiki.owasp.org/index.php?action=history&feed=atom&title=AppSecEU08_NTLM_Relay_AttacksAppSecEU08 NTLM Relay Attacks - Revision history2026-04-27T03:36:11ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=AppSecEU08_NTLM_Relay_Attacks&diff=28223&oldid=prevErachner at 03:29, 21 April 20082008-04-21T03:29:05Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 03:29, 21 April 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''NTLM Relay Attacks'''</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>'''NTLM Relay Attacks'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share<ins class="diffchange diffchange-inline">.  But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Authentication</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Auth. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">In the simplest scenario</del>, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access <del class="diffchange diffchange-inline">'</del>''arbitrary network resources<del class="diffchange diffchange-inline">'</del>'' as the victim.  </div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Simply put</ins>, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access ''arbitrary network resources'' as the victim.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Although people have been exploiting this problem for seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources until now.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks.  The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Although this vulnerability has been exploitable for over seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources -- until now.  </ins>In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks.  The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">'''About the Speaker:''' Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis, vulnerability assessment, and penetration testing of network applications and systems.  He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team.  As a senior member of the ACE team, he led efforts such as application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. Also during this time, he wrote the feature article for the August 2004 issue of asp.net PRO Magazine on the subject of the attack technique that has since become known as Cross-Site Request Forgery. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In 2005, Eric left Microsoft to pursue an independent career <del class="diffchange diffchange-inline">as a security consultant </del>providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">'''About the Speaker:''' Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis and penetration testing of network applications and systems.  He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team, leading efforts such as application penetration testing, code reviews, design reviews of applications throughout Microsoft's global IT organization. </ins>In 2005, Eric left Microsoft to pursue an independent career<ins class="diffchange diffchange-inline">, </ins>providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.</div></td></tr>
</table>Erachnerhttps://wiki.owasp.org/index.php?title=AppSecEU08_NTLM_Relay_Attacks&diff=28222&oldid=prevErachner: New page: '''NTLM Relay Attacks''' NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the vict...2008-04-21T03:21:57Z<p>New page: '''NTLM Relay Attacks''' NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the vict...</p>
<p><b>New page</b></p><div>'''NTLM Relay Attacks'''<br />
<br />
NTLM relay attacks have been around for years. Since 2001, in fact. Until now, every implementation of this attack has been SMB-based, using it to access the victim’s hidden c$ file share.<br />
<br />
But NTLM relay attacks can be launched against any protocol that uses NTLM authentication. Besides SMB, that includes more or less every Microsoft enterprise software product, and more or less every third-party app ever to leverage Windows Integrated Auth. <br />
<br />
In the simplest scenario, whenever an Active Directory domain user authenticates to a web server in a Windows enterprise environment, that web server's operator can then access '''arbitrary network resources''' as the victim. <br />
<br />
Although people have been exploiting this problem for seven years, nobody has paid much attention to the fact that it can also be used to access HTTP-based resources until now.<br />
<br />
In this talk, Eric Rachner will demonstrate Scurvy, a new tool for launching NTLM relay attacks. The underlying mechanics of NTLM relay attacks will also be discussed, along with mitigation options.<br />
<br />
'''About the Speaker:''' Eric Rachner is an independent security consultant, researcher, and enthusiast specializing in security analysis, vulnerability assessment, and penetration testing of network applications and systems. He began his career at Microsoft in 1994, where in 2002 he helped Microsoft start the Application Consulting Engineering (ACE) team. As a senior member of the ACE team, he led efforts such as application penetration testing, code reviews, design reviews and security awareness training for internal application teams throughout Microsoft's global IT organization. Also during this time, he wrote the feature article for the August 2004 issue of asp.net PRO Magazine on the subject of the attack technique that has since become known as Cross-Site Request Forgery. <br />
<br />
In 2005, Eric left Microsoft to pursue an independent career as a security consultant providing services to large global enterprises in North America and Europe. Outside of the office, his hobbies include motorsports and yet still more IT security activity; he was also a core member of the hacking team that won the prestigious "Capture the Flag" contest at Def Con in 1999, 2000, and 2001.</div>Erachner