BIPI

NTLM Relay Attacks in 2024: SMB, LDAP, HTTP, and EPA Bypasses

Cybersecurity

NTLM relay remains the most reliable internal pivot in AD networks. A practical breakdown of SMB, LDAP, and HTTP relay paths, signing, channel binding, and EPA realities.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 27, 2024 · 12 min read

#ntlm #active-directory #relay #pentest

If Kerberoasting is the cheapest path to credential material, NTLM relay is the cheapest path to a session. NTLM does not bind the handshake to the server the client thinks it is talking to, so an attacker who can coerce or intercept an authentication can forward the challenge-response messages to a different server and log on there as the victim. More than two decades after SMB relay was first demonstrated, it still works on almost every internal engagement we run.

The coercion layer

A relay attack starts by making a target machine authenticate to you. Several RPC interfaces exposed by default will open a UNC path of your choosing, and the target's machine account authenticates to whatever is listening there. Some of them need nothing more than a low-privileged domain account; on unpatched hosts some still work unauthenticated.

  • PetitPotam (MS-EFSRPC EfsRpcOpenFileRaw) against unpatched DCs and file servers
  • PrinterBug (MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx) against the Print Spooler
  • DFSCoerce (MS-DFSNM NetrDfsRemoveStdRoot) against domain controllers
  • ShadowCoerce (MS-FSRVP) where the File Server VSS Agent Service is installed
  • WebDAV triggers (a UNC path planted in a shared document, shortcut or search connector) on hosts running the WebClient service; the resulting authentication arrives over HTTP rather than SMB, which matters for LDAP relay

The relay layer

ntlmrelayx from impacket is the workhorse. The protocol you relay to dictates what you can do.

  1. Relay to SMB: file read, secretsdump, and command execution if signing is not required on the target and the relayed identity is a local administrator there
  2. Relay to LDAP: add a computer account, set msDS-AllowedToActOnBehalfOfOtherIdentity, RBCD takeover. Caveat: authentication coerced over SMB negotiates NTLM signing, and the DC honours that flag even when LDAP signing is not required, so the relayed session is rejected. Use an HTTP or WebDAV source, or the MIC-drop (CVE-2019-1040, ntlmrelayx --remove-mic) against DCs that were never patched for it
  3. Relay to LDAPS: blocked wherever LDAP channel binding (EPA) is enforced on the DC; relay to LDAP with signing required fails because the relay never holds the session key
  4. Relay to HTTP: pivot to ADCS web enrollment for ESC8, or to Exchange EWS for mailbox takeover
  5. Relay to MSSQL: xp_cmdshell or impersonation if the relayed identity has sysadmin

ESC8: The ADCS web enrollment relay

If Certificate Services has the Web Enrollment role installed and the /certsrv site accepts NTLM over HTTP, coerce a DC, relay its authentication to /certsrv/certfnsh.asp, and request a certificate as the DC machine account from a template that permits client authentication (the DomainController template does). That certificate is a Kerberos-capable identity for the domain controller: PKINIT turns it into a TGT, and the TGT gives you DCSync. This is the single highest-impact relay path in modern AD and remains widely exploitable.

Command shape: ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController, then PetitPotam against the DC. ntlmrelayx prints the issued certificate as a base64 PFX; authenticate with it over PKINIT (certipy auth or gettgtpkinit.py) and run secretsdump with the resulting ticket.

Signing, EPA, and channel binding

SMB signing required on the destination kills SMB relay, because the relay never obtains the session key needed to sign. LDAP signing required kills relay to LDAP on 389 for the same reason. LDAP channel binding (EPA) kills LDAPS relay, because the client's channel binding token is computed over the TLS certificate of the relay host, not the DC's, and the DC refuses the mismatch. These three settings, applied universally, would eliminate the bulk of relay attacks. In practice, we still find them off.

  • LdapEnforceChannelBinding (DWORD) = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, or the GPO "Domain controller: LDAP server channel binding token requirements" set to Always
  • LDAPServerIntegrity = 2 under the same key, or the GPO "Domain controller: LDAP server signing requirements" set to Require signing
  • RequireSecuritySignature = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters on all SMB servers, not just DCs (GPO "Microsoft network server: Digitally sign communications (always)")
  • Extended Protection set to Required (tokenChecking="Require") on every IIS site that performs Windows authentication, with the plain-HTTP binding removed
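
The following Python is an added illustration, not code from the original post, that models the NTLMv2 exchange end to end to show why channel binding holds: the client hashes the TLS certificate of whatever endpoint it is actually talking to into the MsvAvChannelBindings AV pair, and NTProofStr, keyed by the victim's NT hash, covers that pair, so a relay can neither present a token matching the DC's certificate nor strip the mismatching one. The account name, the two certificates and the NT hash (the well-known hash of "password") are constructed, and the DC's LDAP front end is reduced to a single verify function.

```python
"""Why LDAP channel binding (EPA) defeats NTLM relay: an NTLMv2 client/DC model.
Added illustration with constructed data; not code from the original post."""
import hashlib
import hmac
import os
import struct

MSV_AV_EOL = 0x0000
MSV_AV_CHANNEL_BINDINGS = 0x000A   # AV_PAIR id of MsvAvChannelBindings (MS-NLMP 2.2.2.1)
BLOB_HEADER_LEN = 28               # RespType .. Reserved3 precede the AV pairs in the blob

# Constructed secret: NT hash of "password". Only the client and the DC hold it;
# the relay never does, which is why it cannot recompute NTProofStr after tampering.
VICTIM_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "svc_backup", "CORP"
# Constructed stand-ins for DER certificates (any bytes; only their hashes matter).
DC_CERT = b"-- constructed DER: CN=dc01.corp.local --"
ATTACKER_CERT = b"-- constructed DER: CN=relay.attacker --"


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def channel_binding_token(cert_der):
    """MsvAvChannelBindings value: MD5 over gss_channel_bindings_struct whose only
    populated field is application_data = 'tls-server-end-point:' + SHA-256(cert)."""
    app = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    return hashlib.md5(struct.pack("<5I", 0, 0, 0, 0, len(app)) + app).digest()


def encode_av_pairs(pairs):
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(data):
    pairs, off = [], 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, off)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs.append((av_id, data[off + 4:off + 4 + av_len]))
        off += 4 + av_len


def client_ntlmv2_response(nt_hash, server_challenge, target_info, tls_cert=None):
    """Client side of AUTHENTICATE. target_info is copied from the CHALLENGE; a client
    on a TLS channel appends a CBT bound to the certificate *it* saw."""
    pairs = list(target_info)
    if tls_cert is not None:
        pairs.append((MSV_AV_CHANNEL_BINDINGS, channel_binding_token(tls_cert)))
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0)   # resp types, reserved, timestamp (constructed 0)
            + os.urandom(8) + b"\x00" * 4                      # client challenge, reserved
            + encode_av_pairs(pairs) + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt_hash, USER, DOMAIN), server_challenge + blob, "md5").digest()
    return nt_proof + blob   # NtChallengeResponse


def dc_verify(nt_hash, server_challenge, nt_response, dc_cert, enforce_cbt):
    """DC side. enforce_cbt=True models LdapEnforceChannelBinding = 2 (Always)."""
    nt_proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, USER, DOMAIN), server_challenge + blob, "md5").digest()
    if not hmac.compare_digest(expected, nt_proof):
        return False, "NTProofStr mismatch: blob was altered in transit"
    cbt = dict(decode_av_pairs(blob[BLOB_HEADER_LEN:])).get(MSV_AV_CHANNEL_BINDINGS)
    if enforce_cbt and cbt != channel_binding_token(dc_cert):
        return False, "channel binding missing or bound to another TLS endpoint"
    return True, "accepted"


def relay_strip_cbt(nt_response):
    """What a relay would have to do: drop the CBT pair. NTProofStr still covers the old blob."""
    nt_proof, blob = nt_response[:16], nt_response[16:]
    pairs = [p for p in decode_av_pairs(blob[BLOB_HEADER_LEN:]) if p[0] != MSV_AV_CHANNEL_BINDINGS]
    return nt_proof + blob[:BLOB_HEADER_LEN] + encode_av_pairs(pairs) + b"\x00" * 4


def run_scenarios():
    challenge = os.urandom(8)                                   # challenge issued by the real DC
    target_info = [(0x0002, "CORP".encode("utf-16-le"))]        # MsvAvNbDomainName (constructed)
    honest = client_ntlmv2_response(VICTIM_NT_HASH, challenge, target_info, tls_cert=DC_CERT)
    via_relay_ldaps = client_ntlmv2_response(VICTIM_NT_HASH, challenge, target_info, tls_cert=ATTACKER_CERT)
    via_smb = client_ntlmv2_response(VICTIM_NT_HASH, challenge, target_info)   # no TLS, no CBT
    return {
        "direct_ldaps_enforced": dc_verify(VICTIM_NT_HASH, challenge, honest, DC_CERT, True),
        "relay_ldaps_enforced": dc_verify(VICTIM_NT_HASH, challenge, via_relay_ldaps, DC_CERT, True),
        "relay_strip_cbt_enforced": dc_verify(VICTIM_NT_HASH, challenge, relay_strip_cbt(via_relay_ldaps), DC_CERT, True),
        "relay_from_smb_enforced": dc_verify(VICTIM_NT_HASH, challenge, via_smb, DC_CERT, True),
        "relay_from_smb_not_enforced": dc_verify(VICTIM_NT_HASH, challenge, via_smb, DC_CERT, False),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:28} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The last scenario is the one that matters operationally: with channel binding left at its default the DC accepts a CBT-less response relayed from an SMB coercion, which is exactly the SMB-to-LDAPS path the RBCD takeover rides on. MIC handling is omitted from the model; it only strengthens the same point, since the MIC covers the whole AUTHENTICATE message.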

Bypassing EPA on HTTP

EPA on HTTP has two parts: a channel binding token derived from the server's TLS certificate, and a service binding in which the client names the target SPN inside the NTLM message. Over plain HTTP there is no certificate to bind to, so only the service binding remains, and the common weaknesses are an HTTP listener left alongside HTTPS, a site whose tokenChecking is None or Allow rather than Require, or an attacker endpoint the victim connects to without TLS so that no binding is ever formed. Coerced authentication via WebDAV may also bypass EPA depending on the client. Treat EPA as defence in depth, not a guarantee.

If your CA has Web Enrollment over HTTP and your DCs are reachable from a low-privileged host, you are one PetitPotam away from DCSync.

Detection

Look for 4624 network (type 3) logons with authentication package NTLM where the workstation name does not belong to the source IP: the workstation name is copied from the NTLM AUTHENTICATE message and so names the victim, while the source IP is the host that delivered it, which in a relay is the attacker. The same mismatch shows up as machine-account logons (DC01$) arriving from a workstation subnet. For the coercion itself, look for 5145 IPC$ access to the lsarpc, efsrpc, spoolss, netdfs and FssagentRpc pipes from hosts with no reason to call them; that event only exists if Audit Detailed File Share is enabled. Defender for Identity catches the obvious cases. Most custom SIEMs do not.
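
As an added example, not tooling from the original post, the following Python runs both of those checks over a handful of constructed 4624 and 5145 records. Field names follow the EventData of those events as Get-WinEvent or a SIEM would export them, and the hostname-to-IP inventory stands in for DNS or DHCP data; both are assumptions of the example.

```python
"""Relay and coercion indicators over Windows Security events.
Added example with constructed sample events; not tooling from the original post."""
from collections import defaultdict

# Named pipes behind the coercion primitives discussed above, mapped to the technique.
COERCION_PIPES = {
    "lsarpc": "PetitPotam", "efsrpc": "PetitPotam", "spoolss": "PrinterBug",
    "netdfs": "DFSCoerce", "FssagentRpc": "ShadowCoerce",
}
# lsarpc and spoolss are noisy in normal traffic; these three almost never are.
RARE_PIPES = {"efsrpc", "netdfs", "FssagentRpc"}

# Constructed asset inventory (hostname -> IP), standing in for DNS/DHCP/CMDB data.
ASSET_IP = {"DC01": "10.10.0.10", "FS01": "10.10.0.20", "WS-FIN-07": "10.10.20.57"}

# Constructed sample events. 10.10.66.6 is the relay box in this story.
SAMPLE_EVENTS = [
    # Relayed DC machine-account logon on the file server: WorkstationName is DC01
    # (taken from the NTLM AUTHENTICATE message) but the TCP peer is the attacker.
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "WorkstationName": "DC01", "IpAddress": "10.10.66.6"},
    # Ordinary NTLM logon from a workstation to the file server.
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS-FIN-07", "IpAddress": "10.10.20.57"},
    # Kerberos logons carry no NTLM workstation claim; the relay check ignores them.
    {"EventID": 4624, "Computer": "DC01", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "j.doe", "WorkstationName": "", "IpAddress": "10.10.20.57"},
    # Coercion attempts against the DC using a low-privileged account.
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
     "SubjectUserName": "j.doe", "IpAddress": "10.10.66.6"},
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "SubjectUserName": "j.doe", "IpAddress": "10.10.66.6"},
    # Share enumeration over srvsvc: not a coercion pipe.
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "SubjectUserName": "j.doe", "IpAddress": "10.10.20.57"},
]


def relayed_ntlm_logon(ev):
    """Flag a 4624 network NTLM logon whose claimed source host does not own the source IP.
    WorkstationName is what the victim wrote into AUTHENTICATE; IpAddress is whoever
    delivered it to this server. Returns a finding string or None."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != "3":
        return None
    if ev.get("AuthenticationPackageName") != "NTLM":
        return None
    user, ws, ip = ev.get("TargetUserName", ""), ev.get("WorkstationName", ""), ev.get("IpAddress", "")
    claimed_host = ws or (user[:-1] if user.endswith("$") else "")
    expected_ip = ASSET_IP.get(claimed_host)
    if expected_ip and expected_ip != ip:
        return (f"{ev['Computer']}: NTLM logon as {user} claims to come from "
                f"{claimed_host} ({expected_ip}) but arrived from {ip}")
    return None


def coercion_activity(events, noisy_threshold=2):
    """Group 5145 IPC$ pipe opens by (server, source IP). One touch of a rare pipe, or
    repeated touches of the noisy ones, is the burst pattern described above.
    5145 is only written when 'Audit Detailed File Share' (success) is enabled."""
    per_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 5145 or not ev.get("ShareName", "").endswith("IPC$"):
            continue
        pipe = ev.get("RelativeTargetName", "")
        if pipe in COERCION_PIPES:
            per_source[(ev["Computer"], ev["IpAddress"])].append(pipe)
    findings = {}
    for src, pipes in per_source.items():
        if RARE_PIPES & set(pipes) or len(pipes) >= noisy_threshold:
            findings[src] = sorted({COERCION_PIPES[p] for p in pipes})
    return findings


def triage(events):
    relay = [f for f in (relayed_ntlm_logon(ev) for ev in events) if f]
    return {"relay_logons": relay, "coercion": coercion_activity(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for line in result["relay_logons"]:
        print("RELAY?    ", line)
    for (server, ip), techniques in result["coercion"].items():
        print("COERCION? ", server, "<-", ip, ", ".join(techniques))
```

The workstation check is only as good as the inventory behind ASSET_IP; in a real deployment feed it from DHCP leases or reverse DNS with a short TTL, otherwise roaming laptops produce the same mismatch as a relay. Correlating the two findings on the same source IP within a few minutes is what turns two medium alerts into one high one.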

Remediation checklist

  1. Disable NTLM where possible; audit first with the Restrict NTLM auditing GPOs so you know what breaks before enforcing.
  2. SMB signing required everywhere, including workstations.
  3. LDAP signing and channel binding enforced on all DCs.
  4. Remove the Web Enrollment role from any CA that does not need it. Where it must stay, remove the HTTP binding, require HTTPS with Extended Protection set to Required, and disable NTLM authentication on the certsrv site.
  5. Patch and audit PrintNightmare, PetitPotam, and DFSCoerce mitigations. They overlap but do not subsume each other.
  6. Block outbound SMB and WebDAV from workstation VLANs, and disable the WebClient service on hosts that do not need WebDAV, to break coercion callbacks.

Relay is not a vulnerability in a single product. It is a property of a protocol you have not yet retired. Until NTLM is fully disabled, the controls above are not optional.
