Beyond the MCSE Red Teaming Active Directory
DEFCON-24-Sean-Metcalf-Beyond-The-MCSE-Red-Teaming-Active-Directory
NTLM Authentication
• Most aren’t restricting NTLM auth.
• Still using NTLMv1!
• NTLM Attacks:
  • SMB Relay - simulate SMB server or relay to attacker system.
  • Intranet HTTP NTLM auth – Relay to Rogue Server
  • NBNS/LLMNR – respond to NetBIOS broadcasts
  • HTTP -> SMB NTLM Relay
  • WPAD (network proxy)
  • ZackAttack
  • Pass the Hash (PtH)
| @PyroTek3 | sean @ adsecurity.org |