Tradecraft Security WeeklySubscribe
Identity

Relaying NTLMv1/v2 – Tradecraft Security Weekly #14

A very common attack that many networks are vulnerable to is called LLMNR or NBT-NS poisoning. Through this attack it is possible to gain access to a user's NTLMv1 or v2 password hash. A more interesting attack can be carried out under the same premise though. Instead of just obtaining a password hash the user's authenticated session to another host can be exploited to run arbitrary code on the server. In this episode of Tradecraft Security Weekly Beau Bullock (@dafthack) shows how to perform this attack using the PowerShell tool Inveigh.

LINKS: Inveigh Nmap SMB-Signing Discovery byt3bl33der blog post SANS blog post LLMNR & NBT-NS Blog Post Responder Multi-Relay Impacket SMBRelayx Metasploit SMB_Relay Module

[audio src="http://traffic.libsyn.com/tswaudio/Relaying_NTLMv1_v2_-_Tradecraft_Security_Weekly_14_converted.mp3"]

Related

South Korean defense firms subjected to North Korean APT attacks

North Korean state-sponsored advanced persistent threat operations Lazarus Group, Kimsuky, and Andariel were noted by South Korea's National Police Agency to have targeted several South Korean defense industry entities since late 2022 in a bid to obtain intelligence regarding defense technologies, reports Security Affairs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.