Relaying NTLMv1/v2 - Tradecraft Security Weekly #14

Security Weekly - A CRA Resource
A very common attack that many networks are vulnerable to is LLMNR or NBT-NS poisoning. Through this attack, it is possible to gain access to a user's NTLMv1 or NTLMv2 password hash. A more interesting attack can be carried out under the same premise, though: instead of just obtaining a password hash, the user's authenticated session to another host can be exploited to run arbitrary code on the server. In this episode of Tradecraft Security Weekly, Beau Bullock (@dafthack) shows how to perform this attack using the PowerShell tool Inveigh.
Published 7 years ago, on 1396/05/19.
Viewed 6,791 times.