TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Black Hills InfoSec

Bypass NTLM Message Integrity Check – Drop the MIC

BHIS · 2024-02-01

ATT&CK techniques detected

10 predictions
T1557.001 Name Resolution Poisoning and SMB Relay (95%)
"…ntlmrelayx.py \ -t ldaps://10.10.10.1 \ -wh [email protected] \ --add-computer 'snowmachine2' <password> \ --remove-mic \ -smb2support. Next, we will configure Responder to poison LLMNR and NetBIOS traffic and automatically pass the NTLM authentication t…"

T1557.001 Name Resolution Poisoning and SMB Relay (94%)
"In the figure below, we received a connection via SMB. However, attempting to relay SMB to LDAP resulted in the following error: “[!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP).” This behavior is expec…"

T1557.001 Name Resolution Poisoning and SMB Relay (85%)
"…Quota attribute and disallow non-administrative computer joins to the domain. Network poisoning and relay attacks: - Enable SMB signing on all systems - Disable LLMNR on all clients via Group Policy Object (GPO) - Disable NetBIOS Name Server (NBNS) - Disable the proxy aut…"

T1557.001 Name Resolution Poisoning and SMB Relay (74%)
"…configurations, group policies, endpoint protection applied. Additionally, the process should update the organization’s device inventory. Message Integrity. Imagine we have gained a foothold in the target organization Foobar’s environment. LDAP is only available on domain cont…"

T1558.001 Golden Ticket (72%)
"…successfully created a computer object with delegation rights to DC02. Our new computer account, dcmachine$, was created with privileges that allow the account to impersonate any user on the domain controller DC02, essentially any domain account including a domain admin. Let’s …"

T1557.001 Name Resolution Poisoning and SMB Relay (71%)
"…E-2019-1040. Once again, let’s imagine we have gained a foothold in the target organization Foobar’s environment. At this point, we have network level access, and we located the target domain controller dc01.foobar.com (10.10.10.1). To provide a brief initial atta…"

T1557.001 Name Resolution Poisoning and SMB Relay (40%)
"…dan'@dc02.foobar.com. To summarize, we successfully escalated privileges from network access to domain administrator via two relay attacks. Each attack relayed an incoming SMB connection to an LDAPS connection, which was possible because the target systems were not patched aga…"

T1550.003 Pass the Ticket (35%)
"…10.22) to authenticate to our attacker machine. - Relay the hash obtained from the domain controller to LDAPS on target domain controller DC01 (10.10.10.1) and create another domain object with delegation rights to DC02. - Use the new computer object to request a service t…"

T1558 Steal or Forge Kerberos Tickets (32%)
"…successfully created a computer object with delegation rights to DC02. Our new computer account, dcmachine$, was created with privileges that allow the account to impersonate any user on the domain controller DC02, essentially any domain account including a domain admin. Let’s …"

T1557.001 Name Resolution Poisoning and SMB Relay (31%)
"…the domain credentials obtained from our new computer account snowmachine2$, we can use Coercer to force the victim machine (DC02) to authenticate to the attacker host (10.10.10.200). Side note: In some cases, a relay attack may not require domain credentials. For ex…"

Summary

In An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit, Jordan Drysdale shared the dangers of a lack of SMB signing requirements and […]

The post Bypass NTLM Message Integrity Check – Drop the MIC appeared first on Black Hills Information Security, Inc.