Relay attacks

This article covers the relay attacks that exist today and how to reproduce them, the basic tools used to carry them out in penetration testing, and relay attacks against Active Directory.





What is Relay

Relay . "Relay attacks", , 20 . Relay . . , , , . , .





, "" , . — MitM. , Relay.





Relay ? . , . , — , , . .





Relay , , , . , . , , , , . Relay , NFS, .. Relay , Windows AD.





Windows AD

Relay Windows AD , . , SSO. . "" SSO, , "". , , .





Relay Windows AD , :





  • Relay — ,





  • Relay — Rogue Potato, Relay Potato





, .





Relay — :





  • . SMB, HTTP , LDAP .









, :





  • impacket





  • responder





  • mitm6





  • bettercap





  • Rogue Potato





  • Remote Potato





  • StreamDivert





, . NTLM . , — NTLM Challenge. ( ).





: SMB->SMB, HTTP/HTTPS, LDAP/LDAPS, MSSQL, POP3, IMAP/s, SMTP.





:





. HTTP - . ARP Cache Poison. bettercap :





set arp.spoof.targets 192.168.56.15
set arp.spoof.internal true
arp.ban on
      
      



, , . ntlmrelayx



impacket



:





python3 ntlmrelayx.py -t smb://192.168.56.25 -smb2support -socks
      
      



ntlmrelayx



.





— , .





Rogue Potato — . DCOM — OXID Resolver named pipes



"NETWORK SERVICE" "SYSTEM".





RoguePotato. , Relay . .





Remote Potato — Remote Potato, DCOM ResolveOxid2. , OXID Resolver.





, Relay , . , Active Directory NTLM .






«. ». , .







