10:15 - 11:00
"NTLM relay attacks have been around for more than a decade. The oldest attack method is SMB Relay, which can be traced back to a security tool released by Sir Dystic in 2001, it needs to be emphasized that it's independent of application layer protocol (such as SMB). In fact, it's a security issue in the NT-LAN-Manager authentication protocol.
As we all know, there are two ways to implement NTLN relay attack.
1. Relay credential to the victim machine (Credential Reflection), Microsoft released MS08-068 patch for this vulnerability.
2. Relay credential to another host (Credential Relay), that is a currently widely-used attack method. Unfortunately, there are no specific patches available.
In this talk, we will first review the history of NTLM relay attacks. After that, we will introduce a new attack method and the principle of this vulnerability, that can bypass the patch of MS08-068 and implement the credential reflection attack by relaying The Net-NTLM hash to the machine itself, also the effect of RCE（Remote Code Execution) can be achieved. In the end, we will release an automated exploit tool for this vulnerability."
Operating System Security