NTLM relay attacks explained, and why PetitPotam is the most dangerous

Source
Advertisement


Microsoft Active Directory (AD), which handles identity management, reportedly holds 90% to 95% market share among fortune 500 companies. Given such broad adoption, it is no surprise that it is so heavily targeted by malicious actors and researchers alike. Among the most cited types of attacks against AD are legacy protocols. One such protocol that receives a lot of focus from attackers is NT LAN Manager (NTLM).

NTLM has been around for over 20 years. It is used for authentication in early Windows systems, leading up to Windows 2000. It uses a challenge-response mechanism to authenticate clients. While many organizations have shifted to Kerberos, many legacy systems and applications still support or use NTLM.

Advertisement