Attackers abuse misconfigured Unconstrained Delegation together with NTLM reflection/relay to coerce high-value systems into authenticating to attacker-controlled hosts, which lets them capture Kerberos TGTs and escalate from a low-privileged user to full domain compromise without any software zero-day. Effective mitigations include enforcing SMB signing, disabling unconstrained delegation, restricting NTLM, and monitoring Kerberos/DCSync activity. #UnconstrainedDelegation #NTLMRelay
Key points
- Unconstrained Delegation can cause high-privileged TGTs to be cached on a compromised host for reuse.
- Disabled SMB signing enables NTLM relay/reflection attacks to succeed without plaintext credentials.
- Coercion techniques like PetitPotam, DFSCoerce, PrinterBug, and MS-EVEN force targets to authenticate to attacker systems.
- Captured TGTs and NTLM hashes enable Pass-the-Ticket, Pass-the-Hash, and DCSync attacks for domain-wide compromise.
- Mitigations include enforcing SMB signing, using constrained delegation, restricting NTLM, disabling unnecessary services, and monitoring Kerberos anomalies.
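As an added illustration of the mitigation list above (example written for this page, not code from the linked article), the PowerShell audit below lists accounts trusted for unconstrained delegation, Domain Admins that lack the "sensitive" flag or Protected Users membership, and the local SMB signing and NTLM hardening registry values. It assumes the RSAT ActiveDirectory module, read access to the domain, and the default Windows group names and registry paths.

```powershell
# Added audit example for this page (not from the linked article). Assumes the RSAT
# ActiveDirectory module and domain read access; registry checks apply to the local host.
Import-Module ActiveDirectory
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl: unconstrained delegation
$NOT_DELEGATED          = 0x100000  # userAccountControl: sensitive, cannot be delegated
$bitAnd = '1.2.840.113556.1.4.803'  # LDAP bitwise-AND matching rule OID

# 1. Accounts trusted for unconstrained delegation. DCs (primaryGroupID 516, RODC 521)
#    are expected; any other object is a finding. objectClass=user also matches computers.
$ldap = "(&(objectClass=user)(userAccountControl:${bitAnd}:=$TRUSTED_FOR_DELEGATION))"
Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName, primaryGroupID | ForEach-Object {
    $finding = if ($_.primaryGroupID -in 516, 521) { 'expected (domain controller)' }
               else { 'replace with constrained or resource-based delegation' }
    [pscustomobject]@{ Check = 'UnconstrainedDelegation'; Object = $_.sAMAccountName; Finding = $finding }
}

# 2. Domain Admins without the sensitive flag or Protected Users membership: their TGTs
#    can be cached on any host that holds unconstrained delegation.
$protectedDN = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl, memberOf | ForEach-Object {
        $sensitive = ($_.userAccountControl -band $NOT_DELEGATED) -ne 0
        $protected = $_.memberOf -contains $protectedDN
        if (-not ($sensitive -and $protected)) {
            [pscustomobject]@{ Check = 'PrivilegedAccount'; Object = $_.SamAccountName
                               Sensitive = $sensitive; ProtectedUsers = $protected }
        }
    }

# 3. Host hardening values at their default registry locations.
$checks = @(
    @{ Name = 'SMB server signing required'; Key = 'RequireSecuritySignature'; Want = 1
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' }
    @{ Name = 'SMB client signing required'; Key = 'RequireSecuritySignature'; Want = 1
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' }
    @{ Name = 'Outgoing NTLM denied (2)';    Key = 'RestrictSendingNTLMTraffic';  Want = 2
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' }
    @{ Name = 'NTLMv2 only (level 5)';       Key = 'LmCompatibilityLevel';        Want = 5
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    [pscustomobject]@{ Check = 'HostHardening'; Setting = $c.Name; Value = $v; Compliant = ($v -eq $c.Want) }
}
```

A missing registry value shows as an empty Value with Compliant = False, which usually means the setting is left at the OS default rather than enforced by policy.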
Read More: https://www.hackingarticles.in/ntlm-reflection-attack/