Relay Attacks and NTLM Authentication Practice


Vocabulary and key concepts regarding NTLM relay attacks, authentication coercion methods, and SMB signing defenses.

Last updated 12:29 AM on 5/22/26

16 Terms

1

Relay attacks

A technique used to redirect authentication from one source to another, tricking a system like Device A into authenticating to an attacker-owned machine so the authentication can be relayed to a target like Device B.

2

PetitPotam

A novel means of forcing a client to authenticate by taking advantage of Microsoft Encryption File System Remote Protocol (MS-EFSRPC) to convince a victim to authenticate over MS-LSARPC on port 445.

3

DFSCoerce

A newer exploitation released in 2022 by Wh04m1001 that uses Microsoft Distributed File System Namespace Management (MS-DFSNM) to force a DC to authenticate against an NTLM relay.

4

MS-EFSRPC

Microsoft Encryption File System Remote Protocol.

5

MS-LSARPC

Microsoft Local Security Authority Remote Procedure Call.

6

MS-DFSNM

Microsoft Distributed File System Namespace Management.

7

SMB signing

A security mechanism that ensures the integrity and authenticity of SMB traffic by signing each message using a session key derived during NTLM or Kerberos authentication.

8

Session key

A shared key derived between the client and server during authentication to sign SMB messages; it is created when the user authenticates to a specific server rather than the entire domain.

9

LDAP relay

An attack that remains possible in some environments because LDAP signing is often not enforced by default, even if SMB signing is active.

10

Enabled Policy (SMB Signing)

A group policy setting where the machine will refuse unsigned SMB sessions.

11

Disabled Policy (SMB Signing)

A group policy setting where the machine will allow unsigned SMB sessions.

12

Microsoft network client: Digitally sign communications (always)

A policy that forces the system to require SMB message signing for all outgoing SMB connections to prevent NTLM relay and MITM attacks.

13

SMB Ports

Typically includes ports 135, 137, 139, and 445 when SMB is enabled.

14

SweetPotato

A collection of various native Windows privilege escalation techniques used to move from service accounts to SYSTEM, associated with CVE-2019-1040.

15

PrinterBug

An NTLM authentication coercion attack that involves MS-RPRN abuse.

16

Mitm6

A tool used in conjunction with ntlmrelayx to relay NTLM authentication to LDAP to obtain hashes.