Relay attacks

The article will talk about what Relay attacks exist today and how to reproduce them, what basic tools can be used to carry out these attacks in penetration testing, and will also consider the Relay attack on Active Directory.

What is Relay

Relay attacks have been around for a long time. If you enter “Relay attacks” into a search engine, you will find many pages that were created about 20 years ago. In the computer literature, the term Relay is used to refer to the process of retransmitting data. In this process, the information to be repeated is simply sent to the specified address. The one who communicates the information does not have to parse it semantically or structurally, he is just an intermediary. The definition is quite simple, but the implementation is sometimes fraught with a lot of features and limitations.

The main condition for carrying out an attack is that the attacker must be in the middle of the connection before starting the “repetition”, that is, control or at least observe the information transfer process. There is a separate term for this condition – MitM. In fact, this is another attack that is used to launch Relay.

Why do Relay attacks exist and where are they used? Any information system must regulate the rules for the safe transfer of information between participants in the exchange. The rules should include both data protection against leakage and rules for delimiting access to information between system participants. The first task in systems is usually solved using cryptographic methods of transformation, and the second – through the use of special identifiers, which within the system have unique characteristics and allow you to identify the credentials of the user who owns the identifier. Very often, these identifiers are used to implement cryptographic mechanisms.

Relay attack involves simply the process of repeating data transmission, that is, its pattern is well suited to influence the state of systems, even without having direct access to them. This is especially true if the system uses cryptographic protection methods. However, if the attack is applied correctly, then it is possible to gain access to the system, launch data processing mechanisms, and cause problems in the functioning of systems. There are known examples of successful Relay attacks on corporate access control systems, NFS systems, etc. In this article, we will focus on Relay attacks that are applicable to systems running Windows AD.

Windows AD

Relay attacks on Windows AD have been around for almost as long as the system itself. The possibility of their implementation exists because the system uses its own mechanism. SSO… This mechanism allows users to access system resources. With the correct “direction” of requests to gain access to a resource through SSO, an attacker can gain access to the resource on behalf of the user whom he “sent”. In this case, the attacker will not need to know any credentials or identifiers that are used in the system.

There is no official systematization when describing Relay attacks on Windows AD, so we will use the following classification:

  • Classic Relay attacks – data is sent only over the network, without additional host processing

  • Hybrid Relay Attacks – Rouge Potato, Relay Potato

Let’s try to figure out what each attack is.

Attacks and tools

Classic Relay attacks – for the attack to work, you need:

  • Scan the network and get a list of services. We need shared directories via SMB, HTTP server, LDAP server.

  • Set up a listener for local connections or attack the routing of data on the network

A set of tools that you can use:

The success of the attack depends on how the services listed above are configured. All tools are tailored for use with an authorization scheme through the NTLM protocol. Thus, the main task of carrying out an attack is to repeat the NTLM Challenge exchange procedure. (Will not work when using the request signing procedure).

Possible attack vectors: SMB-> SMB, HTTP / HTTPs, LDAP / LDAPs, MSSQL, POP3, IMAP / s, SMTP.

Attack scenario:

The user system contains no known vulnerabilities. The user periodically uses the HTTP web server and file exchanger. The attacker conducts an ARP Cache Poison attack. In bettercap, you can run the command like this:

set arp.spoof.targets 192.168.56.15
set arp.spoof.internal true
arp.ban on

As a result, all requests sent by the user’s machine pass data through the attacker’s machine. You can run the tool ntlmrelayx from a set of scripts impacket and wait for a request to the exchanger:

python3 ntlmrelayx.py -t smb://192.168.56.25 -smb2support -socks

As a result, we will have a command line ntlmrelayx and it is possible to dump data and send commands to the target system on behalf of the user.

Hybrid attacks are a modified version of attacks that allows additional OS mechanisms to be used to control the authorization procedure.

Rouge Potato – This attack uses security descriptor delegation techniques. To carry out the attack, the DCOM mechanism is used – OXID Resolver requests to it are wrapped through named pipes and as a result, the attacker is able to run commands in the system on behalf of the “NETWORK SERVICE” user; in the future, the token can be upgraded to the “SYSTEM” token.

The attack can be carried out using the RougePotato tool. The tool is used to elevate privileges in the system, that is, Relay occurs only at the level of OS mechanisms. It will not be possible to carry out this attack without at least minimal access to the OS command line.

Remote Potato is a modification of the Remote Potato attack, which bypasses the mechanism of prohibiting requests for data from a resource without authorization through the DCOM mechanism of ResolveOxid2. For this attack, it is also necessary to have minimal access to the system, since during the token request procedure, the service is called through the local IXOD Resolver.

Conclusion

Despite the fact that Relay attacks have been known for a long time, at the moment they are still relevant for information systems. In particular, it is recommended that Active Directory security administrators enable NTLM protocol request signature to avoid system compromise using this method.


The article was prepared by Alexander Kolesnikov as part of the course “Pentest. Penetration Testing Practice “… If you are interested in learning more about the format and program of training, we invite you to Open Day online.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *