PTS2022

Dissecting NTLM EPA & building a MitM proxy
2022-07-06, 14:55–15:15 (Europe/Paris), Amphitheater

Have you ever come across a website that used NTLM-based authentication, and you just could not authenticate with either your browser or Burp Suite even though you knew your credentials were correct? NTLM Extended Protection for Authentication (EPA) might be the culprit... Indeed, Firefox, among others, does not support the NTLM EPA mechanism and fails to authenticate.

This new protection was implemented to prevent relay attacks on web servers. With the rise of the powerful attack chain that involves ADCS, PetitPotam and NTLM relay, this protection has proven to be very useful!

What can we do then?! How are we going to use all our favorite tools? By creating a proxy of course! This raised multiple problems, such as TLS interception, HTTP parsing, NTLM authentication, EPA implementation, and so on.

In the first part of this talk, I will give a short overview of the NTLM protocol over HTTP. Then I will explain how EPA fits into all this, and how it impacts NTLM relay over HTTPS. Finally, I will present our interception proxy Prox-Ez and the obstacles we encountered during its development.

See also: 🎥 video

See also: slides

Security Ninja @ Synacktiv