Python and BOF utilites to the determine EPA enforcement levels of popular NTLM relay targets from the offensive perspective
These tools were written to compliment research summarized in a blog post / presentation by @Tw1sm and myself.
NTLM relay is still a widely abused attack vector during pentests and red teams alike. Depending on your network access perspective, setting up for a relay can be an involved and error-prone process (e.g. over C2). The goal of this toolset is to better inform your NTLM relays, especially in cases where Extended Protection for Authentication (EPA) could be enforced as a mitigation.
See the RelayInformer [Python] and RelayInformer [BOFs] documentation for details and example usage.
- Alex Demine - initial effort in MSSQL EPA research
- @Defte_ - “A journey implementation Channel Binding on MSSQLClient.py”
- @lowercase_drm - early open-source implementation of LDAP channel binding in LDAP3 library
- Pierre Milioni & Geoffrey Bertoli - "A study on Windows HTTP Authentication (Part II)
- Adam Crosser - "Relaying to ADFS Attacks"
- Open-source developers contributing to libraries such as Impacket, msldap, LdapSignCheck, and many more
