Hi! When you say external, do you mean out through the internet? The simplest answer is to block outbound traffic that isn't needed. So, only allow DNS and HTTP(S) maybe. Another way to look at it is to make sure there is nothing exposed that can receive the relayed authentication. NTLM itself is a vulnerable auth protocol, so you don't want to use it for anything you have accessible online.
@Volkis hey Volkis! Thanks for the reply and enjoyed the video. I have disabled NTLM entirely on a client's DC, their only server, but am not sure if that will still allow requests to come through or not; I need to check the logs again. I was getting 30+ failed logins for a bunch of user names (some correct, some incorrect usernames), so I disabled it. Wondering if I need to enable SMB signing still, or honestly not even sure how the requests are being made 😟
@foxxrider250r I'll need more context, so reach out through our website if you'd like. But, generally speaking, if you disabled NTLM everywhere in the domain that will certainly stop NTLM Relay attacks. Technically, you don't need to enable signing then, but as a "just in case" you can still enable it. I'm not sure where the failed logins are coming from, but if you have NTLM disabled, Windows machines will use Kerberos (which should work unless they're using XP).
Great video. I couldn't get the crackmap smb command to work the way you demo it here. It just wouldn't list them. I don't know if I am missing something. Very useful video which introduced me to the tool, and many thanks.
Is it possible to reuse AUTHENTICATE_MESSAGE (NTLM TlRM......) to authenticate a new HTTP connection? For example, if I put AUTHENTICATE_MESSAGE in the HTTP Authorization header so I can skip the first (NEGOTIATE_MESSAGE) and second (CHALLENGE_MESSAGE) pre-authentication steps? Is CHALLENGE_MESSAGE only per one HTTP session? Thanks