NTLM relay attacks have been a well-known attack method for many years, and Microsoft has released many patches against them.
Most attackers use Windows UNC paths or the file protocol to leak the victim's Net-NTLM hash and then crack it or relay it to another machine. However, this only works on Internet Explorer or Edge inside a LAN, and it cannot be used to attack the original machine itself.
In this presentation, we will introduce and detail two new attack vectors. The first affects almost all the desktop browsers on Windows, which can be chained with other services to achieve remote code execution without victim interaction.
The other is a bypass of the MS08-068 patch that achieves direct remote code execution by relaying Net-NTLM hashes back to the same machine. We will also release a tool that launches these attacks automatically.