It has been years since the NTLM authentication protocol was introduced in Windows. NTLM relay is one of the best-known attacks against it: an attacker can act as the victim without knowing the victim's credentials. Microsoft has released many patches against it. Working exploits today usually involve two steps: one leaks the Net-NTLM hash of a victim, the other relays it to another machine.
In this presentation, we will introduce and detail two new attack vectors. The first is leaking the Net-NTLM hash from Chrome, whereas previous attacks targeting browsers could only affect IE/Edge. It can be chained with other services to achieve remote code execution without any interaction from the victim. The second is bypassing the MS08-068 patch under certain conditions and achieving direct remote code execution by relaying the Net-NTLM hash back to the machine itself. Finally, we will release a tool that can be used to launch these attacks automatically.