NTLM Relay is a classic attack against Windows systems. Although it was first described many years ago, it remains a hot topic among red teams, especially in Active Directory environments. Exchange Server, as one of the most widely deployed mail servers in the world, has also drawn growing attention from attackers: in recent years a number of high-impact Exchange 0days have been found, and some have been exploited in the wild.
What will happen when Exchange Server meets with NTLM Relay?
In this talk, I will uncover a little-known NTLM relay attack surface of Exchange Server. This attack surface stems from an architectural design issue in Exchange cluster environments, and it affects about 60% of the Exchange frontend endpoints and 70% of the Exchange backend endpoints. By exploiting these vulnerabilities, an attacker can take over any Exchange user's mailbox and gain the ability to read emails, send emails, download attachments, and more. Some of these vulnerabilities can also lead to RCE on the Exchange Server itself.
I'll walk you through all of these vulnerabilities in this talk, including their root causes, how to exploit them, the patches and patch bypasses, and what you can do to protect your own Exchange Servers.