by cjcampbell
3568 days ago
The explanation is somewhat convoluted, but I believe they're impersonating a Windows server and convincing the target to send NTLMv2 credentials for the logged-in user. Haven't looked at the protocols for a bit, but there may be some restrictions on when you're able to use this attack vector, e.g., local file sharing permitted, domain member, etc. I'm thinking our intern might be willing to test out a few more theories and put together a more comprehensive blog post.