Advanced Techniques — From Kali

Quick Reference

| Technique | Tool | Requirement | Impact |
|---|---|---|---|
| WebDAV Coercion → LDAP relay | ntlmrelayx + PetitPotam | WebClient running on target | RBCD, shadow creds, DA |
| gMSA password read | gMSADumper / nxc | Authorized principal | Lateral movement |
| Zerologon | cve-2020-1472 | Network access to DC (pre-patch) | Instant DA |
| noPac (CVE-2021-42278/42287) | noPac.py | Domain user | DA via KDC spoofing |
| LAPS read | nxc / ldapsearch | Read perm on ms-Mcs-AdmPwd | Local admin on target |
| LSASS dump (offline parse) | pypykatz | LSASS dump file | Credential extraction |
| KrbRelayUp pre-check | nxc ldap | Network access | Identify LDAP signing state |

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled. ...
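As an added defender-side check (not from the original post), this PowerShell function audits the settings that decide whether the relay path described above is viable: the WebClient service on a workstation, and LDAP signing / channel binding on a domain controller. The registry value and GPO setting names are Microsoft's documented ones; the function name and the report layout are assumptions of this example.

```powershell
# Added audit example, not from the original post. Run elevated; the LDAP
# checks only mean something on a domain controller.
function Get-RelayExposure {
    $findings = @()

    # 1. WebClient service: the coercion requirement in the table above.
    #    Stopped and Disabled means a WebDAV coercion cannot make this host
    #    authenticate over HTTP.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        $start  = (Get-CimInstance Win32_Service -Filter "Name='WebClient'").StartMode
        $status = if ($svc.Status -eq 'Running' -or $start -ne 'Disabled') { 'EXPOSED' } else { 'OK' }
        $findings += [pscustomobject]@{
            Check  = 'WebClient service'
            Value  = "$($svc.Status) / $start"
            Status = $status
            Fix    = 'Set-Service WebClient -StartupType Disabled; Stop-Service WebClient'
        }
    } else {
        $findings += [pscustomobject]@{ Check = 'WebClient service'; Value = 'not installed'; Status = 'OK'; Fix = '' }
    }

    # 2. LDAP signing on the DC: 2 = Require signing, which rejects the
    #    unsigned bind a relayed HTTP authentication would produce.
    $ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ldapSign = (Get-ItemProperty $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $value    = if ($null -eq $ldapSign) { 'not set (default: not required)' } else { $ldapSign }
    $status   = if ($ldapSign -eq 2) { 'OK' } else { 'EXPOSED' }
    $findings += [pscustomobject]@{
        Check  = 'LDAPServerIntegrity'
        Value  = $value
        Status = $status
        Fix    = 'GPO: Domain controller: LDAP server signing requirements = Require signing'
    }

    # 3. LDAPS channel binding: 2 = Always, the TLS-side counterpart to signing.
    $cbt    = (Get-ItemProperty $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    $value  = if ($null -eq $cbt) { 'not set (default)' } else { $cbt }
    $status = if ($cbt -eq 2) { 'OK' } else { 'EXPOSED' }
    $findings += [pscustomobject]@{
        Check  = 'LdapEnforceChannelBinding'
        Value  = $value
        Status = $status
        Fix    = "Set-ItemProperty '$ntds' -Name LdapEnforceChannelBinding -Value 2"
    }

    return $findings
}

Get-RelayExposure | Format-Table -AutoSize -Wrap
```

Any row reporting EXPOSED on a DC is a host where the KrbRelayUp pre-check in the table above would also report LDAP signing as not enforced.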

11 min · MrAzoth