THREAT OPS › Threat News › ghostsurf: From NTLM Relay to Browser Session Hijacking
ghostsurf: From NTLM Relay to Browser Session Hijacking
<p class="wp-block-paragraph"><em><strong>TL;DR:</strong> <code>ntlmrelayx</code>‘s SOCKS proxy works great for SMB and MSSQL but fails when you try to browse a web application through it – I dug into why, found several fundamental issues with how it handles HTTP, built <code>ghostsurf</code> to fix them, and along the way, discovered (and circumvented) some undocumented Windows kernel
MITRE ATT&CK techniques
Indicators of compromise
- e0ee04237af2fa58a525dbd63888894f62195f0asha1
- 5c6fe3db626b63a384230a1aa6b92ac416b0765fsha1
- https://docs.cyberark.com/pam-self-hosted/latest/en/content/pas%20inst/windows-authentication.htmurl
- https://cyberark.target.local/>url
- https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/url