Kali Linux

ADFSRelay : Proof Of Concept Utilities Developed To Research NTLM Relaying Attacks Targeting ADFS

ADFSRelay is a repository includes two utilities NTLMParse and ADFSRelay. NTLMParse is a utility for decoding base64-encoded NTLM messages and printing information about the underlying properties and fields within the message. Examining these NTLM messages is helpful when researching the behavior of a particular NTLM implementation.

ADFSRelay is a proof of concept utility developed while researching the feasibility of NTLM relaying attacks targeting the ADFS service. This utility can be leveraged to perform NTLM relaying attacks targeting ADFS. We have also released a blog post discussing ADFS relaying attacks in more detail.

NTLMParse Usage

To use the NTLMParse utility you simply need to pass a Base64 encoded message to the application and it will decode the relevant fields and structures within the message. The snippet given below shows the expected output of NTLMParse when it is invoked:

➜  ~ pbpaste | NTLMParse
(ntlm.AUTHENTICATE_MESSAGE) {
 Signature: ([]uint8) (len=8 cap=585) {
  00000000  4e 54 4c 4d 53 53 50 00                           |NTLMSSP.|
 },
 MessageType: (uint32) 3,
 LmChallengeResponseFields: (struct { LmChallengeResponseLen uint16; LmChallengeResponseMaxLen uint16; LmChallengeResponseBufferOffset uint32; LmChallengeResponse []uint8 }) {
  LmChallengeResponseLen: (uint16) 24,
  LmChallengeResponseMaxLen: (uint16) 24,
  LmChallengeResponseBufferOffset: (uint32) 160,
  LmChallengeResponse: ([]uint8) (len=24 cap=425) {
   00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
   00000010  00 00 00 00 00 00 00 00                           |........|
  }
 },
 NtChallengeResponseFields: (struct { NtChallengeResponseLen uint16; NtChallengeResponseMaxLen uint16; NtChallengeResponseBufferOffset uint32; NtChallengeResponse []uint8; NTLMv2Response ntlm.NTLMv2_RESPONSE }) {
  NtChallengeResponseLen: (uint16) 384,
  NtChallengeResponseMaxLen: (uint16) 384,
  NtChallengeResponseBufferOffset: (uint32) 184,
  NtChallengeResponse: ([]uint8) (len=384 cap=401) {
   00000000  30 eb 30 1f ab 4f 37 4d  79 59 28 73 38 51 19 3b  |0.0..O7MyY(s8Q.;|
   00000010  01 01 00 00 00 00 00 00  89 5f 6d 5c c8 72 d8 01  |........._m\.r..|
   00000020  c9 74 65 45 b9 dd f7 35  00 00 00 00 02 00 0e 00  |.teE...5........|
   00000030  43 00 4f 00 4e 00 54 00  4f 00 53 00 4f 00 01 00  |C.O.N.T.O.S.O...|
   00000040  1e 00 57 00 49 00 4e 00  2d 00 46 00 43 00 47 00  |..W.I.N.-.F.C.G.|

Below is a sample NTLM AUTHENTICATE_MESSAGE message that can be used for testing:

TlRMTVNTUAADAAAAGAAYAKAAAACAAYABuAAAABoAGgBYAAAAEAAQAHIAAAAeAB4AggAAABAAEAA4AgAAFYKI4goAYUoAAAAPqfU7N7/JSXVfIdKvlIvcQkMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwAQQBDAHIAbwBzAHMAZQByAEQARQBTAEsAVABPAFAALQBOAEkARAA0ADQANQBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDrMB+rTzdNeVkoczhRGTsBAQAAAAAAAIlfbVzIctgByXRlRbnd9zUAAAAAAgAOAEMATwBOAFQATwBTAE8AAQAeAFcASQBOAC0ARgBDAEcAVQA0AEcASABPADAAOAA0AAQAGgBDAE8ATgBUAE8AUwBPAC4ATABPAEMAQQBMAAMAOgBXAEkATgAtAEYAQwBHAFUANABHAEgATwAwADgANAAuAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABQAaAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABwAIAIlfbVzIctgBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAABQaOHb4nG5F2JL1tA5kL+nKQXJSJLDWljeBv+/XlPXpCgAQAON+EDXYnla0bjpwA8gfVEgJAD4ASABUAFQAUAAvAHMAdABzAC4AYwBvAG4AdABvAHMAbwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4ALgBjAG8AbQAAAAAAAAAAAKDXom0m65knt1NeZF1ZxxQ=

ADFSRelay Usage

The single required argument for ADFSRelay is the URL of the ADFS server to target for an NTLM relaying attack. Three optional arguments are -debug to enable debugging mode, -port to define the port the service should listen on, and -help to display the help menu. An example help menu is given below:

➜  ~ ADFSRelay -h
Usage of ADFSRelay:
  -debug
     Enables debug output
  -help
     Show the help menu
  -port int
     The port the HTTP listener should listen on (default 8080)
  -targetSite string
     The ADFS site to target for the relaying attack (e.g. https://sts.contoso.com)
➜  ~
R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

1 day ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

1 day ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

1 day ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

1 day ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

1 day ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

1 day ago