
Your Session Key Is My Session Key: How to Retrieve the Session Key for Any Authentication

Blog post from CrowdStrike

Post Details
Word Count: 2,515
Language: English
Summary

The blog post discusses a critical vulnerability in the NTLM authentication protocol used in Active Directory environments, discovered by researchers at Preempt (now part of CrowdStrike). The vulnerability allows attackers to retrieve the session key for any authentication attempt, enabling them to establish signed sessions against servers without proper authorization. Although mitigations such as server signing were introduced to defend against NTLM relay attacks, the vulnerability persisted until a recent Microsoft security update. The post emphasizes the importance of patching systems, enabling server and LDAP signing, and reducing the use of NTLM to minimize risk. It also notes that the vulnerability affects all Windows versions and provides steps to secure environments against such attacks.