https://fonetone.org/posts/Recent content in Posts on fonetoneHugoen-usTue, 24 Feb 2026 05:55:55 +0100https://fonetone.org/posts/ntlmv1-must-die/Tue, 24 Feb 2026 05:55:55 +0100https://fonetone.org/posts/ntlmv1-must-die/<div class="toc"> <details open> <summary><strong>Table of Contents</strong></summary> <nav id="TableOfContents"> <ul> <li><a href="#foreword">Foreword</a></li> <li><a href="#ntlmv1-authentication-flow">NTLMv1 Authentication Flow</a></li> <li><a href="#ntlm-relay-attack">NTLM Relay Attack</a> <ul> <li><a href="#scenario-1-smb-signing-is-not-required">Scenario 1: SMB Signing is NOT Required</a></li> <li><a href="#scenario-2-smb-signing-is-required">Scenario 2: SMB Signing is Required</a></li> </ul> </li> <li><a href="#the-loophole">The Loophole</a> <ul> <li><a href="#tampering-is-caring">Tampering is Caring</a></li> </ul> </li> <li><a href="#message-integrity-code-aka-mic">Message Integrity Code aka MIC</a> <ul> <li><a href="#drop-the-mic">Drop the MIC</a></li> <li><a href="#drop-the-mic-2">Drop the MIC 2</a></li> </ul> </li> <li><a href="#extended-protection-for-authentication-aka-epa">Extended Protection for Authentication aka EPA</a> <ul> <li><a href="#epa-under-attack">EPA Under Attack</a></li> </ul> </li> </ul> </nav> </details> </div> <img src="https://fonetone.org/imgs/ntlmv1-must-die-monitor.png" alt="ntlm-must-die-cover" style="max-width: 75%;"> <h1 id="foreword">Foreword</h1> <p>I know the internet is already drowning in NTLM authentication articles. So, if you’re thinking this post might be just another drop in that ocean, I get it — and I’m sorry to disappoint. But for the newcomers or anyone still tangled in the protocol’s quirks, this might just be the lifebuoy you need. Also, I won’t be plunging into the technical details; people far smarter than I am already did, so I kindly recommend you check their work. I am merely putting into my own words something that&rsquo;s been explained countless times, to help me understand it better, and hopefully, it helps you too.</p>https://fonetone.org/posts/hierarchy-takeover-via-ntlm-coercion-and-relay-over-smb-to-remote-site-database/Fri, 20 Feb 2026 07:00:55 +0100https://fonetone.org/posts/hierarchy-takeover-via-ntlm-coercion-and-relay-over-smb-to-remote-site-database/<div class="toc"> <details open> <summary><strong>Table of Contents</strong></summary> <nav id="TableOfContents"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#the-meat-and-potatoes">The Meat and Potatoes</a></li> <li><a href="#i-am-service">I am Service</a></li> <li><a href="#gimme-db">Gimme DB</a></li> </ul> </nav> </details> </div> <h1 id="introduction">Introduction</h1> <img src="https://fonetone.org/imgs/sccm-is-mysterious-and-important.png" alt="ntlm2mssql-switch-roles-artwork" style="max-width: 55%;"> <p>I&rsquo;m gonna have soon to come up with acronyms for those titles, it&rsquo;s getting out of hand. Don&rsquo;t panic tho, it sounds far more complicated than it actually is! It&rsquo;s very similar to what was already covered in <a href="https://fonetone.org/posts/hierarchy-takeover-via-ntlm-coercion-and-relay-to-mssql/">this post</a>, except that this time we relay over SMB instead of LDAP. Additionally, we will be talking to the DB directly as the Primary Site Server, instead of using a user account. So basically a machine talking to another machine, what could go wrong, right?</p>https://fonetone.org/posts/hierarchy-takeover-via-ntlm-coercion-and-relay-to-mssql/Sun, 15 Feb 2026 16:15:55 +0100https://fonetone.org/posts/hierarchy-takeover-via-ntlm-coercion-and-relay-to-mssql/<div class="toc"> <details open> <summary><strong>Table of Contents</strong></summary> <nav id="TableOfContents"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#minutiae">Minutiae</a></li> <li><a href="#the-meat-and-potatoes">The Meat and Potatoes</a></li> <li><a href="#road-to-system">Road to SYSTEM</a></li> <li><a href="#sccm-admin-sid-hijacking">SCCM Admin SID Hijacking</a></li> </ul> </nav> </details> </div> <h1 id="introduction">Introduction</h1> <img src="https://fonetone.org/imgs/sccm-is-mysterious-and-important.png" alt="ntlm2mssql-switch-roles-artwork" style="max-width: 55%;"> <p>This post is part of a series on SCCM exploitation. If you haven&rsquo;t yet, don&rsquo;t miss <strong><a href="https://fonetone.org/posts/sccm-range-deployment/">SCCM Range Deployment</a></strong> — it&rsquo;s like setting up your own SCCM sandbox, minus the sand in your underwear.</p> <p>At the end of this post, you will know how to coerce a SCCM Primary Site Server into authenticating against you, and relay that authentication back to the Server Site Database.</p>https://fonetone.org/posts/sccm-range-deployment/Sat, 14 Feb 2026 07:42:50 +0100https://fonetone.org/posts/sccm-range-deployment/<div class="toc"> <details open> <summary><strong>Table of Contents</strong></summary> <nav id="TableOfContents"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#create-the-range">Create the Range</a></li> </ul> </nav> </details> </div> <h1 id="introduction">Introduction</h1> <img src="https://fonetone.org/imgs/ludus-deploy.png" alt="ludus-deploy" style="max-width: 75%;"> <p>If you’ve never heard of <a href="https://docs.ludus.cloud/">Ludus</a>, I almost feel bad for you. Because once you know, there’s no going back. This absolute game-changer is about to save you HOURS, and I’m basically your hero for telling you about it. You’re welcome. I&rsquo;ve just changed your life, so feel free to name your firstborn after me.</p> <p>Now, let&rsquo;s give credit when credit is due. Who built that thing?</p>