Hi,
so today we will start from the end, yea… TL;DR: NTLM and Kerberos relays just got a spicy new variant. Microsoft “fixed” it back in 2008. And yet… it’s 2025, and attackers are relaying back to localhost like it’s a LAN party. Again. Let’s break it down.
☠️ Relay: The Classic That Won’t Die
If you’ve worked with Active Directory even once in your life, you’ve probably heard of NTLM relay. If you haven’t—congrats, your blood pressure is still in check.
But beyond NTLM, there’s the newer, sassier cousin: Kerberos relay. And no, we’re not talking just about SMB anymore. We’re talking HTTP, RPC, MSSQL, LDAP, WinRM—you name it.
Still think “Relay = SMB attack”? Welcome to 2025, grab a chair and a hardened endpoint. Relay is now a buffet of protocols—and attackers are very, very hungry.
🔁 What Is Reflective Relay?
Let’s rewind to MS08-068—Microsoft’s original “no, you can’t attack yourself” patch. The whole point was to block a system from relaying its own authentication back at itself via NTLM.
The good old days of LNK files dropped on shared SMB folders were fading. You couldn’t just click a poisoned shortcut and elevate to SYSTEM via reflective relay anymore.
Until now.
🔍 Enter CVE-2025-33073: Ghost of Relays Past
Vulnerability: Improper handling of reflective NTLM and Kerberos traffic
Disclosure: June 11, 2025
MSRC: CVE-2025-33073
Researchers finally broke the ancient seal. Turns out, you can trick a Windows machine into relaying its own authentication tokens—again. Why? Because someone at Microsoft probably thought localhost was immune to DNS shenanigans. Spoiler: it’s not.
The exploit abuses crafted DNS hostnames and authentication coercion via SMB. Think:
Yes, that’s a real hostname. No, it’s not a typo. Yes, your DNS server will swallow it without blinking.
🧪 What Changed Since 2021?
Actually, everything started with a Google Project Zero paper back in 2021. It laid out the blueprint for Kerberos relay, but at the time, it was theoretical—no exploit, just theory.
Fast-forward to June 2025, and two teams drop bombshells:
- RedTeam Pentesting explains how reflective Kerberos relay works in the real world. 🔗
- Synacktiv follows up with a juicy NTLM flavor of the same thing. 🔗
Now we’ve got working PoCs, attack chains, and a reason to recheck every audit we did since 2008.
🔧 Attack Chain, Simplified
- User opens a malicious LNK file or coerced request via HTTP/SMB/LDAP.
- Their own machine sends credentials via NTLM or Kerberos.
- The attacker tricks the machine into authenticating to itself using a poisoned hostname.
- Boom: privilege escalation, token theft, or remote command execution. Take your pick.
🔥 Why It Matters (a Lot)
- Firewall rules? Overwritten.
- NTLM restrictions? Bypassed.
- Domain controllers? Potentially exposed.
- Logged events? Mostly silent unless you dig deep.
Remember: it’s not just one protocol. It’s the entire auth stack exposed. And Microsoft admits: the protections against self-auth aren’t universal.
🛡 How to Defend (for Real This Time)
Microsoft’s “fix” in 2008 didn’t age well. But you can still harden things with modern tools:
✅ Immediate Actions
- Block ms-smb and ms-ldap outbound to self via firewall rules.
- Enable Extended Protection for Authentication (EPA) across endpoints.
- Disable NTLM where possible—yes, it’s painful. But necessary.
🔍 Detection
- Monitor for unusual DNS requests with long, binary-looking subdomains.
- Look for Kerberos AS-REQs to local IPs.
- Review your logs for loopback authentication traffic.
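The two log-review checks above, as an added example in Python that is not part of the original post. Everything in it is constructed for the demonstration: the DNS query log line format (`<timestamp> <client-ip> <queried-name>`), the trimmed-down logon event record, and every sample line. The DNS heuristic flags a label of 32+ characters that mixes upper-case, lower-case and digits (what encoded binary data looks like); the logon check flags successful network logons whose source address is the machine itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS query log lines ("<timestamp> <client-ip> <queried-name>");
# the format is an assumption for this example, not any particular resolver's log.
SAMPLE_DNS_QUERIES = [
    "2025-06-12T09:00:01Z 10.0.0.15 fileserver01.corp.example",
    "2025-06-12T09:00:02Z 10.0.0.15 dc01.corp.example",
    "2025-06-12T09:00:03Z 10.0.0.22 very-long-but-legitimate-hostname-app01.corp.example",
    "2025-06-12T09:00:05Z 10.0.0.22 AbC1dEf2GhI3jKl4MnO5pQr6StU7vWx8YzA9bCd0EfG1hIj2.corp.example",
]


def label_character_classes(label: str) -> set[str]:
    """Return which character classes (upper, lower, digit, other) a DNS label uses."""
    classes = set()
    for ch in label:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def is_binary_looking(label: str, min_len: int = 32) -> bool:
    """Heuristic for the 'long, binary-looking subdomain' bullet.

    Encoded binary data (base64-style) produces long labels that mix upper-case,
    lower-case and digits. Ordinary hostnames are lower-case words with a few
    digits, so a long label is only flagged when all three classes are present.
    """
    if len(label) < min_len:
        return False
    return {"upper", "lower", "digit"} <= label_character_classes(label)


def find_suspicious_dns_queries(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client-ip, queried-name) for every query containing a binary-looking label."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        _timestamp, client, name = parts
        if any(is_binary_looking(label) for label in name.split(".")):
            findings.append((client, name))
    return findings


@dataclass
class LogonEvent:
    """Subset of Windows Security event fields used here (constructed records, not real logs)."""
    event_id: int
    logon_type: int
    auth_package: str
    source_ip: str
    account: str


SAMPLE_LOGON_EVENTS = [
    LogonEvent(4624, 2, "Negotiate", "-", "CORP\\alice"),         # interactive logon, no network source
    LogonEvent(4624, 3, "Kerberos", "10.0.0.15", "CORP\\alice"),  # network logon from a remote host
    LogonEvent(4624, 3, "NTLM", "127.0.0.1", "CORP\\alice"),      # network logon arriving from loopback
    LogonEvent(4624, 3, "Kerberos", "::1", "CORP\\svc-backup"),   # same thing over IPv6 loopback
    LogonEvent(4624, 3, "Kerberos", "10.0.0.22", "CORP\\bob"),
]


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 and ::1; non-address values such as '-' are not loopback."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def find_loopback_network_logons(events: list[LogonEvent]) -> list[LogonEvent]:
    """Successful network (type 3) logons whose source address is the machine itself."""
    return [
        e for e in events
        if e.event_id == 4624 and e.logon_type == 3 and is_loopback(e.source_ip)
    ]


if __name__ == "__main__":
    for client, name in find_suspicious_dns_queries(SAMPLE_DNS_QUERIES):
        print(f"suspicious DNS query from {client}: {name}")
    for e in find_loopback_network_logons(SAMPLE_LOGON_EVENTS):
        print(f"loopback network logon: {e.account} via {e.auth_package} from {e.source_ip}")
```

Two design points worth keeping in mind when adapting this. The logon filter keys on logon type 3 on purpose: interactive logons routinely record an empty or loopback source address, so filtering on the address alone drowns you in noise, and even some local services legitimately produce type 3 loopback logons, so baseline a host before alerting on every hit. On the domain controller, the same `is_loopback` test can be applied to the client address recorded on Kerberos ticket-request events (Event ID 4768), which covers the AS-REQ bullet.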
🔧 Bonus Hardening
- Block C$, ADMIN$, and LNK auto-execution in GPOs.
- Audit DNS for weird hostnames that shouldn’t resolve.
- Consider ripping out legacy protocols like SMBv1 if you haven’t already. (Seriously.)
🤡 A Final Note on the Absurd
Microsoft: “We fixed that in 2008.”
Hackers in 2025: “Cute. Watch this.”
🔥 Sources You Should Actually Read
So yeah. Reflective Relay is back. And this time, it brought a Kerberos ticket.