LDAP Signing and Channel Binding Explained

Introduction We have covered LLMNR/NBT-NS Poisoning (how to obtain credentials from an Adversary-in-the-Middle (AitM) position) and how SMB signing prevents those credentials from being relayed over SMB. We will now explore a similar concept, but this time focusing on the Lightweight Directory Access Protocol (LDAP). We will start by explaining what LDAP is and then have a look at the mechanisms that prevent relaying over it. We will keep our scope intentionally tight and won’t cover any unrelated aspects such as LDAP syntax. ...

July 1, 2026 · mollysec

SMB Signing and NTLM Relay Explained

Introduction In the first article, we talked about LLMNR/NBT-NS Poisoning and saw how it can be used to capture an NTLMv2 hash. This naturally leads to the next question: what can we do with that hash? Things are straightforward when the captured hash is weak and can be recovered, but what happens when it is not? What options do we have then? Instead of diving straight into NTLM relay, this article focuses on laying the necessary foundations first. We will focus on identifying where an NTLM relay attack is actually possible and, more importantly, why that is the case. For now, we will exclusively talk about relaying over SMB, which requires understanding SMB signing. LDAP signing will be the topic of the next article. ...

June 24, 2026 · mollysec