LDAP Signing and Channel Binding Explained

Introduction We have covered LLMNR/NBT-NS Poisoning (how to obtain credentials from an Adversary-in-the-Middle (AitM) position) and how SMB signing prevents those credentials from being relayed over SMB. We will now explore a similar concept, but this time focusing on the Lightweight Directory Access Protocol (LDAP). We will start by explaining what LDAP is and then have a look at the mechanisms that prevent relaying over it. We will keep our scope intentionally tight and won’t cover any unrelated aspects such as LDAP syntax. ...

July 1, 2026 · mollysec

SMB Signing and NTLM Relay Explained

Introduction In the first article, we talked about LLMNR/NBT-NS Poisoning and saw how it can be used to capture an NTLMv2 hash. This naturally leads to the next question: what can we do with that hash? Things are straightforward when the captured hash is weak and can be recovered, but what happens when it is not? What options do we have then? Instead of diving straight into NTLM relay, this article focuses on laying the necessary foundations first. We will focus on identifying where an NTLM relay attack is actually possible and, more importantly, why that is the case. For now, we will exclusively talk about relaying over SMB, which requires understanding SMB signing. LDAP signing will be the topic of the next article. ...

June 24, 2026 · mollysec

LLMNR/NBT-NS Poisoning Explained

Introduction LLMNR/NBT-NS Poisoning is one of the most consistent vulnerabilities I come across during internal tests. Even if the name does not ring a bell, chances are you have, at some point in a lab, launched Responder hoping to capture a hash: If that’s the case, you are already familiar with the attack, but have never really taken the time to explore what is actually happening behind the scenes. Under the right conditions, this attack vector can result in getting an NTLMv2 hash which can be recovered or relayed (e.g. combined with something such as the lack of SMB signing). It can be our way from: ...

June 20, 2026 · mollysec