>However, even when this attack is blocked over the internet, it is very rarely blocked over LAN, meaning it could be used as a method of pivoting within networks.
That's frightening, and I wonder if there are any exploits in the wild which do just that?
Most exploits don't actually need to be all that crafty. They just ask someone to click a link and run some JavaScript. Could someone use this to pivot in a network? Yes. Almost every large enterprise has bigger problems than this.
People need to be looking at the new model that they came up with for Windows 10 and Azure AD join if they want to stay on Windows clients. The traditional domain model makes the potential impact of breach far too widespread. Windows Server AD should be used as a server management technology with resources being in resource domains that are just big enough to manage things that are related as a unit. Everybody and everything in the same domain is an antipattern nowadays because of credential theft techniques. Most places don't have the expertise to maintain AD. It's too complicated and the loss of a single domain admin cred means that you have to rebuild it if you want to get back to a trustworthy state.
Resource forests, if you want actual security boundaries. Domains aren't security boundaries.
Having said that, some good old fashioned network segmentation would be a "win", too. Default deny ACLs should be the norm, and hosts should only be able to communicate with hosts they actually need to, full stop. (The reactions I get from developers, however, are typically less than pleasant when they learn that environments I administer have such policies.)
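Added example, not from the thread or any of the commenters: what the default-deny, "only talk to what you need" policy above looks like as a Windows Defender Firewall egress baseline on a workstation, built with the NetSecurity cmdlets. It also gives the SMB egress filtering a later comment asks for, since outbound 445/139 to anything but the listed servers is simply never allowed. The addresses (file servers in 10.0.10.0/24, DCs 10.0.1.10 and 10.0.1.11, a proxy at 10.0.20.5) and the rule names are assumptions for illustration; a real workstation baseline needs more allows (RPC for Group Policy, NTP, etc.) than this skeleton shows.

```powershell
# Added example (hypothetical addresses), not code from the thread.
# Default-deny outbound host firewall with a short list of explicit allows.
# Run elevated. Try it on a lab box first: a mistake here locks the host out.

$FileServers       = '10.0.10.0/24'                 # assumed file-server subnet
$DomainControllers = @('10.0.1.10', '10.0.1.11')    # assumed DCs
$WebProxy          = '10.0.20.5'                    # assumed outbound proxy

# 1. Make "deny" the profile default rather than a broad block rule.
#    Block rules beat allow rules in Windows Firewall, so a catch-all block
#    rule would also override the allows created below.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Explicit allows, each scoped to the narrowest remote address that works.
New-NetFirewallRule -DisplayName 'Egress: DNS to DCs' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DomainControllers -Action Allow
New-NetFirewallRule -DisplayName 'Egress: DNS/TCP to DCs' -Direction Outbound `
    -Protocol TCP -RemotePort 53 -RemoteAddress $DomainControllers -Action Allow
New-NetFirewallRule -DisplayName 'Egress: Kerberos to DCs' -Direction Outbound `
    -Protocol TCP -RemotePort 88 -RemoteAddress $DomainControllers -Action Allow
New-NetFirewallRule -DisplayName 'Egress: LDAP/LDAPS/GC to DCs' -Direction Outbound `
    -Protocol TCP -RemotePort 389, 636, 3268, 3269 -RemoteAddress $DomainControllers -Action Allow
# SMB only to DCs (SYSVOL/NETLOGON) and the file servers, nowhere else.
New-NetFirewallRule -DisplayName 'Egress: SMB to DCs and file servers' -Direction Outbound `
    -Protocol TCP -RemotePort 445 -RemoteAddress ($DomainControllers + $FileServers) -Action Allow
# Web goes through the proxy, so no direct 80/443 to the Internet is needed.
New-NetFirewallRule -DisplayName 'Egress: HTTP(S) via proxy' -Direction Outbound `
    -Protocol TCP -RemotePort 8080 -RemoteAddress $WebProxy -Action Allow

# 3. Belt and braces: an explicit block for SMB/NetBIOS toward Internet
#    addresses, so the egress filter survives if someone later flips the
#    profile default back to Allow.
New-NetFirewallRule -DisplayName 'Egress: block SMB to Internet' -Direction Outbound `
    -Protocol TCP -RemotePort 139, 445 -RemoteAddress Internet -Action Block
New-NetFirewallRule -DisplayName 'Egress: block NetBIOS to Internet' -Direction Outbound `
    -Protocol UDP -RemotePort 137, 138 -RemoteAddress Internet -Action Block

# 4. Check what is now in force.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Egress:*' |
    Get-NetFirewallPortFilter |
    Select-Object @{n = 'Rule'; e = { ($_ | Get-NetFirewallRule).DisplayName } }, Protocol, RemotePort
```

The point of the explicit SMB allow list is that a relayed or captured NTLM exchange needs the client to reach an attacker-controlled SMB listener; with outbound 445 limited to known servers, a rogue share on the LAN or on the Internet never gets the connection in the first place. Push the same rules out by Group Policy rather than per host once they are proven on a pilot group.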
True dat. I've gotten where I use forest and domain interchangeably even though what you say is true. I only advise people to build single-forest, single-domain environments these days. Complex forest topologies are also a bad thing.
Getting a hash is rather simple, if you already have access to the LAN, assuming you are able to redirect traffic or insert yourself between the target user and the network (say, a false Wi-Fi AP):
I'm generally not much of a fan of firewalls (precisely because they by definition set up a "soft core" that's assumed to be safe) - but egress filtering of SMB packets is unfortunately necessary if you have Windows (and/or SMB/CIFS) clients on your network. I would much rather only run boxes that are "fit for the Internet" - but that's been rather difficult to do with Windows for the past decades.
In fairness, Microsoft has made a number of improvements - but still not enough.
It would be nice if there was an easy way to set up the network so all clients used only Kerberos 5, and only sent credentials to Kerberos principals in a trusted domain. As far as I know, there is no such easy way.
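Added example, not from the thread or any commenter: the closest thing Windows offers to "Kerberos only" is the Restrict NTLM policy, and this shows how to roll it out on a client without breaking the things that still need NTLM. The registry paths and value names are the ones behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" Group Policy settings; the legacy NAS named nas01 on the exception list is a hypothetical stand-in for whatever in your estate still can't do Kerberos.

```powershell
# Added example, not code from the thread. Run elevated on a test client
# first; the same values are normally delivered by Group Policy.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = Join-Path $Lsa 'MSV1_0'

# 1. Never answer with LM or NTLMv1. 5 = "Send NTLMv2 response only.
#    Refuse LM & NTLM". This does not stop NTLM, it only removes the
#    weakest variants.
Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord

# 2. Audit before you block. RestrictSendingNTLMTraffic:
#      0 = allow all, 1 = audit all, 2 = deny all (except listed servers).
#    Audit hits are event 8001 in Microsoft-Windows-NTLM/Operational and
#    tell you which targets still authenticate with NTLM.
Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# 3. Exceptions that survive the switch to deny: the hypothetical NAS.
#    MultiString, one server name per element (wildcards are allowed).
Set-ItemProperty -Path $Msv10 -Name ClientAllowedNTLMServers -Value @('nas01') -Type MultiString

# 4. Once the audit log is quiet, or every hit is on the exception list,
#    uncomment this to refuse outgoing NTLM to everything else.
# Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord

# 5. Close the LAN-side capture path: LLMNR lets any host on the segment
#    answer for a mistyped name and collect the NTLM challenge/response.
$DnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $DnsPolicy -Force | Out-Null
Set-ItemProperty -Path $DnsPolicy -Name EnableMulticast -Value 0 -Type DWord

# 6. Require SMB signing on the client side so a relayed session cannot be
#    driven without the session key.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 7. Review: what is configured, and who is still talking NTLM.
Get-ItemProperty -Path $Msv10 |
    Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
Get-ItemProperty -Path $Lsa | Select-Object LmCompatibilityLevel
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8001 |
    Select-Object TimeCreated, Message
```

Leave the client in audit mode for at least one full business cycle (month-end jobs and the like surface late), and treat every 8001 event as either a Kerberos migration ticket or an entry on the exception list. Note that this restricts NTLM sent by this client; servers and domain controllers have their own Restrict NTLM settings for incoming and domain traffic.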
Sure, NTLM relaying is standard pentest/attacker tooling and just this month Microsoft addressed two issues where NTLM vulnerabilities can lead to full domain compromise (in the worst case).