What Is a Pass-Back Attack?
A Pass-Back Attack is an authentication relay attack in which an attacker intercepts an NTLM authentication exchange and relays it back to the originating system, effectively authenticating as the victim without ever cracking the credentials.
🛠️ How Does It Work?
1️⃣ Victim Attempts Authentication
- A user unknowingly connects to an attacker-controlled server (e.g., via SMB, HTTP, or WebDAV).
- The attacker's system prompts for NTLM authentication.
2️⃣ Attacker Captures the NTLM Challenge-Response
- Instead of cracking the captured challenge-response, the attacker relays it back to the victim's machine, or to another system in the domain that trusts the victim's credentials.
3️⃣ Victim Authenticates Itself
- Since many domain-joined machines trust each other, the relayed credentials allow the attacker to authenticate as the victim without knowing their password.
4️⃣ Access Granted
- The attacker now has access to the victim’s machine or other network resources as the victim.
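The four steps above describe the relay from the attacker's side; the defender's view of the same sequence is a network (type 3) NTLM logon on the target whose claimed workstation name does not line up with where the connection actually came from, and in the "relay back to the originating system" case, a logon to the very host the workstation name claims to be. The following detection script is an added example written for this page, not code from the original post. It assumes a constructed host inventory and a constructed, flattened `key=value` rendering of Windows Security event 4624 fields (real events carry them as "Workstation Name", "Source Network Address", "Authentication Package", and so on); both are assumptions, not real logs.

```python
"""Added example: flag NTLM network logons that look like relay/pass-back.

Heuristic: a 4624 event with LogonType 3 and AuthPackage NTLM whose
Workstation name does not map to the SourceIP in the host inventory, or
whose Workstation equals the Target host (a reflection back to the origin).
"""
import re
from typing import Dict, List

# Constructed inventory (hostname -> expected IP). Assumption for this example.
INVENTORY: Dict[str, str] = {
    "WS01": "10.0.0.11",
    "WS02": "10.0.0.12",
    "FS01": "10.0.0.50",
}

# Constructed sample events in a flattened key=value form (assumption; not real
# event log output). Line 2 models a relay back to the originating host.
SAMPLE_EVENTS: List[str] = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=alice Workstation=WS01 SourceIP=10.0.0.11 Target=FS01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=alice Workstation=WS01 SourceIP=10.0.0.99 Target=WS01",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=bob Workstation=WS02 SourceIP=10.0.0.12 Target=FS01",
    "EventID=4624 LogonType=2 AuthPackage=NTLM TargetUser=carol Workstation=WS02 SourceIP=- Target=WS02",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_ntlm_network_logon(ev: Dict[str, str]) -> bool:
    """Only type 3 (network) logons negotiated with NTLM are relay candidates."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "3"
        and ev.get("AuthPackage") == "NTLM"
    )


def find_relay_candidates(lines: List[str], inventory: Dict[str, str]) -> List[dict]:
    """Return one finding per suspicious NTLM logon with the reasons it tripped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_ntlm_network_logon(ev):
            continue
        ws, src, tgt = ev.get("Workstation"), ev.get("SourceIP"), ev.get("Target")
        reasons = []
        expected = inventory.get(ws)
        if expected is None:
            reasons.append(f"workstation {ws} not in inventory")
        elif expected != src:
            # The client claims to be `ws`, but the packets came from elsewhere.
            reasons.append(f"workstation {ws} expected from {expected}, seen from {src}")
        if ws == tgt:
            # Authenticating to the host you claim to be: the pass-back pattern.
            reasons.append(f"logon to {tgt} from a client claiming to be {tgt}")
        if reasons:
            findings.append({"user": ev.get("TargetUser"), "target": tgt, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(SAMPLE_EVENTS, INVENTORY):
        print(f["user"], "->", f["target"], ";", "; ".join(f["reasons"]))
```

On the constructed sample only the second event is reported: the workstation claims to be WS01 but the connection arrives from an address the inventory does not associate with WS01, and the logon target is WS01 itself. The inventory mapping is the weak point of this heuristic; DHCP churn, VPN pools and NAT all produce mismatches that are not relays, so the check is a triage signal to pair with the actual mitigations, which are SMB signing and Extended Protection for Authentication on the services that accept NTLM.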
Printer Hacking
Printers in Active Directory (AD) environments often authenticate users via SMB or HTTP, which makes them a prime target for Pass-Back Attacks. Attackers abuse printer-related authentication mechanisms to relay NTLM credentials and gain unauthorized access.
How Does This Work?
1️⃣ 🖨️ Printer Asks for Authentication
- Many network printers require authentication for features like scanning to a network share or accessing print logs.