Quentin Roland

Quentin Roland is a 28-year-old pentester who has worked for a bit more than 3 years at Synacktiv, a French firm dedicated to offensive information security.

He enjoys working on Active Directory, releasing open-source exploitation tools and enhancing existing tooling. He has worked on known, trendy Active Directory exploitation primitives as well as on more obscure research topics.


Session

09-05
14:15
30min
Old Tricks, New Depths: Exploring the Hidden Relaying Capabilities of Local Name Resolution Poisoning
Quentin Roland

Local name resolution poisoning attacks are almost as old as Active Directory itself – and yet, the magic of backward compatibility in Windows environments keeps them effective in 2025.

One of the very first offensive actions carried out by an attacker with access to an internal network is to attempt to exploit the LLMNR, mDNS or NBNS protocols, which are still enabled by default today, in order to gain an authenticated foothold in the Active Directory infrastructure.

To the pentesters who think that local name resolution attacks are well-known exploit primitives with no more surprises in store for us – this presentation is here to prove you wrong. We will dive into two recently introduced techniques that enhance the NTLM and Kerberos relaying capabilities of local name resolution poisoning, and into their implementation in open-source tools such as Responder and krbrelayx.

Discover how to trick Windows SMB clients into falling back to WebDAV HTTP authentication, which does not implement signing, or how to perform Kerberos relaying through LLMNR, all illustrated by concrete exploit demonstrations!
