NTLM vulnerabilities that allow remote code execution on any Windows machine

In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. It is Microsoft's older authentication protocol, replaced as the default by Kerberos starting with Windows 2000. It was designed and implemented by Microsoft engineers to authenticate accounts between Windows machines and servers.

The challenge with having NTLM in your network is that it is easily exploitable and puts an organization at risk of a breach. These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine, or to authenticate to any web server that supports Windows Integrated Authentication, such as Exchange or ADFS (Active Directory Federation Services).

Attack Details

NTLM is susceptible to relay attacks, which allow an actor to capture an authentication and relay it to another server, gaining the ability to perform operations on that server with the authenticated user's privileges. NTLM relay is one of the most common attack techniques used in Active Directory environments: the attacker compromises one machine, then moves laterally to other machines by relaying the NTLM authentications directed at the compromised server.
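A defender's starting point for the relay problem is to know where NTLM network authentication is still happening. The following PowerShell function is an added example, not code from the original post: it reads logon events (ID 4624) from the local Security log, keeps only NTLM network logons (logon type 3, the kind a relay produces on the target), and groups them by NTLM version, account, workstation and source address, so unexpected NTLM sources and remaining NTLMv1 clients stand out. The EventData field names are the real ones carried by event 4624; the 24-hour window and the 5000-event cap are assumptions and need an elevated prompt to read the Security log.

```powershell
# Added example: inventory of NTLM network logons from the local Security log.
# Field names (AuthenticationPackageName, LmPackageName, TargetUserName, ...)
# are those of the 4624 EventData payload. Window and cap are assumptions.
function Get-NtlmLogonInventory {
    param(
        [int] $Hours     = 24,    # assumed look-back window
        [int] $MaxEvents = 5000   # assumed cap to keep the query bounded
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep NTLM authentications only; logon type 3 = network logon
        if ($data['AuthenticationPackageName'] -ne 'NTLM' -or $data['LogonType'] -ne '3') { continue }

        [pscustomobject]@{
            Version     = $data['LmPackageName']   # 'NTLM V1' or 'NTLM V2'
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }

    # Collapse repeated logons into one row per (version, account, workstation, source)
    $rows | Group-Object Version, Account, Workstation, SourceIp | ForEach-Object {
        [pscustomobject]@{
            Count       = $_.Count
            Version     = $_.Group[0].Version
            Account     = $_.Group[0].Account
            Workstation = $_.Group[0].Workstation
            SourceIp    = $_.Group[0].SourceIp
        }
    } | Sort-Object Version, Count -Descending
}

Get-NtlmLogonInventory | Format-Table -AutoSize
```

Run it on domain controllers and on any server that accepts NTLM (file servers, Exchange, ADFS): a row whose source address does not match the workstation name it claims, or a burst of network logons for one account arriving from a single host, is the shape an NTLM relay leaves in the target's log. Rows with `NTLM V1` are the clients that must be fixed before NTLMv1 is blocked.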

Issues and vulnerabilities

  • Weak Cryptography: All NTLM versions use a relatively weak cryptographic scheme. First, the hash is based on MD4, which is relatively weak. Second, even though the hash is salted before it is sent over the wire, it is saved unsalted in a machine’s memory. But the worst issue is that in order to authenticate to a machine, a user must respond to a challenge from the target, which exposes the password to offline cracking.
  • No Mutual Authentication: Unlike Kerberos, when a client authenticates to a server using NTLM, it cannot validate the identity of the server. This means that a malicious actor with man-in-the-middle capabilities could send the client fake/malicious data while impersonating the server.
  • No Multi-Factor Authentication (MFA): NTLM, being strictly password based, lacks effective support for smart cards and other Multi-Factor Authentication solutions. Sure, you can utilize smart cards for login and authenticate with NTLM, but as others have pointed out, this makes somewhat of a mockery of the whole smart card deployment because you could pass the hash and use the NT hash directly.

Protection strategies against these vulnerabilities

In order to protect themselves from these vulnerabilities, organizations must:

  1. Patch – Make sure that your workstations and servers are properly patched. This is a basic requirement. However, it is important to note that patching alone is not enough as you will also need to make configuration changes in order to be fully protected.
  2. Configuration:
    1. Enforce SMB Signing – To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.
    2. Block NTLMv1 – Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO.
    3. Enforce LDAP/S Signing – To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
    4. Enforce EPA – To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with Extended Protection for Authentication (EPA).
  3. Reduce NTLM usage – Even with a fully secure configuration and fully patched servers, NTLM still poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM anywhere it is not needed.
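The configuration steps above each land in a registry value that the corresponding Group Policy setting writes, so their state on a host can be audited read-only. The PowerShell below is an added example, not code from the original post: it checks SMB signing on the server and client side, the LAN Manager authentication level (5 refuses LM and NTLMv1 and sends only NTLMv2), LDAP server signing and LDAPS channel binding (meaningful only on a domain controller), and whether incoming NTLM traffic is being audited, which is the first step toward reducing NTLM usage. The registry paths and value names are the real ones; the "expected" values are this example's reading of the recommendations above.

```powershell
# Added example: read-only audit of the NTLM hardening settings on this host.
# Paths/value names are the ones the matching GPO settings write; the Expected
# values are assumptions derived from the recommendations (not the post's own).
$checks = @(
    @{ Name     = 'SMB signing required (server side)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = @(1) },
    @{ Name     = 'SMB signing required (client side)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = @(1) },
    @{ Name     = 'LmCompatibilityLevel (5 = NTLMv2 only, refuse LM and NTLMv1)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = @(5) },
    @{ Name     = 'LDAP server signing required (domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'
       Expected = @(2) },
    @{ Name     = 'LDAPS channel binding always (domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LdapEnforceChannelBinding'
       Expected = @(2) },
    @{ Name     = 'Audit incoming NTLM traffic for all accounts'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'AuditReceivingNTLMTraffic'
       Expected = @(2) }
)

function Test-NtlmHardening {
    param([Parameter(Mandatory)] [hashtable[]] $Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }
        # A missing value means the OS default applies, which is never the hardened state here
        $ok = ($null -ne $actual) -and ($c.Expected -contains $actual)
        $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $shown
            Expected = ($c.Expected -join ' or ')
            Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-NtlmHardening -Checks $checks | Format-Table -AutoSize
```

The two NTDS checks report "(not set)" on anything that is not a domain controller, which is expected. EPA on ADFS is not a registry value; on an ADFS server it is read with `(Get-AdfsProperties).ExtendedProtectionTokenCheck`, which should report `Require`. Once the audit rows are all `OK` and the NTLM audit log shows no remaining legitimate NTLM clients, the same `MSV1_0` key's `RestrictReceivingNTLMTraffic` setting is where NTLM is finally denied.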

For any Cyber Security information contact help@theweborion.com
