
NTLM-relay reincarnation or how to become a domain administrator in 1 minute

This post is a logical continuation of the research begun here and here (the two earlier posts).

In the first post I wrote about the good old SMB Relay under modern operating conditions.
The second post covered a new technique called SMB Hijacking, with which you can execute code even if the outgoing SMB session uses Kerberos.

This time we will talk about the next technique, which is based on the classic NTLM Relay.

There is nothing fundamentally new in it: it differs from SMB Relay only in the service to which the data is redirected, but in terms of impact this technique is immeasurably superior to its progenitor.
As you remember, in a domain network the controller is protected from SMB Relay by a rather simple and effective mechanism called SMB Signing, so redirecting to the DC as a third-party host is impossible. The problem is that one of the central systems of an Active Directory domain, which from the outside looks like an LDAP server, by default does not require packets to be signed during remote network interaction! To put it mildly, this is quite a frank backdoor in the system, left there for some unknown reason. Either it was done intentionally for backward compatibility, or Microsoft employees thought that if there are no working exploits, there is no cause for concern.

The lack of tools for NTLM relay to LDAP (Active Directory) is also not entirely clear. The vector is fairly obvious, but it is covered very poorly; perhaps researchers simply could not imagine that a domain controller could be so defenseless in its default configuration.

In 2012, at the Blackhat conference, a certain Zack Fasel presented his tool called ZackAttack. Among its declared functionality there was also a relay to LDAP. Despite the rather crude, but in some cases working, implementation, Zack's main merit, for me personally, was not the creation of the tool but the mention of the lack of mandatory packet signing when working with Active Directory. It took quite a long time before my hands reached this topic, but it happened, and a working implementation of the attack appeared in Intercepter-NG.

The attack requires only one condition: you need to know which computer the domain administrator is currently working on. The attacker does not even have to be a member of the domain, just connected to the network. As with the other attacks, to speed things up a link to Intercepter-NG's pseudo web service, which requires NTLM authorization, is injected into the victim's traffic. While browsing the web, the victim's machine automatically and imperceptibly sends the authentication information, which is then redirected to Active Directory. As a result of the attack, a new user is created with Domain Admins rights.

The attack was successfully tested on the server operating systems Windows 2003 and 2008R2, but it should also work on Windows 2012, because the policy "Domain controller: LDAP server signing requirements" is likewise set to None by default.
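The policy named above is exposed on a domain controller as the NTDS registry value LDAPServerIntegrity (1 = None, 2 = Require signing). The following audit script is an added example, not part of the original post or of Intercepter-NG: it reports the current signing requirement, enables the "16 LDAP Interface Events" diagnostic level so that the DC logs unsigned binds as Directory Service event 2889, and summarizes which clients have been binding without signing. The regular expression used to pull the client address out of the event text is an assumption about the message layout.

```powershell
# Run as an administrator on a domain controller. Added example, not from the original post.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Current value of "Domain controller: LDAP server signing requirements".
$integrity = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
switch ($integrity) {
    2       { Write-Host 'LDAP server signing: Require signing (relay to LDAP is blocked)' }
    default { Write-Warning "LDAP server signing: None (value=$integrity) - NTLM relay to LDAP is possible" }
}

# 2. Make the DC log unsigned binds (event 2889) before enforcing, so legacy clients can be found first.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2

# 3. Summarize unsigned/cleartext binds seen so far, grouped by client address.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        # Assumption: the message contains "Client IP address:" followed by "ip:port" on the next line.
        if ($_.Message -match 'Client IP address:\s*(?<client>[\d\.:\[\]a-fA-F]+)') {
            [pscustomobject]@{ Client = $matches.client; Time = $_.TimeCreated }
        }
    } |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4. Once no legitimate client appears in the list, enforce signing (the mitigation for this attack).
# Set-ItemProperty -Path $params -Name LDAPServerIntegrity -Value 2
```

Step 4 is left commented out deliberately; enforce it only after the 2889 report shows no legitimate clients that still bind without signing.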



You can try out the attack yourself with the release of the new version of Intercepter-NG, which is scheduled for autumn.

Source: https://habr.com/ru/post/226189/
