Introduction
During a penetration testing engagement, it is common to encounter an Active Directory environment that still uses outdated name-resolution protocols such as LLMNR, and to find workstations that accept unsigned packets. When both conditions are present, it is possible to spoof a domain user's identity towards a specific service (LDAP, SMB, HTTP) and perform malicious actions on behalf of the impersonated user.
In this series of articles, we will begin with a deep understanding of why it is possible to relay NTLM to compromise a user. We will then explore how to use this knowledge to relay NTLM connections, exploit the obtained privileges and move laterally across the domain.
NTLM 101
NTLM (NT LAN Manager) is an authentication protocol developed by Microsoft for Windows environments. It is used to validate user identities and provide security services within a Windows network. NTLM is still widely encountered in Active Directory environments, although it is neither the most recent nor the most secure authentication protocol available (that is Kerberos).
NTLM Protocols
- NTLMv1: The first version of the protocol, introduced with Windows NT 4.0, uses a challenge-response method for authentication. However, NTLMv1 is vulnerable to attacks such as pass-the-hash and NTLM relay due to its relatively weak hashing mechanism.
- NTLMv2: Introduced with Windows 2000, NTLMv2 improves security by using a more robust hashing algorithm and a more complex challenge-response mechanism. Although it is more secure than NTLMv1, NTLMv2 remains vulnerable to techniques such as NTLM relay if adequate protections are not in place.
It is important not to confuse these protocols with NT
NTLM Handshake
When a user connects to a service via NTLM, authentication occurs in several steps:
Client Server
| |
| 1. NTLM Negotiation |
| --------------------------------------> |
| |
| 2. NTLM Challenge |
| <-------------------------------------- |
| |
| 3. NTLM Authentication |
| --------------------------------------> |
| |
| 4. Access Granted |
| <-------------------------------------- |
| |
1. NTLM Negotiation: The client sends an initial request to the server to negotiate the NTLM authentication options.
2. NTLM Challenge: The server responds with a challenge that is used to verify the client's identity.
3. NTLM Authentication: The client answers the challenge using a hash of its password to prove its identity.
4. Access Granted: The server validates the response and grants access if authentication is successful.
NTLM Relay
NTLM Relay is an attack technique where an attacker intercepts and reuses NTLM authentication information to access services that the user is authenticated to (man-in-the-middle). By using this technique, the attacker can relay the captured authentication data to access services such as SMB, LDAP, or HTTP, often with the privileges of the targeted user.
Client Attacker Server
| | |
| 1. NTLM Negotiation | |
| ------------------------------------>| |
| | |
| | 2. NTLM Negotiation |
| | ------------------------------------> |
| | |
| | 3. NTLM Challenge |
| | <------------------------------------ |
| | |
| 4. NTLM Challenge | |
| <------------------------------------| |
| | |
| 5. NTLM Authentication | |
| ------------------------------------>| |
| | |
| | 6. NTLM Authentication |
| | ------------------------------------> |
| | |
| | 7. Access Granted |
| | <------------------------------------ |
| | |
1. NTLM Negotiation: The client sends an initial NTLM negotiation request to the attacker (who is pretending to be the server).
2. NTLM Negotiation: The attacker relays this negotiation request to the target server.
3. NTLM Challenge: The target server sends an NTLM challenge to the attacker.
4. NTLM Challenge: The attacker relays this challenge to the client.
5. NTLM Authentication: The client answers the challenge using a hash of its password.
6. Relay Authentication: The attacker relays the response to the target server.
7. Access Granted: The target server grants access to the attacker with the initial client's rights if the relayed response is valid.
Session signing
Services such as LDAP and SMB support session signing mechanisms that add an important layer of security by verifying the integrity and authenticity of exchanged messages. For an NTLM relay attack to be effective, these signing mechanisms must be disabled or not required on the target service.
This is the default configuration on workstations; Windows servers are the exception.
How Session Signing protects against Relay Attacks
When SMB signing is enabled, the server requires that every SMB packet sent by the client is cryptographically signed. The server checks the signature to ensure that the packet has not been altered in transit and that the sender is indeed who they claim to be. The signature is computed with a session key derived from the user's password hash during authentication; an attacker who only forwards the handshake never obtains that key and therefore cannot sign its own requests. This mechanism prevents attackers from modifying messages in transit and from completing an NTLM relay attack.
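The handshake, the relayed handshake and the effect of session signing described above, as an added simulation that is not part of the original article: it implements the NT hash (MD4 of the UTF-16LE password) and the NTLMv2 challenge-response, then runs the seven-step relay once against a service that accepts unsigned messages and once against one that requires signing. The account, password, service name and the signing scheme (an HMAC-MD5 over a sequence number and the message, standing in for the real NTLM signing-key derivation) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# MD4 is written out here because hashlib's md4 is absent from many modern OpenSSL builds.
def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; NTLM derives the NT hash from MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def nt_proof(v2: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(v2, server_challenge + blob, hashlib.md5).digest()

def session_key(v2: bytes, proof: bytes) -> bytes:
    return hmac.new(v2, proof, hashlib.md5).digest()

def sign(key: bytes, seq: int, message: bytes) -> bytes:
    # Simplified stand-in for NTLM message signing (real NTLM derives separate signing and
    # sealing keys); the property that matters here is that signing needs the session key.
    return hmac.new(key, struct.pack("<I", seq) + message, hashlib.md5).digest()[:8]

class Server:
    """Service that validates NTLMv2 responses and optionally requires signed messages."""
    def __init__(self, accounts: dict, require_signing: bool):
        self.accounts = accounts          # {(domain, user): nt_hash}, as the DC holds them
        self.require_signing = require_signing
        self.sessions = {}

    def negotiate(self):
        sid = os.urandom(4).hex()         # step 2: issue an 8-byte server challenge
        self.sessions[sid] = {"challenge": os.urandom(8), "key": None, "seq": 0}
        return sid, self.sessions[sid]["challenge"]

    def authenticate(self, sid, domain, user, blob, proof) -> bool:
        sess = self.sessions[sid]         # step 3/4: verify the NTLMv2 proof
        nt = self.accounts.get((domain, user))
        if nt is None:
            return False
        v2 = ntlmv2_hash(nt, user, domain)
        if not hmac.compare_digest(nt_proof(v2, sess["challenge"], blob), proof):
            return False
        sess["key"], sess["user"] = session_key(v2, proof), user   # key derived from the NT hash
        return True

    def handle(self, sid, message: bytes, signature=None):
        """Returns (accepted, detail); unsigned traffic passes only when signing is not required."""
        sess = self.sessions[sid]
        if sess["key"] is None:
            return False, "not authenticated"
        if self.require_signing:
            expected = sign(sess["key"], sess["seq"], message)
            if signature is None or not hmac.compare_digest(expected, signature):
                return False, "missing or invalid signature"
        sess["seq"] += 1
        return True, sess["user"]

def client_respond(password: str, domain: str, user: str, challenge: bytes):
    """Client side of step 3: answer the challenge and derive the same session key."""
    # Constructed, simplified NTLMv2 blob: version bytes, timestamp, client nonce, padding.
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 4
    v2 = ntlmv2_hash(nt_hash(password), user, domain)
    proof = nt_proof(v2, challenge, blob)
    return blob, proof, session_key(v2, proof)

ACCOUNTS = {("CORP", "alice"): nt_hash("Winter2024!")}   # constructed lab account

def relay(require_signing: bool):
    """Relay steps 1-7: the attacker only forwards bytes between client and server."""
    server = Server(ACCOUNTS, require_signing)
    sid, challenge = server.negotiate()                    # 1-3: negotiation forwarded, challenge issued
    blob, proof, _client_key = client_respond("Winter2024!", "CORP", "alice", challenge)  # 4-5
    if not server.authenticate(sid, "CORP", "alice", blob, proof):   # 6-7: response forwarded
        return False, "relayed authentication rejected"
    # The attacker never learns _client_key, so its own follow-up request is unsigned.
    return server.handle(sid, b"READ share=finance")

def legitimate(require_signing: bool):
    """Same handshake without an attacker: the real client derived the key and can sign."""
    server = Server(ACCOUNTS, require_signing)
    sid, challenge = server.negotiate()
    blob, proof, client_key = client_respond("Winter2024!", "CORP", "alice", challenge)
    server.authenticate(sid, "CORP", "alice", blob, proof)
    return server.handle(sid, b"READ share=finance", sign(client_key, 0, b"READ share=finance"))

if __name__ == "__main__":
    print("signing off, relayed session :", relay(False))
    print("signing on,  relayed session :", relay(True))
    print("signing on,  legitimate client:", legitimate(True))
```

The relayed session is accepted in the first run and rejected in the second even though the authentication itself succeeded both times: the proof the attacker forwarded is valid, but the session key that signing needs is derived from the NT hash, which the attacker never had. That is why enforcing signing on the target service, rather than only hardening the client, closes the relay.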
Protocol importance
It is therefore crucial to note that NTLM authentication cannot be relayed to just any service: whether a relay works depends on the source and destination protocols as well as on protection mechanisms such as packet signing. In practice, attackers typically exploit connections made over protocols like SMB or HTTP to carry out NTLM relay attacks between different services.
Moreover, NTLM authentication protocols are independent of application protocols, meaning that an NTLM authentication message can be relayed from one protocol (e.g., HTTP) to another (e.g., LDAP).
Relay Matrix - from
Conclusion
In conclusion, NTLM Relay poses a serious threat in Active Directory environments using NTLM authentication. By exploiting NTLM weaknesses, attackers can relay authentication messages to access protected services. Therefore, it is crucial to understand these mechanisms and implement robust security measures, such as session signing.
In the upcoming articles of the Awesome Relay