Source: myhack58, author 佚名 (Anonymous), MYHACK58:62201787833
Published: Jul 13, 2017 - 12:00 a.m.

NTLM, LDAP & RDP Relay Vulnerability Analysis - Vulnerability Warning - myhack58 (黑吧安全网, www.myhack58.com)


CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.002 Low (percentile 61.6%)

Over the past few months, the Preempt research team discovered and reported two vulnerabilities in Microsoft's NT LAN Manager (NTLM). Both stem from the same root cause: NTLM is not handled correctly by two different protocols. The issues matter because, even with LDAP server signing and RDP Restricted-Admin mode enabled, they allow an attacker to create a new domain administrator account.
A video describing the two vulnerabilities accompanied the original post.
NTLM is a suite of Microsoft security protocols that provides authentication, integrity and confidentiality. NTLM relay is well known to most attackers: if you hire a penetration testing team to audit your network, they will very likely use an NTLM relay attack to compromise it.
The figure below is a brief schematic of how an NTLM relay is completed:
[Figure: NTLM relay schematic (image: /Article/UploadPic/2017-7/201771314053722.png)]
Simply put, when a user wants to connect to a server, the server issues a challenge and the user encrypts that challenge with a key derived from their password hash. An attacker sitting in the middle opens a parallel session to the server he actually wants to reach, passes that server's challenge to the user and passes the user's response back, so the NTLM authentication completes on the user's behalf. Once authenticated, the attacker can immediately open an SMB session and infect the target system with malware.
0x01 Two ways to prevent NTLM credential relay
1. SMB signing: a configuration in which the server and client agree to digitally sign every packet with the session key derived from the NTLM authentication. Even if the NTLM session is relayed, the attacker cannot use the resulting SMB session because he lacks the session key needed to sign his requests. Besides SMB, DCE/RPC traffic is protected by the same technique. Note that in an Active Directory network only domain controllers require SMB signing by default; every other server and workstation is unprotected unless configured otherwise.
2. Extended Protection for Authentication (EPA): a mechanism in which, as part of the authentication, the client uses the session key to digitally sign an element of the TLS session (the channel binding token), so the authentication cannot be replayed over a different TLS connection. EPA is used with HTTP and a few other protocols. Two points are worth noting. First, it requires the protocol to run over TLS. Second, EPA cannot be configured centrally: it is off by default, so each server or application administrator has to turn it on by hand to prevent credential forwarding.
0x02 Vulnerability 1: LDAP relay (CVE-2017-8563)
The first vulnerability we reported is that LDAP is not adequately protected against NTLM relay.
LDAP is the protocol used to query and update Active Directory, covering all domain objects (users, groups, endpoints, and so on). Domain controllers have a dedicated Group Policy setting, "Domain controller: LDAP server signing requirements". When it is set to "Require signing", the domain controller rejects any LDAP session that is neither digitally signed with the session key derived from the authentication nor encrypted end to end with TLS (LDAPS).
The vulnerability is that LDAP signing prevents both man-in-the-middle attacks and credential forwarding, whereas LDAPS prevents man-in-the-middle attacks but not credential forwarding. An attacker with SYSTEM privileges on a machine can therefore take any incoming NTLM session, relay it to a domain controller over LDAPS and perform LDAP operations, including updates to domain objects, on behalf of the NTLM user. To see how serious this is, remember that all Windows protocols use the Windows authentication API (SSPI), which allows the authentication to be downgraded to NTLM.
As a result, every connection by a domain administrator to an infected machine, whether over SMB, WMI, SQL, HTTP or any other protocol, lets the attacker create a domain administrator account and take complete control of the attacked network.
0x03 Vulnerability 2: RDP relay
The second issue concerns RDP Restricted-Admin mode. RDP Restricted-Admin lets a user connect to a remote computer without handing his password to that (possibly compromised) remote computer.
RDP Restricted-Admin has been popular with attackers in the past because it allows pass-the-hash to be used to connect to a remote computer. What had not been disclosed before was the flaw on the client side that performs the RDP connection. Preempt found that RDP Restricted-Admin, sometimes mistakenly called "Kerberosed RDP", allows the authentication negotiation to be downgraded to NTLM. This means that every attack that works against NTLM, such as credential relay and password cracking, also works against it.
Because RDP Restricted-Admin mode is how privileged help-desk staff access remote computers, it puts their credentials at risk. Combined with the first problem, the LDAP relay, it means that every time such a user connects with RDP Restricted-Admin, an attacker on the target machine can create a rogue domain administrator.
0x04 Microsoft Security Response Center (MSRC) reply
Microsoft acknowledged both issues. The first was assigned CVE-2017-8563 and a patch has been released. For the second, Microsoft states that it is a known issue and recommends configuring the network securely.
Timeline:
2017-04-02: Preempt contacts MSRC and reports the vulnerabilities
2017-04-06: MSRC acknowledges the report
2017-05-09: MSRC confirms the LDAP issue and states that the RDP issue can be addressed through configuration
2017-07-11: Microsoft fixes CVE-2017-8563 in the July Patch Tuesday release
0x05 How to protect yourself
NTLM is dangerous: it can be used for credential forwarding and for password cracking. If you can, avoid using it on your network; you will be considerably safer.
I recommend the following measures. Steps 1-2 are mandatory, steps 3-5 strongly recommended:
1. Install the CVE-2017-8563 patch on all of your domain controllers. If you have automatic updates enabled it may already be installed, but a reboot is needed for it to take effect.
2. In Group Policy, turn on "Require LDAP signing". It is off by default and, much like SMB signing, leaves you unprotected if configured incorrectly.
3. Following Microsoft's guidance for the patch, use SSL/TLS (LDAPS) for LDAP authentication. Note that after the patch, channel binding on LDAPS is controlled by the LdapEnforceChannelBinding registry value on the domain controller, which must be set for the fix to be enforced.
4. Monitor the NTLM traffic on your network and check for anything abnormal.
5. Do not give help-desk staff domain administrator privileges: they log on to many workstations, so their credentials are exposed. If they need elevated rights, give them two accounts, one for remote assistance and a separate one with domain administrator permissions. For this, see Microsoft's Pass-the-Hash guidance.
6. See the video to learn how Preempt helps enterprise customers.
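Steps 1-4 above as a PowerShell procedure, added here as an example and not taken from the Preempt post or from Microsoft: it reports each domain controller's posture, applies the registry equivalents of the LDAP signing, LDAPS channel binding and NTLM audit settings, and pulls NTLM logons from the Security log for review. It assumes an elevated session with the ActiveDirectory RSAT module and WinRM access to the DCs, that the DCs already carry the July 2017 (or later) cumulative update that introduces LdapEnforceChannelBinding, and the event 4624 field positions of Windows Server 2012 R2/2016. The function names are my own.

```powershell
# Added example: audit and harden domain controllers against NTLM relay to LDAP/LDAPS and surface NTLM use.
# Assumptions: RSAT ActiveDirectory module, WinRM to the DCs, July 2017+ cumulative update already installed.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LdapRelayPosture {
    # Per DC, the settings that decide whether a relayed NTLM session can reach LDAP or LDAPS.
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -Path $using:NtdsKey -ErrorAction SilentlyContinue
        $m = Get-ItemProperty -Path $using:Msv1Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer                  = $env:COMPUTERNAME
            # GPO "Domain controller: LDAP server signing requirements": 0/absent = none, 1 = negotiate, 2 = require
            LDAPServerIntegrity       = [int]$p.LDAPServerIntegrity
            # Channel binding (EPA) on LDAPS: absent = patch missing or never set, 0 = never, 1 = when supported, 2 = always
            LdapEnforceChannelBinding = if ($null -eq $p.LdapEnforceChannelBinding) { 'absent' } else { $p.LdapEnforceChannelBinding }
            # GPO "Network security: Restrict NTLM: Audit NTLM authentication in this domain": 7 = audit all
            AuditNTLMInDomain         = [int]$m.AuditNTLMInDomain
            RebootPending             = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        }
    } | Select-Object Computer, LDAPServerIntegrity, LdapEnforceChannelBinding, AuditNTLMInDomain, RebootPending
}

function Set-LdapRelayHardening {
    # Registry equivalents of the GPO settings; in production set them through the GPO so they are enforced domain-wide.
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        Set-ItemProperty -Path $using:NtdsKey -Name LDAPServerIntegrity -Value 2 -Type DWord        # step 2: require LDAP signing
        Set-ItemProperty -Path $using:NtdsKey -Name LdapEnforceChannelBinding -Value 2 -Type DWord  # step 3: LDAPS only with channel binding
        Set-ItemProperty -Path $using:Msv1Key -Name AuditNTLMInDomain -Value 7 -Type DWord          # step 4: NTLM audit (NTLM/Operational 8004)
    }
}

function Get-NtlmLogons {
    # Step 4: successful logons (4624) that used the NTLM package. A domain admin showing up here from an
    # unexpected source host, with logon type 3, is the footprint a relay through a compromised machine leaves.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]]" +
             " and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $d[6].Value, $d[5].Value   # TargetDomainName\TargetUserName
                LogonType   = $d[8].Value                               # 3 = network, which is what a relay produces
                Workstation = $d[11].Value
                SourceIp    = $d[18].Value
            }
        } | Group-Object User, SourceIp | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'User,SourceIp'; e = { $_.Name } }
}

# Usage:
#   Get-LdapRelayPosture | Format-Table
#   Set-LdapRelayHardening            # reboot any DC that reported RebootPending so the patch is active
#   Get-NtlmLogons -ComputerName dc01 -Hours 6
```

Run Get-LdapRelayPosture before and after Set-LdapRelayHardening and keep the output: a DC that reports LdapEnforceChannelBinding as "absent" either lacks the July 2017 update or was patched but never had the value set, and in the second case the LDAPS relay path of 0x02 is still open. For the RDP side, which Microsoft left to configuration, the same MSV1_0 key on the help-desk workstations holds RestrictSendingNTLMTraffic (the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"; 2 = deny all), which blocks the NTLM downgrade described in 0x03 at the cost of breaking any server that only speaks NTLM, so audit first.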
