
NTLM Relay

1 Introduction

1.1 Background

NTLM relay, man-in-the-middle attack and replay attack all refer to the same thing here.

B is an SMB server and A is the client that authenticates to it. B forwards A's authentication messages to C; if A's credentials are accepted by C, B can carry out follow-up operations on C, such as creating a service to execute commands. An attacker who controls a commonly used service in the domain (a web OA system, a file share and so on) can attempt an SMB relay attack by luring domain administrators into accessing it, and thereby obtain access to other machines.

In 2001, the first implementation, SMBRelay, was released by Dynamic.

In 2004, it was developed into HTTP - SMB relay and presented at BlackHat, but the tool was not released.

In 2007, HTTP - SMB relay was integrated into Metasploit.

In 2008, the HTTP - HTTP NTLM relay attack was implemented (MS08-067).

1.2 Authentication process

[Figure: two-party model]

[Figure: three-party model]

[Figure: NTLM relay model in a domain environment]

1.3 HTTP - SMB attack experiment

1.3.1 Probing SMB signing with nmap

nmap scan:

nmap -p445 --script=smb-security-mode.nse IP --open

1.3.2 Testing with ntlmrelayx.py

The ntlmrelayx.py script from the Empire package:

ntlmrelayx.py -tf hosts.txt -socks -smb2support

Notice

For HTTP - SMB relay, the attack listens on port 80; make sure that port is not already in use.

After the relay succeeds, a SOCKS proxy is opened on port 1080 of the attacking machine, and the target machine can then be accessed through a proxy tool such as proxychains.

# macOS, proxychains-ng
proxychains4 /Users/Geekby/opt/anaconda3/bin/python secretsdump.py pentest.com/[email protected]

Notice

When prompted for a password during authentication, leave it blank so that the relayed credentials are used.

1.4 Hot Potato

Hot Potato is a classic example of using NTLM relay to gain control as a high-privilege user; see the article "Potato Family Privilege Escalation Analysis".

1.5 NTLM Relay defenses

There are currently many defensive measures against NTLM relay attacks, mainly the following:

SMB/LDAP signing

EPA (Enhanced Protection for Authentication)

LDAPS channels

Server target SPN validation

1.5.1 SMB/LDAP signing

After authentication completes, all traffic between the application server and the client is protected by signature verification. The session key used for signing is derived from the client's NT hash: the application server obtains it from the DC during the NETLOGON stage, while the client derives it locally from its own NT hash using the same algorithm as the DC. A man-in-the-middle therefore cannot obtain the session key.

1.5.2 EPA (Enhanced Protection for Authentication)

NTLM authentication is bound to a secure channel: during the NTLM exchange, the final NTLM authentication message carries a digest of the target application server's certificate. This digest is protected by a signature keyed with the client's NT hash, which prevents certificate forgery attacks.

1.6 Some notes on the NTLM protocol

Arguments are written as (data, key):

NT Hash = MD4(unicode(hex(password)))

NTLMv2 Hash = HMAC-MD5(unicode(hex(upper(username + domain))), NT Hash)

NTProofStr = HMAC-MD5(challenge + data, NTLMv2 Hash)

Session Key = HMAC-MD5(HMAC-MD5(NTLMv2 Response + Challenge, NTLMv2 Hash), NTLMv2 Hash)

MIC = HMAC-MD5(NEGOTIATE_MESSAGE + CHALLENGE_MESSAGE + AUTHENTICATE_MESSAGE, Session Key)
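The derivation chain above as an added Python example (not code from the original post), useful for checking a MIC over a captured exchange in a lab. It follows [MS-NLMP] 3.3.2 for the NTLMv2 steps, which differs in two details from the shorthand above: only the user name is upper-cased, and the session base key is HMAC-MD5 keyed with the NTLMv2 hash over NTProofStr (with no key exchange, that key also signs the MIC). MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hmac
import hashlib
import struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xffffffff

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad to 64-byte blocks, three rounds of 16 operations each."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5a827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ed9eba1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, s, order in rounds:
            for j, i in enumerate(order):   # rotate the working variables after every operation
                a, b, c, d = d, _rol((a + f(b, c, d) + X[i] + k) & 0xffffffff, s[j % 4]), b, c
        h = [(x + y) & 0xffffffff for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def nt_hash(password: str) -> bytes:
    # NT hash = MD4(UTF-16LE(password)); this is the "unicode(password)" of the page's formula
    return md4(password.encode("utf-16le"))

def ntlmv2_hash(user: str, domain: str, nthash: bytes) -> bytes:
    # NTOWFv2 ([MS-NLMP] 3.3.2): key = NT hash, data = UTF-16LE(UPPER(user) + domain)
    return hmac_md5(nthash, (user.upper() + domain).encode("utf-16le"))

def nt_proof_str(v2hash: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr binds the 8-byte server challenge to the client blob (timestamp, nonce, AV pairs)
    return hmac_md5(v2hash, server_challenge + blob)

def session_base_key(v2hash: bytes, proof: bytes) -> bytes:
    # SessionBaseKey = HMAC-MD5(NTLMv2 hash, NTProofStr); the DC returns this to the server
    return hmac_md5(v2hash, proof)

def mic(session_key: bytes, negotiate: bytes, challenge: bytes, authenticate: bytes) -> bytes:
    # MIC covers all three messages; AUTHENTICATE is passed with its 16-byte MIC field zeroed
    return hmac_md5(session_key, negotiate + challenge + authenticate)

def verify_mic(session_key, negotiate, challenge, authenticate, received_mic) -> bool:
    return hmac.compare_digest(mic(session_key, negotiate, challenge, authenticate), received_mic)
```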

2 CVE-2015-0005

2.1 Principle

After receiving authentication information from the user's client, the application server cannot validate it on its own: it has to send the received authentication information to the domain server. This exchange uses the NETLOGON protocol, which establishes a secure session between the application server and the domain server; the shared key of that secure session is derived from the NT hash of the application server's machine account password.

2.1.1 NETLOGON steps

All of these are RPC calls made remotely to the authentication server:

NetrLogonSamLogonEx

NetrLogonSamLogonWithFlags

NetrLogonSamLogon

NetrLogonSamLogoff

2.1.2 Attack scenario

The user evils, on win10x64en$, accesses the SMB service of the internal server win2008R2$ using NTLM authentication. The domain server is Win2016-dc01$. The authentication process is summarized as follows:

1. win10x64en$ first sends NTLM_NEGOTIATE to port 445 of win2008R2$ and negotiates NTLM authentication;

2. On receipt, win2008R2$ returns an NTLM_CHALLENGE to win10x64en$;

3. After receiving the NTLM_CHALLENGE, win10x64en$ sends an NTLM_AUTHENTICATE message to win2008R2$;

4. The NT hash of win2008R2$'s password, shared between win2008R2$ and the domain controller, is used to derive a session key and establish a NETLOGON secure session. win2008R2$ then calls the NetrLogonSamLogonWithFlags function on the domain server over RPC, passing all the authentication information sent by win10x64en$ together with the earlier challenge as parameters;

5. On receipt, the domain server verifies the authentication information and returns STATUS_SUCCESS if it is valid;

6. If the NetrLogonSamLogonWithFlags call succeeds, a NETLOGON_VALIDATION structure is returned to the application server; it may be one of NETLOGON_VALIDATION_SAM_INFO, NETLOGON_VALIDATION_SAM_INFO2 or NETLOGON_VALIDATION_SAM_INFO4. This structure contains an important item, the SessionKey, which is used for signing, encryption and so on between the user client and the application server.

The SessionKey is derived from the client user's NT hash. The application server obtains it from the DC, while the client user derives it locally with the same algorithm, so the SessionKey itself never has to be exchanged between the application server and the client.

The second parameter is the host name (Microsoft's description: "ComputerName: The Unicode string that contains the NetBIOS name of the client computer calling this method"). It is the name of the client host that calls the function, that is, the application server that invokes it remotely over RPC. In theory, therefore, this host name should match the machine account from which the secure-session key between the application server and the domain server was derived.

Consequently, any host in the domain that can obtain the authentication exchange between the user and the application server can itself initiate NETLOGON to the domain server and obtain the SessionKey, and can then forge the data signatures between the application server and the client user, which is exactly what the man-in-the-middle attack needs.

2.2 In practice

Use smbrelayx from impacket to perform the man-in-the-middle attack. If the target machine requires SMB signing, the module uses NETLOGON to obtain the session key for signing directly.

Environment:

Attacking machine (not a domain member): 192.168.68.24

Client server (the server subjected to the man-in-the-middle attack): SERVER-2008

Target host / application server: Windows Server 2012 - 172.16.147.130

Information

If the attacking machine is not a domain member, you need to supply the hash of any host (machine account) in the domain and specify the domain controller's IP.

python2 smbrelayx.py -h 172.16.147.130 -machine-account pentest-ad/SERVER-2008$ -machine-hashes bab7079288e58b875c46601f274001e6:bab7079288e58b875c46601f274001e6 -domain 172.16.147.130

The -e parameter specifies a file to be executed on the target machine; if it is omitted, the target machine's hashes are dumped by default. -c specifies a command to execute.

2.3 Defense

Affects Windows Server 2012 and earlier; personal PCs are not affected.

Microsoft released patch MS15-027 to fix this vulnerability: it checks that the ComputerName and NetBIOS fields match and verifies the signature over this authentication block.

3 CVE-2019-1019

After the CVE-2015-0005 patch, the domain server verifies that the ComputerName and NetBIOS fields are consistent. However, if the ComputerName field is missing altogether, the domain server accepts the message and does not perform integrity verification (MIC) on the authentication message.

3.1 Principle

Much of the information in the NTLM_AUTHENTICATE message, including the ComputerName field, is copied from the NTLM_CHALLENGE. An attacker can therefore intercept the challenge sent by the application server to the client and delete the ComputerName field; since the client cannot find the field in the challenge it received, the subsequent NTLM_AUTHENTICATE will not contain it either.

NTLM can be configured to enable integrity verification, which adds a MIC (Message Integrity Code) field to the authentication message; this is enabled by default in newer versions. The MIC protects the integrity of the NTLM authentication packets, including NTLM_CHALLENGE.

The MIC is an HMAC-MD5 over the messages keyed with the SessionKey. As the previous analysis showed, the SessionKey can be obtained, so the MIC can be recalculated after the message has been modified.

1. The client sends NTLM_NEGOTIATE to the application server, and the relay attacker captures it.

2. The attacker forwards NTLM_NEGOTIATE to the real application server, which is the target of the attack.

3. The application server returns an NTLM_CHALLENGE to the attacker.

4. The relay attacker removes the ComputerName field from the NTLM_CHALLENGE and forwards it to the client.

5. The client receives the modified NTLM_CHALLENGE, constructs NTLM_AUTHENTICATE from it, and sends the authentication message to the relay attacker. At this point the authentication message already contains the MIC.

6. The relay attacker initiates a NETLOGON session request to the domain server. Because the ComputerName field is missing from the authentication message, the domain server skips integrity verification, accepts the authentication message, and returns a SessionKey.

7. The relay attacker recalculates the MIC and sends a new NTLM_AUTHENTICATE to the application server.

8. After receiving the NTLM_AUTHENTICATE, the application server checks the MIC and then initiates its own NETLOGON session request to the domain server. The domain server returns a successful authentication response containing the session key, which is the same session key as in step 6.

9. The relay attacker has now established a signed session with the application server and holds the client user's access rights on it. If the client user is an administrator and the application server is a domain server, the relay attacker has administrator (the client's) rights on the domain server (the application server).

3.2 In practice

Use ntlmrelayx.py from impacket to perform the man-in-the-middle attack, with the -remove-target parameter.

python3 ntlmrelayx.py -h 172.16.147.130 -remove-target --enum-local-admins -smb2support -machine-account pentest-ad/SERVER-2008$ -machine-hashes bab7079288e58b875c46601f274001e6:bab7079288e58b875c46601f274001e6 -domain 172.16.147.130

4 CVE-2019-1040

4.1 Principle

After the CVE-2015-0005 patch is installed, the system checks whether the NetBIOS name and the ComputerName parameter of the NetrLogonSamLogonWithFlags function are the same, so the earlier method of obtaining the SessionKey by modifying ComputerName no longer works.

However, if the NetBIOS name in the authentication information is deleted or absent, the authentication server no longer performs that name check, which means the ComputerName parameter can again be modified to achieve the effect of CVE-2015-0005 and obtain the session key.

Such attacks can be blocked by configuring the server to reject any request without a NetBIOS name. In NTLMv1, however, this field does not exist in the NTLM message structure, so in NTLMv1 scenarios the attack is hard to eliminate by policy or patch and the exposure remains significant.

When the client and the server negotiate NTLM, the NegotiateFlags (that is, the msvAvFlags field, shown in the figure below) indicate whether a MIC is required to protect the integrity of the session; see the red box in the figure.

[Figure: msvAvFlags field in the NTLM message]

When SMB clients authenticate with NTLM, the default settings require a MIC for integrity protection. Broadly, there are two ways to defeat the MIC. One is to modify the MIC, which requires obtaining the session key; as shown earlier, if the protection policy is configured, the session key cannot be obtained by deleting the NetBIOS name. The other is to drop the MIC entirely, which also requires changing the flag bits in the msvAvFlags field and the version information, because some versions require a MIC by default.

The msvAvFlags field is defined in the Microsoft documentation: a value of 0x00000002 means the client uses a MIC to protect the integrity of the packets.

The msvAvFlags field is covered by the signature keyed with the user's NT hash, so it cannot be modified. Remarkably, in practice the domain server does not really care whether the MIC and Version fields exist: if they are present they are verified, and if they are absent they are not.

This attack can be blocked by configuration: if the msvAvFlags field indicates MIC integrity protection, a MIC must be present and must be verified. In real deployments some exposure remains, however; for example, Firefox on macOS and Linux does not add a MIC by default.
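The server-side consistency check described above, as an added Python example (not code from the original post): it parses an AUTHENTICATE_MESSAGE, reads MsvAvFlags from the AV pairs inside the NTLMv2 response, and refuses the message when the flags claim a MIC (0x2) but the 16-byte MIC field is all zeros. Offsets follow [MS-NLMP]; `build_authenticate` is a helper that only constructs test input, not real traffic.

```python
import struct

NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # NegotiateFlags bit: the Version field is populated
MSV_AV_EOL, MSV_AV_FLAGS = 0, 6           # AV_PAIR ids ([MS-NLMP] 2.2.2.1)
AV_FLAG_MIC_PRESENT = 0x2                 # MsvAvFlags bit: "a MIC is present in AUTHENTICATE"

def av_pairs(pairs):
    """Encode (AvId, value) pairs and terminate the list with MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)

def build_authenticate(av_flags: int, mic_field: bytes, version_flag: bool = True) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE carrying only an NTLMv2 response (test input only)."""
    # NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved, timestamp, client nonce, 4 reserved
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4
    blob += av_pairs([(MSV_AV_FLAGS, struct.pack("<I", av_flags))]) + b"\x00" * 4
    nt_resp = b"\xaa" * 16 + blob           # placeholder NTProofStr + blob
    payload_off = 88                        # fixed header size, including Version and MIC
    fields = struct.pack("<HHI", 0, 0, payload_off)                         # LmChallengeResponse
    fields += struct.pack("<HHI", len(nt_resp), len(nt_resp), payload_off)  # NtChallengeResponse
    fields += struct.pack("<HHI", 0, 0, payload_off) * 4  # Domain, User, Workstation, SessionKey
    neg = NTLMSSP_NEGOTIATE_VERSION if version_flag else 0
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", neg)
            + b"\x00" * 8 + mic_field + nt_resp)

def check_mic_consistency(msg: bytes) -> dict:
    """Report what the message claims versus what it carries; 'accept' is the hardened policy."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)
    neg_flags = struct.unpack_from("<I", msg, 60)[0]
    mic_field = msg[72:88]
    nt_resp = msg[nt_off:nt_off + nt_len]
    av_flags, pos = 0, 44                   # AV pairs follow NTProofStr(16) + 28-byte fixed part
    while pos + 4 <= len(nt_resp):
        av_id, av_len = struct.unpack_from("<HH", nt_resp, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4:
            av_flags = struct.unpack_from("<I", nt_resp, pos + 4)[0]
        pos += 4 + av_len
    claims_mic = bool(av_flags & AV_FLAG_MIC_PRESENT)   # covered by NTProofStr, so not forgeable
    has_mic = any(mic_field)
    has_version = bool(neg_flags & NTLMSSP_NEGOTIATE_VERSION)   # the page notes MIC removal
    # also touches version information, so it is reported alongside the MIC check
    return {"claims_mic": claims_mic, "has_mic": has_mic, "has_version": has_version,
            "accept": (not claims_mic) or has_mic}
```

A client that never sets the flag (the Firefox case above) still passes this check, which is why the page calls the residual risk a hidden danger rather than a closed hole.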

4.2 In practice

Use ntlmrelayx.py from impacket to perform the man-in-the-middle attack, with the --remove-mic parameter.

python3 ntlmrelayx.py -h ldap://172.16.147.130 --remove-mic --escalate-user commonuser -smb2support -machine-account pentest-ad/SERVER-2008$ -machine-hashes bab7079288e58b875c46601f274001e6:bab7079288e58b875c46601f274001e6 -domain 172.16.147.130

5 EPA-Bypass

5.1 Principle

EPA (Enhanced Protection for Authentication) binds authentication packets to a secure channel. It is mainly used to protect Windows integrated authentication services such as OWA, ADFS and LDAPS.

Specifically, a Channel Bindings field is added to the authentication message. According to Microsoft's documentation, Channel Bindings is an MD5 hash, namely the MD5 hash of the gss_channel_bindings_struct structure.
