What if we were to tell you that anyone connected to your network could simply ask other users to sign into their system, then relay that sign-in and assume the privileges of that user?

Further, what if this wasn’t limited to users who had an account, but anyone who could connect to the network?

Unfortunately, for a lot of organizations that is the case, especially those using a Microsoft Windows and Active Directory-based infrastructure.

The process works like this:

  • The attacker conducts a stealthy scan for SMB, and possibly LDAP, services on the network.
      • In most cases, Windows workstations that accept incoming SMB requests are vulnerable to these attacks.
      • In some cases, Domain Controllers may not mitigate these attacks for LDAP connections; this could permit an attacker direct access to the database behind Active Directory.
  • An attacker connected to the network runs a tool that does one of the following:
      • Responds to all multicast name resolution requests, including protocols such as WPAD, LLMNR, NBT-NS and mDNS, all of which have been enabled by default on Windows systems for many years.
      • Sets up a rogue IPv6 DHCP server and assumes the role of the default DNS server.

(Multicast name resolution is akin to shouting, “Where is my bank?” in Times Square and blindly trusting the first answer: it might be right, but that blind trust could lead you into some risky situations!)

  • A user, or the user’s system, takes an innocuous action such as:
      • Browsing to a file share
      • Browsing to an intranet or internet page
      • Simply using a computer on a network where IPv6 is not managed
  • The attacker poisons the request by responding with their own address and requesting that the user authenticate.
  • The victim user attempts to log in, sending their hashed password.
  • The attacker relays this authentication to a system identified as a target. The access gained depends on the service attacked, but the goal is to relay a user with administrative rights on the target.

In some cases, the last step above is enough to escalate the attacker from having a wired or wireless network connection to having administrative access over the entire domain and every computer within it. In other cases, the attacker may simply have administrative access to one or a subset of systems, which they can use to escalate privileges using additional techniques.
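One way a defender can spot the multicast-poisoning step described above is to watch who answers LLMNR queries: a legitimate host answers only for its own name, while a poisoner answers for every name asked. The Python below is an added example, not code from the original post; it parses LLMNR datagrams (RFC 4795, which reuses the DNS wire format) and flags sources answering for many distinct names, using constructed sample traffic with made-up addresses and hostnames.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def build_llmnr(txid, name, answer_ip=None):
    """Build a minimal LLMNR datagram (RFC 4795, DNS wire format): a query, or a response with one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    pkt = struct.pack("!HHHHHH", txid, 0x8000 if answer_ip else 0, 1, 1 if answer_ip else 0, 0, 0)
    pkt += qname + struct.pack("!HH", 1, 1)  # question: QTYPE A, QCLASS IN
    if answer_ip:  # answer RR: pointer to the question name, type A, class IN, TTL 30, 4-byte address
        pkt += struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + IPv4Address(answer_ip).packed
    return pkt

def parse_llmnr(payload):
    """Parse the header and first question of an LLMNR datagram; the response flag is bit 15 of FLAGS."""
    if len(payload) < 12:
        raise ValueError("truncated LLMNR header")
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while payload[pos]:  # DNS-style labels: a length byte followed by that many characters, 0 terminates
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return {"id": txid, "response": bool(flags & 0x8000), "name": ".".join(labels).lower(), "answers": ancount}

def find_poisoners(events, threshold=3):
    """Return source IPs that answered LLMNR queries for at least `threshold` distinct names.
    A legitimate host answers only for its own name; a poisoner answers for whatever is asked."""
    names_answered = defaultdict(set)
    for src_ip, payload in events:  # events: (source IP, UDP payload) as seen on UDP port 5355
        msg = parse_llmnr(payload)
        if msg["response"] and msg["answers"] > 0:
            names_answered[src_ip].add(msg["name"])
    return {ip for ip, names in names_answered.items() if len(names) >= threshold}

# Constructed sample traffic (not a real capture; addresses and names are made up): a workstation
# queries four names; 10.0.0.20 answers only for itself, while 10.0.0.99 answers for every name.
SAMPLE_EVENTS = [
    ("10.0.0.5", build_llmnr(1, "fileserver01")),
    ("10.0.0.20", build_llmnr(1, "fileserver01", "10.0.0.20")),
    ("10.0.0.99", build_llmnr(1, "fileserver01", "10.0.0.99")),
    ("10.0.0.5", build_llmnr(2, "wpad")),
    ("10.0.0.99", build_llmnr(2, "wpad", "10.0.0.99")),
    ("10.0.0.5", build_llmnr(3, "printsrv")),
    ("10.0.0.99", build_llmnr(3, "printsrv", "10.0.0.99")),
    ("10.0.0.5", build_llmnr(4, "sharedrive")),
    ("10.0.0.99", build_llmnr(4, "sharedrive", "10.0.0.99")),
]
if __name__ == "__main__":
    print("suspected poisoners:", find_poisoners(SAMPLE_EVENTS))
```

The same counting logic applies to NBT-NS and mDNS responses once their own headers are parsed; the threshold keeps a host that legitimately answers for one or two aliases out of the alert.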

There are a few additional branching paths that an attacker could take during this process that are important to note:

  • On Step 1: If no systems vulnerable to NTLM relay are detected, the attacker may still proceed and, instead of relaying, simply capture as many hashed passwords as possible and break them offline using consumer-grade GPU compute power with dictionary or brute-force attacks to gain account access.
  • On Step 2: If no multicast name resolution is available and IPv6 is managed, the attacker can look at a few other options:
      • Man-in-the-middle via ARP cache poisoning
      • Triggering authentication through phishing or other social engineering techniques
      • Any other technique to trigger or intercept authentication not yet identified
  • On Step 3: If no access is gained from relaying, the attacker may still try to break the password offline using the previously described techniques.

Our next blog post will review some steps you can take to mitigate these risks!