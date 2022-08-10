Before we can understand what can be done with these newly acquired credentials, we must first look at a high-level overview of how Net-NTLM works. Net-NTLM is known as a challenge-response authentication protocol, meaning during authentication, a question the server already has the answer to is given to the client; if the client answers correctly, they are authenticated. In this case, the question is: can you encrypt and then proceed to hash a random sequence of numbers using the user’s credentials as the encryption key? This process follows the following steps:

A user inputs their username and password, and the inputted password is hashed using the NT hashing algorithm. The client sends a request for authentication. The server generates a random sequence of numbers to use as a challenge. The server generates a solution to its challenge by fetching the user’s NT hashed password from its database, encrypting the challenge, and then hashing the result. The challenge is sent to the client. The client encrypts the challenge using the NT hashed password inputted by the user as the key and then hashes the result. This is then sent back to the server. The server receives the client’s answer and compares it to its own. If they match, authentication is successful.

Now that we understand Net-NTLM a bit more. Let’s see what can be done using our previously intercepted credentials. One option is to perform a password cracking attack, which may fail due to the complexity of the password. You may be thinking about passing this hash, but this is impossible because we have intercepted a Net-NTLM authentication hash, not an NT hash. One native vulnerability in this protocol is known as a Net-NTLM relay attack. It allows threat actors to coerce authentication and then relay each request as it occurs to a target. If successful, it may result in a threat actor gaining immediate control over a machine if that user had local administrator permissions.

Let’s continue our previous example to understand what a Net-NTLM relay attack is. An attacker heard our victim asking for the location of a shop and successfully redirected the unsuspecting client to their fake store. In this example, the victim pays using their cell phone, which generates a unique time-limited code that can be used to withdraw money from the account once. Upon checkout, the attacker relays the generated code and makes one purchase using the victim’s account.

A Net-NTLM relay attack works in the same fashion. When we originally coerced our authentication, we had the victim authenticate to our device. Instead, we could have forwarded their login process to another machine that will see the login attempt as being established by the attacker.

To protect against Net-NTLM relay and other machine-in-the-middle vulnerabilities, Microsoft introduced SMB signing over two decades ago in Windows Server 2000. This addition to the Net-NTLM authentication protocol helped ensure that messages were not tampered with while enroute to the server. In theory, this attack vector should have been squashed long ago. In practice, all versions of Windows besides Windows server do not enable SMB signing by default. As a result, most organizations are unaware that their default deployment of this operating system is vulnerable to an attack from two decades ago.

Let us continue with our scenario by resuming with you analyzing the information from the recon phase, which reveals that most hosts do not have SMB signing enabled. Using this knowledge, you start your authentication coercion attacks. Any coerced credentials are then sent to a tool currently configured to relay them to the vulnerable servers. After three minutes of runtime, you relay a user with local administrator privileges over a device.