Figure 5 – NNS handshake structure

The server then sends back an NNS NTLMSSP_Challenge message containing a challenge, which the client uses to build the NTLMSSP_AUTH message that it returns to the server as the challenge-response for authentication. After successful authentication, the server sends a final NNS handshake message (0x15) indicating the status of the authentication. Of note, we quickly learned that ADWS is not vulnerable to NTLM relay attacks, because the server requires message signing.

After the NMF connection has been successfully upgraded to NNS and the client has authenticated to the server, the client sends the NMF Preamble End message (0xC), telling the server that the preamble has been completed. The server responds with an NMF Preamble Acknowledgement message (0xB), acknowledging the preamble is finished and the client can now send data.

As mentioned earlier, data sent to the server needs to be structured in the NBFSE format, as defined by the specification here. NBFSE is used to encode (serialize) SOAP data for transmission over NMF. NBFSE is an extension of NBFS (.NET Binary Format: SOAP Data Structure), which is itself an extension of NBFX (.NET Binary Format: XML Data Structure), so we had to implement all three binary XML specifications. NBFSE requires the use of an in-band dictionary to reduce message size, but we found this requirement can be bypassed by sending messages with a blank in-band dictionary.
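To make the framing concrete, here is a small NBFSE encoder written as an added example (it is not the authors' tooling). It assumes the MC-NBFX/MC-NBFSE record layout as documented: a MultiByteInt31-prefixed in-band string table ahead of the NBFX body, ShortElement (0x40), ShortDictionaryElement (0x42) with odd in-band ids (2*index + 1), Chars8/Chars16TextWithEndElement (0x99/0x9B) and EndElement (0x01); the element trees are constructed sample input.

```python
# Minimal NBFSE encoder: in-band string table + NBFX element/text records.
# Record codes assumed from MC-NBFX / MC-NBFSE; sample trees are constructed.

def mb_int31(n: int) -> bytes:
    """MultiByteInt31: little-endian base-128 varint used for all lengths/ids."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def nbfx_string(s: str) -> bytes:
    """NBFX String: MultiByteInt31 byte length followed by UTF-8 bytes."""
    data = s.encode("utf-8")
    return mb_int31(len(data)) + data

def encode_node(node, table: list) -> bytes:
    """node = (name, "text") or (name, [child nodes]); no prefixes/attributes."""
    name, content = node
    if name in table:
        # ShortDictionaryElement: in-band strings carry odd ids (2*index + 1)
        out = b"\x42" + mb_int31(2 * table.index(name) + 1)
    else:
        out = b"\x40" + nbfx_string(name)            # ShortElement with literal name
    if isinstance(content, str):
        data = content.encode("utf-8")
        if len(data) < 256:                           # Chars8TextWithEndElement
            return out + b"\x99" + bytes([len(data)]) + data
        if len(data) < 65536:                         # Chars16TextWithEndElement
            return out + b"\x9B" + len(data).to_bytes(2, "little") + data
        raise ValueError("text too long for this encoder")
    for child in content:
        out += encode_node(child, table)
    return out + b"\x01"                              # EndElement

def nbfse_message(root, in_band=()) -> bytes:
    """NBFSE = string table (size + strings) followed by the NBFX body.
    With in_band=() the table is blank and the message starts with 0x00,
    which is the 'blank in-band dictionary' form discussed above."""
    table = list(in_band)
    strings = b"".join(nbfx_string(s) for s in table)
    return mb_int31(len(strings)) + strings + encode_node(root, table)

if __name__ == "__main__":
    tree = ("root", [("a", "hi"), ("a", "yo")])   # constructed sample
    print(nbfse_message(tree).hex())                # blank in-band dictionary
    print(nbfse_message(tree, in_band=("a",)).hex())  # "a" encoded once, referenced by id 1
```

Real ADWS envelopes additionally use prefixed elements, xmlns attributes and the NBFS static dictionary, which this encoder does not cover.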

After implementing NBFSE, our focus shifted to understanding how a client interacts with ADWS after completing the authentication process. Originally, we wanted to query LDAP, so the first data message we implemented was the ADWS Enumeration message. This message includes the LDAP query that should be used by the server to query the local LDAP service, as well as a list of LDAP attributes that should be returned for each object. Additionally, each enumeration message defines the “Enumerate” Action and the “Enumeration” endpoint. Note that each message from this point on is a full SOAP data message; for example, an Enumeration message is shown below: