Microsoft is aware of the vulnerability, considers it "well known"

Jul 15, 2014 23:37 GMT

A proof-of-concept (PoC) attack has been crafted by a cybersecurity firm for a design flaw in the Active Directory service, which would allow an attacker to modify the victim’s password even if some protection measures are in place.

Security researchers from Israeli firm Aorato found that, using a freely available penetration testing tool, an attacker could steal an authentication component from an employee's device.

The component is the NTLM hash, which relies on weak cryptography, acts as a password equivalent for network services and is present on any device used to connect to the resources of the enterprise.

The NTLM and Kerberos protocols are the ones used for the single sign-on (SSO) authentication process employed by Active Directory.

NTLM is quite old and is no longer compatible with post-Windows XP SP3 versions, which rely on Kerberos instead. Kerberos works with stronger encryption, RC4-HMAC, and more secure ciphers such as AES.

However, backward compatibility requires NTLM to remain enabled, and the RC4-HMAC algorithm in Kerberos accepts the NTLM hash as its key, thus leaving client authentication vulnerable even on the newer Windows operating systems.

It is worth noting that the AES algorithm, which is turned on by default in Kerberos, does not accept the NTLM hash as its key.

Aorato says in a blog post that this type of attack, called “pass-the-hash” (PtH), is totally invisible because it “is not logged in system and 3rd party logs - even those that specifically log NTLM activity. As a result, no alerts, or forensic data, ever indicate that an attack takes place.”

Once validated by Active Directory, the attacker is free to access restricted services, as well as modify the password of the targeted victim.

Microsoft is aware of this design flaw and, when contacted in relation to the disclosure of the vulnerability, they told Aorato that this was a “well known” issue.

Tal Be'ery, Aorato's vice president of research, said that “Kerberos supersedes NTLM due to security issues. Accordingly, there shouldn’t be a dependence of Kerberos on NTLM.”

Despite the design flaw being widely known, about 95% of the Fortune 1000 companies have an Active Directory deployment, which puts them on the map of potential victims.

“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure. The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data.

“Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected,” said Be'ery.

Aorato proposes a set of external mitigation measures that include detecting authentication protocol anomalies, monitoring clients' unusual access to resources, limiting the opportunities to steal the NTLM hash, and keeping systems updated with the newest patches.
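As an added, hypothetical example (not the article's or Aorato's code), here is detection logic in the spirit of the "authentication protocol anomalies" mitigation above: it flags Kerberos ticket requests using RC4-HMAC from accounts that elsewhere in the same log used AES, which is the trace that keying Kerberos with an NTLM hash (the RC4-HMAC dependency described above) leaves in the domain controller's Security event 4768. The simplified log format, account names and addresses are constructed for the example.

```python
"""Flag Kerberos RC4-HMAC ticket requests from accounts that normally use AES.

Hypothetical detection logic. Windows domain controllers log TGT requests as
Security event 4768 with a TicketEncryptionType field: 0x17 is RC4-HMAC (keyed
by the NTLM hash), 0x11/0x12 are AES128/AES256. An AES-capable account suddenly
asking for an RC4 ticket is the anomaly a Kerberos-with-NTLM-hash attempt leaves
behind. The key=value log format below is a constructed simplification.
"""
import re

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}

# Constructed sample events: a normal AES user, a legacy RC4-only account,
# then the AES user requesting an RC4 ticket from a different client.
SAMPLE_LOG = """\
EventID=4768 Account=alice@CORP.LOCAL Client=10.0.0.21 EncType=0x12
EventID=4768 Account=alice@CORP.LOCAL Client=10.0.0.21 EncType=0x12
EventID=4768 Account=legacyapp@CORP.LOCAL Client=10.0.0.50 EncType=0x17
EventID=4768 Account=alice@CORP.LOCAL Client=10.0.0.99 EncType=0x17
EventID=4624 Account=alice@CORP.LOCAL Client=10.0.0.21 LogonType=3
"""

LINE_RE = re.compile(
    r"EventID=(\d+) Account=(\S+) Client=(\S+)(?: EncType=(0x[0-9a-fA-F]+))?")


def parse_events(text):
    """Return [(account, client, enc_type or None)] for event 4768 lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "4768":
            continue
        enc = int(m.group(4), 16) if m.group(4) else None
        events.append((m.group(2), m.group(3), enc))
    return events


def rc4_downgrade_alerts(events):
    """Alert on RC4 TGT requests for accounts seen using AES in the same log.
    Accounts that only ever use RC4 (legacy systems) are baseline, not alerts."""
    aes_users = {acct for acct, _, enc in events if enc in AES_TYPES}
    return [(acct, client) for acct, client, enc in events
            if enc == RC4_HMAC and acct in aes_users]


if __name__ == "__main__":
    for acct, client in rc4_downgrade_alerts(parse_events(SAMPLE_LOG)):
        print(f"ALERT: RC4-HMAC ticket request for AES-capable account {acct} from {client}")
```

In a real deployment the AES baseline would be built from historical events or from the account's msDS-SupportedEncryptionTypes attribute rather than from the same batch of log lines.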