Understanding the AD CS with NTLM relaying attack

Active Directory NTLM Relaying Attack

Understanding the AD CS with NTLM relaying attack

Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. This article will help you understand NTLM Relaying Attack and how to prevent it.

Table of Contents

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. PKI is a technology used to manage digital certificates and public-private key pairs to secure communication, authenticate users, and ensure the integrity of data. Active Directory Certificate Services (AD CS) presents various security risks for organizations. These encompass issues like mismanaged certificates causing communication disruptions, compromised keys leading to unauthorized access and data decryption, vulnerabilities arising from weak encryption configurations, potential man-in-the-middle attacks exploiting certificate issuance, unauthorized users abusing lax access controls for nefarious certificate requests, risks tied to insecure certificate templates, credential theft from compromised components, denial of service attacks hampering certificate services and misconfigured permissions permitting unauthorized access. Additional Active Directory security articles here.

Exploiting the Vulnerability

The attack shown below utilizes the man-in-the-middle portion and loops in another vulnerability known publicly as “PetitPotam. PetitPotam is a security flaw that impacts Windows systems leveraging the Microsoft Windows RPCSS service.  Exploiting this vulnerability involves coercing the system into initiating a remote NTLM authentication exchange to a chosen target.

By combining these attack methods, an attacker can coerce a domain controller account to authenticate to their machine then reflect the credential to an identified certificate authority. If the certificate authority has web enrollment services enabled, they in turn receive a certificate for the domain controller’s machine account

Attack Path

As shown below in Figure 1, the attack starts by obtaining access to a domain credential, followed by identifying a certificate authority using web enrollment services. Ntlmrelayx is then started, pointing at the certificate authority using the “DomainConroller” template and “adcs” flag.BLOE

NTLM Relay Attack
Figure 1

With ntlmrelayx patiently waiting for a machine to authenticate to it, PetitPotam is then launched using the compromised credential, which in this case is “testmctesty”. The attack is successful. (Figure 2)

Attack path to Domain Admin
Figure 2

Going back to ntlmrelayx we now see a Base64 certificate for the domain controller’s machine account. (Figure 3)

Offensive Security- Understanding Active Directory Exploit
Figure 3

We decode the Base64 certificate and preserve it as a private key. Utilizing this newly acquired private key, we proceed to request a TGT file. A TGT, acquired from Kerberos upon successful authentication, empowers us to solicit supplementary tickets known as service tickets. These service tickets bestow access to particular resources or services, all without necessitating the user to furnish their credentials repeatedly. (Figure 4)

Hacking Active Directory
Figure 4

With the TGT in hand we search for a privileged account throughout the domain. With a target account we request a service ticket that is valid on the host for which you’ve obtained a certificate. (Figure 5)

Exploiting Active Directory
Figure 5

Upon successfully obtaining a certificate for the host, which incidentally operates as a domain controller, we gain the means to actively compromise the entire domain. Subsequently, we can advance to secure the domain’s NTDS.dit file, which centrally stores the NTLM hashed passwords for all accounts within the domain. (Figure 6)

NTLM Relay Attack
Figure 6

AD CS + NTLM Relay Attack Summary

Factors that make an Active Directory (AD) environment susceptible to an AD CS + NTLM relay attack are:

  • ADCS is configured to allow NTLM authentication
  • NTLM authentication is not protected by EPA or SMB signing
  • ADCS is running either Certificate Authority Web Enrollment or Certificate Enrollment Web Service

Recommendations

  • Disabling NTLM Authentication on Windows domain controllers.
  • Disabling NTLM on any AD CS Servers in your domain
  • Disabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
  • Disabling “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service” services.

References

Picture of Kyle Thompson, Sr. Penetration Tester at Redbot Security

Kyle Thompson, Sr. Penetration Tester at Redbot Security

Kyle brings over seven years of experience in cybersecurity focusing on network penetration testing, social engineering, and physical security assessments. Kyle attended Ferris State University, graduating with a bachelor's degree in "Information Security and Intelligence" and actively holds Security+ and Network+ certifications. Kyle was the fastest in his previous company's history to work up to go from a junior-level penetration tester to a senior.

Kyle helps clients uncover hidden exposures and gain fresh insights that improve their security posture by keeping up to date with cutting edge attacks.

Contact Redbot Security

Pen-Test Project Quote

Penetration Testing Service Provider

Our expert team will help scope your project and provide a fast and accurate project estimate.

Contact Redbot Security

Related Articles

Ransomware Nightmare

Android Malware

The likelihood of a cyber attack on a mobile platform is significantly high, but how difficult is it for a malicious actor to generate malware? You might be surprised.

Read More »
How to prevent active directory attack

AS-REP Roasting

Kerberos Authentication Service Response (AS-REP) Roasting, a technique similar to Kerberoasting, has gained prominence as a method for attackers to compromise Active Directory (AD) authentication systems.

Read More »
Common Attacks

Microsoft Windows Laptop Security

Malicious actors prey on weak configurations like locusts. Microsoft, despite knowing that their operating systems, have inherent weaknesses have done little to enhance their initial security outside of remediation for publicly known vulnerabilities.

Read More »
Red Team vs Penetration Testing

Evolving Your Cybersecurity: From Penetration Testing to Red Teaming

While penetration testing is valuable in identifying technical vulnerabilities, red teaming provides a more holistic assessment by simulating realistic threat scenarios. By embracing red teaming, organizations can bolster their defenses, uncover weaknesses, and stay one step ahead of sophisticated adversaries.

Read More »
Pen Testing Industrial Control Systems

ICS/SCADA Penetration Testing: Where to Start

Becoming proficient in Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) network testing can appear daunting as there are fewer learning resources.

Read More »

Additional Articles
that you may find helpful

Security Management Platform

Cymbiotic is a revolutionary, scalable platform providing unparalleled security management: on-demand testing, secure reporting, and remediation tracking, while also acting as an advanced attack surface management platform ... for every network.

Pen-Test Project Quote

Penetration Testing Service Provider

Our expert team will help scope your project and provide a fast and accurate project estimate.

Contact Redbot Security
Show Buttons
Hide Buttons