Understanding the AD CS with NTLM relaying attack

Active Directory NTLM Relaying Attack

Understanding the AD CS with NTLM relaying attack

Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. This article will help you understand NTLM Relaying Attack and how to prevent it.

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. PKI is a technology used to manage digital certificates and public-private key pairs to secure communication, authenticate users, and ensure the integrity of data. Active Directory Certificate Services (AD CS) presents various security risks for organizations. These encompass issues like mismanaged certificates causing communication disruptions, compromised keys leading to unauthorized access and data decryption, vulnerabilities arising from weak encryption configurations, potential man-in-the-middle attacks exploiting certificate issuance, unauthorized users abusing lax access controls for nefarious certificate requests, risks tied to insecure certificate templates, credential theft from compromised components, denial of service attacks hampering certificate services and misconfigured permissions permitting unauthorized access. Additional Active Directory security articles here.

Exploiting the Vulnerability

The attack shown below utilizes the man-in-the-middle portion and loops in another vulnerability known publicly as “PetitPotam. PetitPotam is a security flaw that impacts Windows systems leveraging the Microsoft Windows RPCSS service.  Exploiting this vulnerability involves coercing the system into initiating a remote NTLM authentication exchange to a chosen target.

By combining these attack methods, an attacker can coerce a domain controller account to authenticate to their machine then reflect the credential to an identified certificate authority. If the certificate authority has web enrollment services enabled, they in turn receive a certificate for the domain controller’s machine account

Attack Path

As shown below in Figure 1, the attack starts by obtaining access to a domain credential, followed by identifying a certificate authority using web enrollment services. Ntlmrelayx is then started, pointing at the certificate authority using the “DomainConroller” template and “adcs” flag.BLOE

NTLM Relay Attack
Figure 1

With ntlmrelayx patiently waiting for a machine to authenticate to it, PetitPotam is then launched using the compromised credential, which in this case is “testmctesty”. The attack is successful. (Figure 2)

Attack path to Domain Admin
Figure 2

Going back to ntlmrelayx we now see a Base64 certificate for the domain controller’s machine account. (Figure 3)

Offensive Security- Understanding Active Directory Exploit
Figure 3

We decode the Base64 certificate and preserve it as a private key. Utilizing this newly acquired private key, we proceed to request a TGT file. A TGT, acquired from Kerberos upon successful authentication, empowers us to solicit supplementary tickets known as service tickets. These service tickets bestow access to particular resources or services, all without necessitating the user to furnish their credentials repeatedly. (Figure 4)

Hacking Active Directory
Figure 4

With the TGT in hand we search for a privileged account throughout the domain. With a target account we request a service ticket that is valid on the host for which you’ve obtained a certificate. (Figure 5)

Exploiting Active Directory
Figure 5

Upon successfully obtaining a certificate for the host, which incidentally operates as a domain controller, we gain the means to actively compromise the entire domain. Subsequently, we can advance to secure the domain’s NTDS.dit file, which centrally stores the NTLM hashed passwords for all accounts within the domain. (Figure 6)

NTLM Relay Attack
Figure 6

AD CS + NTLM Relay Attack Summary

Factors that make an Active Directory (AD) environment susceptible to an AD CS + NTLM relay attack are:

  • ADCS is configured to allow NTLM authentication
  • NTLM authentication is not protected by EPA or SMB signing
  • ADCS is running either Certificate Authority Web Enrollment or Certificate Enrollment Web Service

Recommendations

  • Disabling NTLM Authentication on Windows domain controllers.
  • Disabling NTLM on any AD CS Servers in your domain
  • Disabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
  • Disabling “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service” services.

References

Contact Redbot Security

Related Articles