Active Directory NTLM Relaying Attack
Understanding the AD CS with NTLM relaying attack
Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. This article will help you understand NTLM Relaying Attack and how to prevent it.
Active Directory Certificate Services
Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a robust and customizable public key infrastructure (PKI) framework. PKI is a technology used to manage digital certificates and public-private key pairs to secure communication, authenticate users, and ensure the integrity of data. Active Directory Certificate Services (AD CS) presents various security risks for organizations. These encompass issues like mismanaged certificates causing communication disruptions, compromised keys leading to unauthorized access and data decryption, vulnerabilities arising from weak encryption configurations, potential man-in-the-middle attacks exploiting certificate issuance, unauthorized users abusing lax access controls for nefarious certificate requests, risks tied to insecure certificate templates, credential theft from compromised components, denial of service attacks hampering certificate services and misconfigured permissions permitting unauthorized access. Additional Active Directory security articles here.
Exploiting the Vulnerability
The attack shown below utilizes the man-in-the-middle portion and loops in another vulnerability known publicly as “PetitPotam. PetitPotam is a security flaw that impacts Windows systems leveraging the Microsoft Windows RPCSS service. Exploiting this vulnerability involves coercing the system into initiating a remote NTLM authentication exchange to a chosen target.
By combining these attack methods, an attacker can coerce a domain controller account to authenticate to their machine then reflect the credential to an identified certificate authority. If the certificate authority has web enrollment services enabled, they in turn receive a certificate for the domain controller’s machine account
Attack Path
As shown below in Figure 1, the attack starts by obtaining access to a domain credential, followed by identifying a certificate authority using web enrollment services. Ntlmrelayx is then started, pointing at the certificate authority using the “DomainConroller” template and “adcs” flag.BLOE
With ntlmrelayx patiently waiting for a machine to authenticate to it, PetitPotam is then launched using the compromised credential, which in this case is “testmctesty”. The attack is successful. (Figure 2)
Going back to ntlmrelayx we now see a Base64 certificate for the domain controller’s machine account. (Figure 3)
We decode the Base64 certificate and preserve it as a private key. Utilizing this newly acquired private key, we proceed to request a TGT file. A TGT, acquired from Kerberos upon successful authentication, empowers us to solicit supplementary tickets known as service tickets. These service tickets bestow access to particular resources or services, all without necessitating the user to furnish their credentials repeatedly. (Figure 4)
With the TGT in hand we search for a privileged account throughout the domain. With a target account we request a service ticket that is valid on the host for which you’ve obtained a certificate. (Figure 5)
Upon successfully obtaining a certificate for the host, which incidentally operates as a domain controller, we gain the means to actively compromise the entire domain. Subsequently, we can advance to secure the domain’s NTDS.dit file, which centrally stores the NTLM hashed passwords for all accounts within the domain. (Figure 6)
AD CS + NTLM Relay Attack Summary
Factors that make an Active Directory (AD) environment susceptible to an AD CS + NTLM relay attack are:
- ADCS is configured to allow NTLM authentication
- NTLM authentication is not protected by EPA or SMB signing
- ADCS is running either Certificate Authority Web Enrollment or Certificate Enrollment Web Service
Recommendations
- Disabling NTLM Authentication on Windows domain controllers.
- Disabling NTLM on any AD CS Servers in your domain
- Disabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.
- Disabling “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service” services.
References
- https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
- https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
- https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
- https://github.com/topotam/PetitPotam
- https://github.com/dirkjanm/PKINITtools
- https://github.com/fortra/impacket
Contact Redbot Security
Related Articles
-
Offensive Security
What is Offensive Security? Discover Offensive Security and learn how... -
What is Social Hacking?
Social hacking is an attack on the human operating system,... -
What You Need to Know About PCI Penetration Testing
A pen test, on the other hand, is a manual... -
What is Penetration Testing (pen-testing)?
Penetration testing (pen-testing) is the art and science of... -
Our Nation Under Attack
The basic necessities of life; water, power and transportation are... -
Manual Penetration Testing – Manual Testing vs Automated Testing
Manual Penetration Testing is essential for critical infrastructure. Scanning... -
What is Penetration Testing & Its Different Types
Manual Penetration Testing is essential for critical infrastructure. Scanning... -
Common cybersecurity issues that are easy to fix
Most companies know that critical vulnerabilities can be resolved simply...
Redbot Social