27 May 2024

Top five vulnerabilities and how to avoid them: Relaying

This blog explores recent research on NTLM relay attacks, which exploit the netNTLMv1/2 protocol used for Windows domain authentication. It explains how attackers can intercept authentication exchanges through man-in-the-middle attacks or by tricking users into connecting to rogue servers. This enables them to relay authentication requests, impersonate victims, and achieve remote code execution, information disclosure, and privilege escalation.

A lot of fantastic research has been done on NTLM relay attacks recently. Windows domains rely heavily on the netNTLMv1/2 protocol to authenticate users against other Windows hosts on the domain that host network services, including SMB, HTTP, LDAP, MSSQL and IMAP, to name a few.

By inserting themselves into the authentication exchange between the client and the server, either by conducting man-in-the-middle attacks or by inducing a user or service to authenticate to a rogue authentication server, attackers can relay the authentication request on to other services, impersonating the victim. This results in remote code execution, information disclosure and, often, privilege escalation.

What to do 

The only way to completely eliminate NTLM relay vulnerabilities is to disable NTLM authentication entirely and use Kerberos. Where that is not possible, there are a number of configuration changes you can make to harden the various protocols that accept NTLM authentication and make relay attacks much harder to perform.

SMB Signing 

SMB Signing should be enabled on all Windows Hosts (Servers and Workstations). 

Group Policy: 

  1. Start -> Run -> gpedit.msc 
  2. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options 
  3. Set "Microsoft network client: Digitally sign communications (always)" to Enabled
  4. Set "Microsoft network server: Digitally sign communications (always)" to Enabled

There is still a possibility for an attacker to downgrade the connection to accept unsigned authentication. This can be fixed by implementing the change via the Registry. 

  1. Start -> Run -> regedit.exe 
  2. HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Services -> LanmanServer (or LanmanWorkstation for clients) -> Parameters
  3. Set "EnableSecuritySignature" to 1 (enable) 
  4. Set "RequireSecuritySignature" to 1 (enable) 

Please note that enabling SMB signing will add an overhead to SMB traffic, which, depending on the setup, may decrease network performance. 

LDAP Signing 

Enable LDAP Signing on all Domain Controllers 

Via Group Policy 

  • Select "Default Domain Controllers Policy" > "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies", and then select Security Options.
  • Right-click "Domain controller: LDAP server signing requirements", and then select Properties.
  • In the "Domain controller: LDAP server signing requirements Properties" dialog box, enable "Define this policy setting", select "Require signing" in the "Define this policy setting" list, and then select OK.
  • In the Confirm Setting Change dialog box, select Yes. 

More Information: 

LDAP Channel Binding 

Ensure the security update is installed: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563 

Then the following registry key should be set on all Domain Controllers: 

  • Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  • Setting: LdapEnforceChannelBinding 
  • Value: 2 

A value of 1 means enabled, when supported: all clients running a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server, while clients running a version of Windows that has not been updated to support CBT do not have to. This is an intermediate option that allows for application compatibility. However, it may let an attacker spoof the version of Windows so that an unsupported version is presented, bypassing the protection. We therefore recommend the following value instead.

A value of 2 means enabled, always: all clients must provide channel binding information, and the server rejects authentication requests from clients that do not.
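To check that the registry-level hardening from the SMB Signing and LDAP Channel Binding sections above has actually landed on a host, the following PowerShell audit script can be run in an elevated session. It is an added example, not code from the original post; the LDAPServerIntegrity check is an assumption added here (the registry value behind "LDAP server signing requirements", where 2 means require signing) and is not listed in the post.

```powershell
# Added example (not from the original post): audit NTLM relay hardening settings.
# Each check names the registry path, value name, the value recommended above, and
# whether it only applies to domain controllers (NTDS keys do not exist elsewhere).
function Test-NtlmRelayHardening {
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name = 'RequireSecuritySignature'; Expected = 1; DcOnly = $false
           What = 'SMB server signing required' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Name = 'RequireSecuritySignature'; Expected = 1; DcOnly = $false
           What = 'SMB client signing required' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Name = 'LdapEnforceChannelBinding'; Expected = 2; DcOnly = $true
           What = 'LDAP channel binding always enforced' },
        # Assumed value name: not in the post, but it is what the LDAP signing GPO sets.
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Name = 'LDAPServerIntegrity'; Expected = 2; DcOnly = $true
           What = 'LDAP server signing required (assumed value name)' }
    )

    # DomainRole 4 or 5 means this host is a domain controller.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    foreach ($c in $checks) {
        if ($c.DcOnly -and -not $isDc) { continue }
        # A missing value is reported as MISSING: the setting has not been applied,
        # so the host falls back to its default rather than the hardened value.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $status = if ($actual -eq $c.Expected) { 'OK' }
                  elseif ($null -eq $actual) { 'MISSING' }
                  else { 'WEAK' }
        [pscustomobject]@{
            Check    = $c.What
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = $status
        }
    }
}

# Run the audit and show one row per check; anything not OK still needs attention.
Test-NtlmRelayHardening | Format-Table -AutoSize
```

Because Group Policy writes these same registry values, a MISSING or WEAK row on a domain-joined host usually means the policy has not applied yet or is being overridden by a more specific GPO.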

More Information: 

CVE-2019-1040

Ensure the security update for CVE-2019-1040 "Windows NTLM Tampering Vulnerability" is installed to prevent certain relay attacks known as "drop the MIC".

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040 

CVE-2020-1113 

Ensure the security update for CVE-2020-1113 "Windows Task Scheduler Security Feature Bypass Vulnerability" is installed to help prevent NTLM relay attacks that leverage RPC.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1113