Extraction and analysis of NTLM protocol

Fofabot
5 min read · Jan 16, 2023


The Value of the NTLM Protocol

The NTLM protocol is supported by many Windows interfaces that carry authentication, so NTLM exposes much helpful information to both attackers and defenders. NTLM is not a transport of its own; it is carried inside other application protocols. During a Windows authentication exchange, NTLM often gives away system information such as the OS version, hostname, build number, etc.

  • An attacker can obtain this information through NTLM; the hostname can also be used in brute-force attacks, etc.
  • A defender can obtain information about the attacker’s server directly from the same fields, which is of great help when collecting incident details and identifying attackers.

This article introduces the NTLM protocol through packet capture and shows how FOFA integrates NTLM information extracted from traffic.

What is NTLM?

The NT LAN Manager (NTLM) Authentication Protocol is used for authentication between clients and servers. Its extensions provide additional capability for authorization information, including group memberships, interactive logon information, message integrity, and constrained delegation and encryption supported by Kerberos principals.

Microsoft’s official description:

NTLM authentication is a family of authentication protocols encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager versions 1 and 2 and NTLM versions 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account.

Note: NTLM requires users to prove their identity to a server in order to use the services that server provides.

The NTLM protocol is still maintained on Windows systems because:

  • Strong compatibility with older clients;
  • NTLM authentication is still supported and must be used for Windows authentication on systems configured as workgroup members;
  • NTLM authentication is used for local logon authentication on non-domain controllers.

How to extract NTLM information?

Let’s start by analyzing the NTLM communication process.

NTLM uses a Challenge/Response process for user authentication. This process has three steps:

1. Client → Negotiate message.

2. Server → Challenge message.

3. Client → Authenticate message.

Step1: NEGOTIATE_MESSAGE

This case is based on WinRM on port 5985.

The packet capture shows the corresponding information as follows.

Step2: CHALLENGE_MESSAGE

The server responds with a message that contains the list of features the server supports and agrees to, together with the server-generated Challenge.

This message includes Target_Name, Product_Version, OS, etc.

The hostname and operating system version can be extracted very accurately.

The packet capture shows the corresponding information as follows.

At this step we have already obtained the desired information; the third step (Authenticate) is not needed for collection. This article only covers how NTLM helps with information gathering. Next, we give an example of NTLM information extraction.

NTLM Extraction for WinRM

Selection

Following the introduction to NTLM above, we use FOFA to find assets related to Microsoft or NTLM.

FOFA Query: banner="ntlm" || banner="microsoft"

The search results show the number of matching assets. To narrow them down for analysis, we filter further using the port ranking.

The TOP 5 ports are: 3389, 80, 135, 443, 5985.

Port 5985 has 5,382,552 results. A port this common is likely the default port of a Microsoft product; after analysis, it was found to be the default port of WinRM.

WinRM Introduction

Windows Remote Management (WinRM) is one component of the Windows Hardware Management features, which manage server hardware locally and remotely.

WinRM 2.0: The default HTTP port is 5985, and the default HTTPS port is 5986.

Note: WinRM can manage server hardware locally and remotely.

According to the previous introduction of the NTLM interaction process:

1. First, we send **Authorization: Negotiate TlRMTVN…… AAAADw==** to perform message negotiation (the Negotiate message).

2. The server responds with a message like this:

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAHgAeADgAAAAF……HVY/dgBAAAAAA==

The server returns the Challenge message base64-encoded; decoding it gives us the Target_Name, Product_Version, OS, etc.
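As an added example (not from the original article and not FOFA’s code), the following Python decodes a WWW-Authenticate: Negotiate value exactly as step 2 describes and pulls out Target_Name, Product_Version and the host/domain names carried in the TargetInfo AV_PAIR list. The host WIN-EXAMPLE, the domain lab.local and the build 10.0.17763 are constructed sample values; build_sample_challenge exists only to produce an offline test token.

```python
import base64
import struct

NEGOTIATE_VERSION = 0x02000000  # NTLMSSP_NEGOTIATE_VERSION: Version field is present
# MsvAvId values in the TargetInfo AV_PAIR list (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}


def parse_challenge(www_authenticate: str) -> dict:
    """Decode the CHALLENGE_MESSAGE (Type 2) from a 'WWW-Authenticate: Negotiate <b64>'
    value and return Target_Name, Product_Version and the TargetInfo names."""
    msg = base64.b64decode(www_authenticate.strip().split()[-1])
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE (Type 2)")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]               # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:                              # Version sits at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos = ti_off
    while pos + 4 <= ti_off + ti_len:                          # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


def build_sample_challenge() -> str:
    """Constructed Type 2 token for a fictitious host WIN-EXAMPLE (not a real capture)."""
    u16 = lambda s: s.encode("utf-16-le")
    target = u16("WIN-EXAMPLE")
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in
                  ((1, target), (2, target), (3, u16("win-example.lab.local")),
                   (4, u16("lab.local")))) + struct.pack("<HH", 0, 0)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), 56)   # fixed header is 56 bytes
           + struct.pack("<I", 0x00000001 | NEGOTIATE_VERSION)   # UNICODE | VERSION
           + b"\x11" * 8 + b"\x00" * 8                            # ServerChallenge, Reserved
           + struct.pack("<HHI", len(av), len(av), 56 + len(target))
           + struct.pack("<BBHBBBB", 10, 0, 17763, 0, 0, 0, 15)  # Windows 10.0.17763
           + target + av)
    return base64.b64encode(msg).decode()
```

Feeding a real captured header value such as the one shown above into parse_challenge yields the same fields FOFA displays; only the first 56 bytes are fixed, everything else is located through the Len/Offset fields.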

Note: This NTLM interaction has been integrated into FOFA, so a direct search with the following statement finds hosts that expose the NTLM protocol publicly.

FOFA Query:

(banner="ntlm" || banner="microsoft") && (port="5985" || port="5986")

You can directly see each machine’s OS version, build number, hostname, etc., on FOFA.

Practical Demonstration

NTLM can be found on top of different protocols, such as IMAP, HTTP, MySQL, etc. Let’s try a search on FOFA.

FOFA Query: banner="ntlm info"

Advanced: Asset Management via NTLM protocol

The extracted hostnames can be used to associate assets by Country/Region, Organization, IP Address, Hostname/Version, etc.

FOFA Query: banner="WIN-4QDI2DJTFMT"

At the End

NTLM provides additional system information for Windows assets; we will continue to dig deeper, and we welcome you to develop more exciting uses based on this protocol.

FOFA already supports NTLM information extraction over RDP, DCERPC, WinRM, IMAP, IMAPS, HTTP, SMTP, etc. There are still many protocols left to cover, such as Telnet, POP3, etc. We will continue to follow up.

Contact us:

Website: https://fofa.info

Twitter: https://twitter.com/fofabot

Telegram: https://t.me/+-5xC1wYcwollYWQ1

Email: service@baimaohui.net