Microsoft’s software for brokering network access, Active Directory, has a critical design flaw, but the software giant said the issue is old news and they have defenses in action.
Israeli security firm, Aorato, used public information to craft a proof-of-concept attack that shows how an attacker can change a person’s network password, potentially allowing access to other sensitive systems, said Tal Be’ery, vice president of research.
About 95 percent of Fortune 500 companies use Active Directory, making the problem “highly sensitive,” Be’ery said in a blog.
The company’s research focuses on NTLM, an authentication protocol Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.
NTLM is vulnerable to a “pass-the-hash” attack in which an attacker obtains the login credentials for a computer and can use the mathematical representation of those credentials — called a hash — to access other services or computers.
It’s one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.
The pass-the-hash attack is a long-known weakness around single sign-on systems (SSO) since the hash must store somewhere on a system for some amount of time. Other operating systems that accommodate SSO also end up affected by the threat.
Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.
Aorato found an attacker can grab an NTLM hash using publicly available penetration testing tools such as WCE or Mimikatz. It built a proof-of-concept tool that shows how attackers can then change a user’s password to an arbitrary one and access other services such as RDP (remote desktop protocol) or the Outlook web application.
Although some enterprises try to limit the use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker encryption protocol, RC4-HMAC, that uses the NTLM hash. That NTLM hash then ends up accepted by Kerberos, which issues a fresh authentication ticket.
Microsoft implemented Kerberos in order to move away from some of NTLM’s security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.
In May, Microsoft released a patch that contained improvements to make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but it is possible that could break some functionality.