As announced in our recent security advisory, Preempt researchers discovered how to bypass the Enhanced Protection for Authentication (EPA) mechanism to successfully launch NTLM relay attacks on any server that supports WIA (Windows Integrated Authentication) over TLS.
This attack technique could be used by attackers to attack critical servers such as:
- Exchange (OWA) - Perform NTLM relay to mail server and steal user emails
- Active Directory Federation Services (AD-FS) - Perform NTLM relay to HTTPS sessions and impersonate users on cloud resources.
- Active Directory - Perform NTLM relay to LDAPS and configure directory with malicious settings.
The vulnerability can be exploited on all Windows versions. Preempt has not identified any mitigating factors.
EPA - Background
NTLM relay is one of the most prevalent attacks on Active Directory environments. There are two mitigation techniques offered by Microsoft to thwart NTLM relay attacks - one is server signing which is used mainly in SMB and DCE/RPC, and the second is channel binding which is also known as EPA. EPA is a mechanism which ensures that all packets sent over a TLS channel are sent by a party that knows the client’s secret (in the NTLM case, the NT hash). This is achieved through binding the Windows authentication process with the TLS session by requiring the client to sign a derivative of the server’s certificate using the GSSAPI security. In NTLM, this is achieved by adding a specific channel binding AV pair in the NTLM_AUTHENTICATE message. Since the entire AV pairs structure is signed in the NTProofStr, an attacker cannot modify it without knowing the user’s NT hash.
Figure 1 - The NTLM_AUTHENTICATE message with channel binding
In a separate discovery, Preempt researchers have found a way to remove the Message Integrity Code (MIC) from the NTLM authentication. With the MIC missing, attackers can tamper with the NTLMSSP_CHALLENGE message. How can this be used to their advantage?
The NTLMSSP_CHALLENGE message contains a TargetInfo field and NTLM clients usually echo all AV pairs in the TargetInfo and include these in the AV pairs in the NTLMSSP_AUTHENTICATE message. This means that any attacker (that can modify NTLM messages) can send a malicious NTLM_CHALLENGE with a channel binding of their choice to attack any server that is protected with EPA.
Figure 2 - The malicious NTLM_CHALLENGE message with channel binding element
We believe that this is a serious attack vector because EPA is practically the only line of defense guarding critical servers such as AD-FS or OWA. In many organizations, it is very likely that an attacker with a small footprint in the network could make users authenticate via NTLM and relay their credentials. In fact, since AD-FS and OWA are often open to the internet, in some cases, an attacker could compromise these servers with no infected machines just by sending a malicious email (e.g., the attack depicted here)
Figure 3 - NTLM_AUTHENTICATE message with our implanted channel binding
It is important to understand that patching is not enough. In order to fully protect your servers from these type of NTLM relay attacks, you need to first enforce channel binding on all your servers. This task might be proven to be difficult since this needs to be done on every server (there is no group policy governing this feature). In addition, this vulnerability could be used to launch LDAPS relay attacks against domain controllers, similar to the ones discovered by Preempt in 2017. To prevent LDAPS relay attacks, channel binding must be enforced on all domain controllers.
How Preempt can Help
Preempt constantly works to protect its customers. Customers who have deployed Preempt have been consistently protected from NTLM relay attacks. The Preempt Platform provides full network NTLM visibility, allowing you to reduce NTLM traffic and analyze suspicious NTLM activity. In addition, Preempt has innovative industry-first deterministic NTLM relay detection capabilities and has the ability to inspect all GPO configurations and will alert on insecure configurations.For non-Preempt customers, this configuration inspection is also available in Preempt Lite, a free lightweight version of the Preempt Platform. You can download Preempt Lite here and verify which areas of your network are vulnerable.