In July, media reported that SingHealth, Singapore’s largest health organization, was breached with 1.5 million medical records stolen. The stolen records included those of Singapore’s prime minister Lee Hsien Loong. Consequently, a special inquiry had taken place, revealing that SingHealth had several security gaps and vulnerabilities which could have easily been exploited by attackers, including a local administrator account with a very weak password (P@ssw0rd). In fact, one of the ways which enabled the attackers to move laterally in the network was by using compromised Citrix local accounts.
Do you know if your organization is at risk because of a local administrator’s weak password? To help organizations detect and prevent weak and vulnerable passwords and network configurations, we have released a new version of Preempt Inspector.
Preempt Inspector is a free tool intended to help organizations discover potential weaknesses in their Active Directory environment and reduce their attack surface. The first version of Preempt Inspector focused on detecting users having a password which can be easily compromised – either by simply using a weak password, or by using a password which has been exposed during one of the largest breaches (such as the LinkedIn breach). The second version introduced some new features, one of them being discovering Stealthy Admins in Active Directory – users accounts which can easily obtain administrative privileges but are not members of any administrative groups. By analyzing the statistics, we have found that all organizations are vulnerable to most of these issues.
New features in Preempt Inspector version 3
Version 3 of Preempt Inspector does all the above with a few additional security features. Its main goal is to reduce the risk introduced by local administrators & prevent one of the most common attacks today: NTLM Relay.
Duplicate Local Admins
It is widely known that domain users are not the only ones which can put your organization at risk. Moreover, since most of the security products focus on protecting domain accounts, there is another type of account which is left for grabs for attackers to abuse – local accounts. One of the biggest issues related to local administrators is having a local administrator account with the same password on a group of domain machines (in the worst case, that group consists of all computers in the organization). In some cases, the duplication is intentional – such an account provides an easy way for the IT team to manage all domain computers.
In other cases, it might be caused by an “innocent mistake”: when new computers are created using the same image, all the SAM database, including all the local users and password, are cloned to all those machines. To make things even worse, in most cases, an attacker can detect such instances of cloned local admin passwords without any special privileges. The security impact is simple: it is enough to compromise a single machine to compromise the entire group. So, if the assistant and the CEO of the organization share a local administrator, an attacker which is able to take over the assistant’s computer, can then gain administrative access to the CEO’s machine as well.
In this version of Preempt Inspector, we help organizations discover cloned local administrative accounts. To detect such cases of cloned passwords, Preempt Inspector connects to remote machines and queries the ‘pwdLastSet’ attribute of local accounts using the SAMR protocol. This option is enabled on all Windows machines (up to Win10 anniversary update in which the default configuration allows only local administrators to perform such queries). The ‘pwdLastSet’ attribute gives a password change timestamp in a 100 nanoseconds resolution which would always be equal in cases of cloned machines (since this attribute is cloned along with the others from the SAM database). In most private preview customers, we were able to discover a large amount of machines sharing a local administrator account.
We recommend that organizations configure a unique password for local administrators on different machines, either manually or by using LAPS, which provides a way to manage local administrator passwords on domain-joined computers.
NTLM Relay Mitigations
Another old but very effective attack technique is that of NTLM Relay. In an NTLM Relay attack, a compromised machine takes advantage of NTLM connections made to it and redirects the NTLM session to attack other, previously non-compromised, target servers. The attack is extremely powerful for several reasons: First, as long as NTLM is enabled in the network (not used, just enabled), any connection can be downgraded to NTLM. Second, most applications, by default, are not protected from NTLM Relay. For the Preempt Inspector, we’ve focused on the two riskiest and most vulnerable protocols to NTLM Relay:
LDAP Signing - An attacker that relays NTLM credentials to an LDAP connection, can perform any LDAP operation on behalf of the compromised user. If the compromised user is a domain admin, the most detrimental attack vector would be to create a new domain admin which would grant attackers full persistence over the domain environment. To have your LDAP protected against this attack you need to turn on LDAP signing in your domain. However, that alone is not enough - last year, Preempt researchers discovered CVE-2017-8563 that allows performing NTLM Relay in LDAP connections even when LDAP signing is enabled. To be fully protected from this vulnerability, a patch is required along with special registry configuration in each domain controller. Preempt Inspector scans all domain controllers and alerts on any unsafe LDAP configurations.
SMB Signing - An attacker can also relay NTLM credentials to SMB connections. By default, SMB is enabled on all Windows machines and allows a user with sufficient privileges to download files, fetch sensitive configurations and run code remotely. To be protected from SMB Relay you need to enable SMB signing on all machines in your network. For some obscure reason only domain controller have SMB signing enabled by default. Preempt Inspector scan all domain controller to verify default SMB signing setting is still enabled and samples several domain workstations to ascertain whether SMB signing is enabled on other machines.
For a more comprehensive review of NTLM refer to this blog post.
We will continue developing and adding new features to the Preempt Inspector. If you are interested in a specific feature which you would like to see incorporated into the Preempt Inspector, you can contact us at firstname.lastname@example.org.
Editor's note: Yaron Zinar contributed to this blog.