From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP

Posted by Eyal Karni on Mar 13, 2018 10:05:15 AM

 In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: It is related to RSA cryptography (and prime numbers) which makes it quite unique and interesting.

Read More

Topics: Multi-factor Authentication, kerberos, Hacking, Black Hat, Security Advisory, Microsoft, RDP

Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video)

Posted by Yaron Zinar on Mar 13, 2018 10:03:36 AM

In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.

Read More

Topics: kerberos, Hacking, Threat Detection, Security Advisory, Microsoft, CredSSP

Kerberos, NTLM and SAM: 3 Ways Attackers Can Crack Passwords

Posted by Yaron Zinar on Mar 23, 2017 9:25:12 AM

In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.

Read More

Topics: NTLM, kerberos, Passwords, SAM

The Security Risks of NTLM: Proceed with Caution

Posted by Yaron Zinar on Oct 20, 2016 3:05:29 PM

NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. Even though it has not been the default for Windows deployments for more than 15 years, it is still very much in use and I have not yet seen a network where it has been completely abandoned. In fact it also supported by the latest version of Active Directory.

Read More

Topics: Risk, Active Directory, NTLM, kerberos

10 Facts to Help You Better Understand Kerberos 

Posted by Eran Cohen on Oct 6, 2016 12:16:30 PM

Every child that grew up playing Dungeons and Dragons learned about the mythic creature of Kerberos (also known as Cerberus in Ancient Greek mythology)  -- the three headed dog who guards the gates of Haides.  Its role is to prevent the dead souls from returning to the world of living. 

Read More

Topics: kerberos