10 Things You Need to Know About Kerberos

Posted by Eran Cohen on Jun 24, 2019 9:36:00 AM

As our research team continues to find vulnerabilities in Microsoft's NTLM that bypass all of its major protection mechanisms, we start to wonder about the successor protocol that replaced NTLM in Windows versions after Windows 2000.

Enter Kerberos. Every child who grew up playing Dungeons and Dragons learned about the mythical creature Kerberos (also known as Cerberus in Ancient Greek mythology), a three-headed dog who guards the gates of Hell and prevents dead souls from returning to the world of the living.

While that memory is nostalgic, most security professionals know Kerberos as a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

Topics: Security Skills, NTLM, kerberos, Microsoft

How to Easily Bypass EPA to Compromise any Web Server that Supports Windows Integrated Authentication

Posted by Yaron Zinar on Jun 11, 2019 9:52:37 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass the Enhanced Protection for Authentication (EPA) mechanism to successfully launch NTLM relay attacks on any server that supports WIA (Windows Integrated Authentication) over TLS.

Topics: NTLM, Security Advisory, Microsoft

Drop the MIC - CVE-2019-1040

Posted by Marina Simakov on Jun 11, 2019 9:52:17 AM

As announced in our recent security advisory, Preempt researchers discovered how to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing requirement. This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable.

Topics: NTLM, Security Advisory, Microsoft

Your Session Key is My Session Key: How to Retrieve the Session Key for Any Authentication

Posted by Marina Simakov on Jun 11, 2019 9:51:51 AM

As announced in our recent security advisory, Preempt researchers discovered a critical vulnerability which allows attackers to retrieve the session key for any NTLM authentication and establish a signed session against any server. Any domain environment which does not entirely block NTLM traffic is vulnerable.

Topics: NTLM, Security Advisory, Microsoft

Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise

Posted by Yaron Zinar on Jun 11, 2019 9:51:20 AM

On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.

Topics: NTLM, Security Advisory, Microsoft

What State-Sponsored Attacks Can Teach Us About Conditional Access

Posted by Nir Yosha on May 3, 2019 11:52:00 AM

People often think that state-sponsored attacks from groups like Lazarus (North Korea), Fancy Bear (Russia) or menuPass (China) only target public federal organizations in Western nations like the U.S. This is simply not the case. In fact, attacks on large financial and retail institutions have increasingly been state-sponsored attacks hoping to create chaos more than just theft. These attacks largely come from U.S.-sanctioned states such as Iran, Russia and North Korea, as these hacking groups have come to realize that attacking private organizations can achieve the same goals as attacking public institutions.

Topics: Privileged Accounts, Credential Compromise, NTLM, Hacking, Ransomware, Lateral Movement, Attack Tools, Conditional Access

New Microsoft Exchange Vulnerability Exposes Domain Admin Privileges: Here’s What to Do

Posted by Yaron Zinar on Feb 4, 2019 11:41:13 AM

Last week, the CERT Coordination Center (CERT/CC) issued a vulnerability note warning that Microsoft Exchange 2013 and newer versions are vulnerable to an NTLM relay attack that allows attackers to gain domain admin privileges. Organizations that rely on Microsoft Exchange are currently at risk of a serious data breach. This attack is particularly concerning given that it obtains privileges on the domain controller, which is essentially the “keys to the kingdom.” We’ve simplified some of the specifics of this attack for the purposes of this blog, but for a full technical breakdown, please see the research from Dirk-jan Mollema.

Topics: NTLM, Microsoft

The Security Risks of NTLM: Proceed with Caution

Posted by Yaron Zinar on Oct 18, 2018 10:50:00 AM

NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting with Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. Even though it has not been the default for Windows deployments for more than 17 years, it is still very much in use, and I have not yet seen a network where it has been completely abandoned. In fact, it is also supported by the latest version of Active Directory.

Topics: Risk, Active Directory, NTLM, kerberos

New LDAP & RDP Relay Vulnerabilities in NTLM

Posted by Yaron Zinar on Jul 11, 2017 10:01:54 AM

Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.

Topics: Domain Controller, NTLM, Hacking, Threat Detection, Security Advisory, Microsoft

Kerberos, NTLM and SAM: 3 Ways Attackers Can Crack Passwords

Posted by Yaron Zinar on Mar 23, 2017 9:25:12 AM

In a previous blog, we discussed the prevalence of weak passwords in the enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.

Topics: NTLM, kerberos, Passwords, SAM