When testing Windows environments, we regularly see the encrypted password of a user with high privileges being sent across the network. In combination with systems where SMB signing is disabled, an attacker or malicious person can, by performing an NTLM relay attack, increase the privileges within the network. Depending on the network environment an attacker may be able to increase privileges to the highest level.
Windows uses many different protocols for authentication. One of those protocols is Net-NTLM. This protocol is used to authenticate users over the network. There are two versions: Net-NTLMv1 and Net-NTLMv2. Both versions compute a so-called Net-NTLM hash by processing a user’s encrypted password into a random string consisting of eight bytes. Net-NTLMv1 is obviously less secure than version 2 and has been disabled by default since Windows Vista and Windows Server 2008.
Using the tool Responder, we can intercept authentication requests sent across the network. An example is shown below:
An attacker can try to do two things with this hash:
The NTLM relay attack exploits the Net-NTLM protocol. An attacker intercepts a legitimate authentication request, alters the contents, and forwards the request to a computer that does not enforce SMB signing. This authenticates the attacker on the target system using the context of the user that sent the original authentication request. In the worst case, the attacker can use this to perform remote code execution on the system. An attacker could also use this attack to access network shares that the attacker would not normally have access to.
To perform the NTLM relay attack, three tools are used: NetExec, Responder, and ntlmrelayx. Since an NTLM relay attack only works on systems which have SMB signing disabled, a list of systems on which SMB signing is disabled is required. This list can be generated using NetExec with the following command:
netexec smb 192.168.126.0/24 --gen-relay-list targets.txt
This checks the address range for machines that have SMB enabled and SMB signing disabled. The IP addresses that match are written to the file.
Next, we use the tools Responder and ntlmrelayx utilities. Responder is responsible for capturing the Net-NTLM hash and forwarding it to ntlmrelayx, which then authenticates itself on the specified host(s) via SMB with the hash it has received. To accomplish this, the SMB and HTTP server must be disabled in Responder’s configuration. This can be done by opening the configuration file and changing the values behind SMB and HTTP to ‘Off’. The configuration file should look like this:
Next, Responder must be started on the active network interface, in this case eth0. This can be done by running the following command:
responder -I eth0 -d -w
Finally, we use the ntlmrelayx utility to extract the contents of the SAM database from the target systems. To do this, we start ntlmrelayx with the following command:
python3 ntlmrelayx.py -tf targets.txt
Once ntlmrelayx receives a Net-NTLM hash from Responder, it tries to authenticate to the systems in the file. If authentication is successful, ntlmrelayx then attempts to extract the contents of the SAM database. To do this, the user whose hash has been captured must have local administration rights on the target system. In addition to extracting the SAM database, it is also possible to execute other system commands.
The image below shows a successful NTLM relay, where the user had local administrator rights on the target system and thus the contents of the SAM database could be extracted.
An attacker would now be in possession of the encrypted password of the local administrator. This gives the attacker local administrator rights on this system. This allows the attacker to extract the encrypted passwords of users who have or recently had a session, from memory. In the event that this includes a domain administrator, an attacker can increase privileges to Domain Admin and thus take over the entire domain.
We regularly observe that the password for the local Administrator user is reused on multiple computers. This means that an attacker can use the same password to log on to multiple computers as a local administrator. This broadens the attack vector and increases the likelihood that the attacker can increase their privileges.
Systems are susceptible to an NTLM relay attack because the recipient does not verify the content and origin of the message. The most effective way to remedy this vulnerability is to enable enterprise-wide SMB signing.
SMB signing is a security mechanism in the SMB protocol. When enabled, each SMB message is sent with a signature in the SMB header field. The signature consists of the contents of the SMB message, encrypted with the AES algorithm. This allows the recipient of the SMB message to verify that the content of the message has not been changed. It also verifies the identity of the sender. If the content of the message does not match the SMB header, the recipient knows that the message has been tampered with. The recipient then drops the message. This makes it impossible to successfully perform the NTLM relay attack.
SMB signing can be enabled by setting the contents of the EnableSecuritySignature and RequireSecuritySignature registry values to 1. This must be applied to both the LanManServer and the LanManWorkstation. This can be done in two ways: via a system command or via the graphical application ‘Local Group Policy Editor’ (gpedit.msc).
1. Command line
Run these commands to update registry values:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v EnableSecuritySignature /t REG_DWORD /d 1reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1Restart the system to apply changes.
2. Group policy editor
Navigate to Computer Configuration > Windows Settings > Local Policies > Security Options
Enable the following policies:
-- Microsoft network client: Digitally sign communication (always)
-- Microsoft network client: Digitally sign communication (if server agrees)
-- Microsoft network server: Digitally sign communication (always)
-- Microsoft network server: Digitally sign communication (if client agrees)
-- Restart the system to apply changes.
3. Linux Systems:
Edit Samba configuration file to include:
client signing = mandatoryserver signing = mandatory
To protect your network from NTLM relay attacks, enabling SMB signing is crucial. It ensures the integrity and authenticity of SMB messages, thereby mitigating a significant security vulnerability. Implementing SMB signing across your network can safeguard against potential attackers escalating their privileges and taking over your network.
-- https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/overview-server-message-block-signing" target="_blank">Overview of Server Message Block Signing
-- https://github.com/lgandx/Responder
-- https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py
-- https://github.com/Pennyw0rth/NetExec
Are you prepared to defend your organisation against cyber threats? Securance offers robust cybersecurity services to safeguard your digital assets. Our experts can perform comprehensive security assessments, implement cutting-edge security measures, and provide continuous monitoring to protect your network from potential attacks. Contact us today to enhance your cybersecurity posture and secure your organisation’s future.
Securance, a leader in integrated risk management and cybersecurity
The Windows operating system by default includes an administrat
As financial institutions increasingly rely on digital systems, the