Researchers find way to steal Windows Active Directory credentials from the Internet

The technique could enable attackers to attack Windows servers hosted in the cloud

Big Data

Big Data

An attack using the SMB file sharing protocol that has been believed to work only within local area networks for over a decade can also be executed over the Internet, two researchers showed at the Black Hat security conference.

The attack, called an SMB relay, causes a Windows computer that's part of an Active Directory domain to leak the user's credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player.

Those credentials can then be used by the attacker to authenticate as the user on any Windows servers where the user has an account, including those hosted in the cloud.

In an Active Directory network, Windows computers automatically send their credentials when they want to access different types of services like remote file shares, Microsoft Exchange email servers or SharePoint enterprise collaboration tools. This is done using the NTLM version 2 (NTLMv2) authentication protocol and the credentials that get sent are the computer and user name in plain text and a cryptographic hash derived from the user's password.

In 2001 security researchers devised an attack called SMB relay where attackers can position themselves between a Windows computer and a server to intercept credentials and then relay them back to the server in order to authenticate as the user.

It was believed that this attack worked only inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to "automatic logon only in Intranet zone."

However, security researchers Jonathan Brossard and Hormazd Billimoria found that this option is ignored and the browser can be tricked to silently send the user's Active Directory credentials -- the username and password hash -- to a remote SMB server on the Internet controlled by the attackers.

They tracked the issue down to a Windows system DLL file that is used not just by Internet Explorer, but by many applications that can access URLs, including Microsoft Outlook, Windows Media Player, as well as third-party programs.

When an URL is queried by these applications, the DLL checks for the authentication setting in registry, but then ignores it, the researchers said in their presentation at the conference in Las Vegas.

This is true for all supported versions of Windows and Internet Explorer, making it the first remote attack for the newly released Windows 10 and Microsoft Edge browser, Brossard said.

"We're aware of this matter and are looking into this further," a Microsoft representative said Thursday via email.

Once attackers have the user's credentials, there are several ways in which they can be used, according to Brossard.

In one scenario, they could use an SMB relay attack to authenticate as the victim on servers hosted outside of the user's local network by using a feature known as NTLM over HTTP that was introduced to accommodate network expansions into cloud environments. In this way they could obtain a remote shell on the server which could then be used to install malware or execute other exploits.

If the remote server is an Exchange one, the attackers could download the user's entire mailbox.

Another scenario involves cracking the hash and then using it to access a Remote Desktop Protocol server. This can be done using specialized hardware rigs or services that combine the power of multiple GPUs.

A password that has eight characters or less can be cracked in around two days. Cracking an entire list of stolen hashes would take the same amount of time, because all possible character combinations are tried as part of the process, he said.

Stealing Windows credentials over the Internet could also be useful for attackers who are already inside a local network, but don't have administrator privileges. They could then send an email message to the administrator that would leak his credentials when viewed in Outlook. Attackers could then use the stolen hash to execute SMB relay attacks against servers on the local network.

There are several methods to limit such attacks, but some of them have significant drawbacks.

Enabling an SMB feature called packet signing would prevent relay attacks, but not the credential leaking itself or attacks that rely on cracking the hash, Brossard said. This feature also adds a significant performance impact.

Another feature that could help is called Extended Protection for Windows Authentication, but it is hard to configure, which is why it's not usually enabled on corporate networks, the researcher said.

Microsoft recommends using a firewall to block SMB packets from leaving the local network. This would prevent credential leaks, but is not very practical in the age of employee mobility and cloud computing, according to Brossard. The researcher feels that a host-based filtering solution would be more appropriate.

The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn't break file sharing, he said.

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.

Tags intrusionMicrosoftsecurityblack hatAccess control and authenticationExploits / vulnerabilities

More about EnablingMicrosoft

Show Comments