In the previous article we introduced the Kerberos protocol of the Windows authentication mechanism. This time we focus on the other half of that mechanism, NTLM authentication, starting with local authentication.

LM Hash and NTLM Hash

Windows does not store passwords in plain text, only their hashes. The hashes of local users are stored in the local SAM file, those of domain users in the NTDS.dit file on the domain controller. In a penetration test the hashes of all users can usually be exported from the SAM file of a Windows system and from NTDS.dit on a domain controller. An exported hash is usually seen in this (pwdump-style) format: `Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31d6cfe0d16ae931b73c59d7e0c089c0:::`

AAD3B435B51404EEAAD3B435B51404EE is the LM hash and 31d6cfe0d16ae931b73c59d7e0c089c0 the NTLM hash. Both of these particular values are the hashes of an empty password, which becomes important below.

LM Hash

LM hash, short for LAN Manager hash, is the oldest password hashing scheme used in Windows.

The LM hash is computed as follows:

  • 1. The password is converted to uppercase and truncated or NUL-padded to exactly 14 bytes.
  • 2. The 14 bytes are split into two independent 7-byte halves (56 bits each).
  • 3. Each 56-bit half is expanded to an 8-byte DES key by taking the bits in groups of 7 and appending one (ignored) parity bit to every group.
  • 4. Each of the two keys is used to DES-encrypt the fixed string "KGS!@#$%".
  • 5. The two 8-byte ciphertexts are concatenated to give the 16-byte LM hash.

Because of the uppercasing and the split into two 7-character halves, each half can be cracked independently from a tiny key space, and any password of 7 characters or fewer always has AAD3B435B51404EE as its second half, which reveals the password length.

NTLM Hash

To address the weaknesses inherent in the LM hashing and authentication scheme, Microsoft introduced the NTLM protocol in Windows NT 3.1 in 1993. The following shows which Windows versions store and support LM and NTLM hashes.

That is, starting with Windows Vista and Windows Server 2008, only NTLM hashes are stored by default and LM hashes no longer exist (hence we will not cover LM hashes further). This is why the LM hash captured on Windows 7 is AAD3B435B51404EEAAD3B435B51404EE: it is the LM hash of an empty password, and carries no value.

The NTLM hash (NT hash) is computed as follows:

  • 1. Encode the user's password as UTF-16LE (little-endian Unicode), without uppercasing or truncating it.
  • 2. Hash the encoded bytes with the MD4 digest algorithm; the 16-byte digest is the NTLM hash.

The NT hash has none of the structural weaknesses of the LM hash, but it is still unsalted and fast to compute, so equal passwords give equal hashes and offline brute force is cheap.
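The two procedures above, LM hash and NT hash, implemented as an added example (this is not code from the original article). It uses Go's standard-library DES; MD4 is written out inline because the standard library does not ship it. Only ASCII passwords are assumed for the LM half (real LM used the OEM code page), and the output mimics the exported SAM line shown earlier.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320) digest; the NT hash is plain MD4.
func md4(msg []byte) [16]byte {
	s := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	m := append([]byte{}, msg...)
	m = append(m, 0x80) // padding: 0x80, zeros, then the 64-bit little-endian bit length
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	m = append(m, l[:]...)

	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	sh := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}

	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		a, b, c, d := s[0], s[1], s[2], s[3]
		for i := 0; i < 16; i++ { // round 1
			t := bits.RotateLeft32(a+f(b, c, d)+x[i], sh[0][i%4])
			a, b, c, d = d, t, b, c
		}
		for i := 0; i < 16; i++ { // round 2
			t := bits.RotateLeft32(a+g(b, c, d)+x[r2[i]]+0x5a827999, sh[1][i%4])
			a, b, c, d = d, t, b, c
		}
		for i := 0; i < 16; i++ { // round 3
			t := bits.RotateLeft32(a+h(b, c, d)+x[r3[i]]+0x6ed9eba1, sh[2][i%4])
			a, b, c, d = d, t, b, c
		}
		s[0], s[1], s[2], s[3] = s[0]+a, s[1]+b, s[2]+c, s[3]+d
	}
	var out [16]byte
	for i, v := range s {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// desKeyFrom7 expands 7 key bytes (56 bits) into the 8-byte DES key format:
// each 7-bit group lands in the high bits of one byte, the low bit is the
// (ignored) parity slot. This is step 3 of the LM procedure.
func desKeyFrom7(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(v&0x7f) << 1
		v >>= 7
	}
	return key
}

// LMHash: uppercase, pad/truncate to 14 bytes, DES-encrypt "KGS!@#$%" with
// each 7-byte half as the key, and concatenate the two ciphertexts.
func LMHash(password string) [16]byte {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	var out [16]byte
	for i := 0; i < 2; i++ {
		c, err := des.NewCipher(desKeyFrom7(p[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		c.Encrypt(out[8*i:8*i+8], []byte("KGS!@#$%"))
	}
	return out
}

// NTHash: MD4 over the UTF-16LE encoding of the unmodified password.
func NTHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

func LMHashHex(p string) string { h := LMHash(p); return hex.EncodeToString(h[:]) }
func NTHashHex(p string) string { h := NTHash(p); return hex.EncodeToString(h[:]) }

func main() {
	// Constructed sample passwords; printed in the user:RID:LM:NT::: export format.
	for _, pw := range []string{"", "password"} {
		fmt.Printf("Administrator:500:%s:%s:::\n", LMHashHex(pw), NTHashHex(pw))
	}
}
```

Running it shows the empty-password pair from the export line above, and that any password of 7 characters or fewer has the LM second half AAD3B435B51404EE while the NT hash differs for every input.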

NTLM Authentication

Windows NTLM authentication uses the NTLM hash to authenticate users. It can be divided into local authentication and network authentication. NTLM network authentication is used both for authentication inside a domain and in workgroup environments. NTLM has three versions: NTLMv1, NTLMv2 and NTLM2 Session (NTLMv1 with extended session security). Currently NTLMv2 is the most widely used version.

NTLM Local authentication

When a user logs on to the local PC, the hash of the user's password is stored in the local SAM file, whose path is %SystemRoot%\system32\config\SAM. When the user enters a password for local authentication, the password is converted to an NTLM hash and compared with the NTLM hash in the SAM. After the user logs out, restarts, or locks the screen, the operating system displays the winlogon.exe logon page (input box). When winlogon.exe receives the input, it hands the password to lsass.exe. Lsass.exe (Local Security Authority Subsystem Service) is the system process that enforces the local security and logon policy. It receives the plaintext password, computes its NTLM hash and verifies it against the SAM database; the plaintext (or a reversibly encrypted form of it) may remain in LSASS memory for single sign-on, which is why LSASS is a favourite target of credential-dumping tools.

net-NTLM hash

A Net-NTLM hash is different from an NTLM hash. In the third step of NTLM network authentication, after receiving the TYPE 2 message from the server, the client extracts the server's random challenge and computes a response over it keyed by the cached NTLM hash of the account's password (in NTLMv2 the user name and domain are mixed in as well). That response is sent to the server in the TYPE 3 Authenticate message. The Net-NTLM hash is the combination of user name, challenge and response, i.e. the material an observer can capture from an NTLM authentication on the network. The NTLMv1 and NTLMv2 responses give Net-NTLMv1 and Net-NTLMv2 hashes respectively.

The format of a Net-NTLMv1 hash is:

username::hostname:LM response:NTLM response:challenge

The format of a Net-NTLMv2 hash is:

username::domain:challenge:HMAC-MD5:blob

Unlike an NTLM hash, a Net-NTLM hash cannot be used for pass-the-hash, because it is bound to a single challenge. An attacker who captures one while a client authenticates to a server can, however, crack it offline to recover the plaintext password, or relay the live authentication to another server (an NTLM relay attack).

NTLM Network authentication

NTLM authentication in the network environment uses a challenge/response mechanism consisting of three messages:

Type 1: Negotiate

Type 2: Challenge

Type 3: Authenticate

The following details how NTLM works in a workgroup environment.

(1) When the client wants to access a service on the server it must authenticate first, so the user enters the user name and password of an account known to the server. The client does not keep the password for this: it computes the NTLM hash of the password and caches that in LSASS. The client then sends a TYPE 1 Negotiate message announcing the NTLM version and flags it supports and, optionally, the workstation and domain names.

(2) After receiving the TYPE 1 message the server reads its contents, selects the options, encryption level and security services it accepts, hands the negotiation to the NTLM SSP and obtains a TYPE 2 Challenge message, which it sends back to the client. The TYPE 2 message contains an 8-byte (64-bit) random value generated by the server, the server challenge, which the server also remembers; with NTLMv2 it also carries target information (NetBIOS and DNS names of the server and domain).

(3) After receiving the TYPE 2 message the client reads what the server supports, extracts the challenge and computes a response over it keyed by the cached NTLM hash: for NTLMv1 a DES-based encryption of the challenge, for NTLMv2 an HMAC-MD5 over the server challenge and a client-generated blob (timestamp, client nonce, target information), keyed by HMAC-MD5(NTLM hash, uppercase user name + domain). The response, together with the user name, domain and workstation, is packed into the TYPE 3 Authenticate message and sent to the server. The challenge and response together are the Net-NTLM hash.

(4) After receiving the TYPE 3 message the server recomputes the expected response from the NTLM hash it stores for that account (in a workgroup from its local SAM; in a domain it forwards user name, challenge and response to a domain controller over the Netlogon secure channel and the DC does the comparison against NTDS.dit). If the two values match, the client holds the correct hash and authentication succeeds; otherwise it fails.

Exploiting NTLM authentication

Pass-the-hash attacks (PTH)

A pass-the-hash (PTH) attack authenticates with an account's password hash instead of its password. In the TYPE 3 message of NTLM authentication the client computes the response from the user's NTLM hash, never from the password itself. Therefore, to simulate a user logon or authenticate a user accessing resources, the plaintext password is not required, only the user's hash. An attacker who has obtained the NTLM hash (for example by dumping the SAM or LSASS memory) can use it to log on to a target host remotely or obtain a shell there.

In a domain environment users generally log on with domain accounts, but many computers are deployed from the same image and share the same local administrator password. If the local administrator hash dumped from one machine is the same on other machines, an attacker can pass that hash to log on to other hosts on the intranet without spending time cracking it; this is a classic intranet lateral-movement technique and applies to both domain and workgroup environments. Because UAC remote restrictions block other local administrators from administrative remote access, in practice it is usually the built-in Administrator account (RID 500) that matters.
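The challenge/response exchange described in steps (2) to (4) above, the Net-NTLMv2 hash an on-path observer captures from it, and the pass-the-hash observation that the client needs only the NT hash, all in one added example (not code from the original article). The user name, domain, server and client challenges, timestamp and target information are constructed for the example; the stored NT hash is the one for the password "password", and the client side never sees that password, only the hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Constructed inputs for the example (not captured traffic).
const (
	exampleUser        = "alice"
	exampleDomain      = "CORP"
	storedNTHashHex    = "8846f7eaee8fb117ad06bdd830b7586c" // NT hash of "password"
	serverChallengeHex = "1122334455667788"                 // 8-byte challenge from TYPE 2
	clientChallengeHex = "a1b2c3d4e5f60718"                 // 8-byte client nonce inside the blob
	exampleTimestamp   = uint64(0x01d9e2a3b4c5d6e7)         // FILETIME (100 ns since 1601)
)

// utf16le encodes a string as UTF-16LE, the encoding NTLM uses for names.
func utf16le(s string) []byte {
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(b[2*i:], c)
	}
	return b
}

func hmacMD5(key, data []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// avPair encodes one AV_PAIR (id, length, value) of the TargetInfo from TYPE 2.
func avPair(id uint16, value []byte) []byte {
	b := make([]byte, 4, 4+len(value))
	binary.LittleEndian.PutUint16(b[0:], id)
	binary.LittleEndian.PutUint16(b[2:], uint16(len(value)))
	return append(b, value...)
}

// buildBlob builds the NTLMv2 "temp" structure: version bytes, reserved,
// timestamp, client challenge, reserved, AV pairs, four zero bytes.
func buildBlob(ts uint64, clientChallenge, targetInfo []byte) []byte {
	b := []byte{0x01, 0x01, 0, 0, 0, 0, 0, 0}
	var t [8]byte
	binary.LittleEndian.PutUint64(t[:], ts)
	b = append(b, t[:]...)
	b = append(b, clientChallenge...)
	b = append(b, 0, 0, 0, 0)
	b = append(b, targetInfo...)
	return append(b, 0, 0, 0, 0)
}

// ntlmv2Hash = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
func ntlmv2Hash(ntHash []byte, user, domain string) []byte {
	return hmacMD5(ntHash, utf16le(strings.ToUpper(user)+domain))
}

// ntProof = HMAC-MD5(NTLMv2 hash, serverChallenge || blob). The TYPE 3
// NtChallengeResponse field is ntProof || blob.
func ntProof(v2, serverChallenge, blob []byte) []byte {
	return hmacMD5(v2, append(append([]byte{}, serverChallenge...), blob...))
}

// NetNTLMv2Line is the user::domain:challenge:HMAC-MD5:blob form shown above
// (what Responder prints and hashcat mode 5600 consumes).
func NetNTLMv2Line(user, domain string, serverChallenge, proof, blob []byte) string {
	return fmt.Sprintf("%s::%s:%x:%x:%x", user, domain, serverChallenge, proof, blob)
}

// ServerVerify is step (4): recompute the proof from the stored NT hash and
// compare in constant time. It proves possession of the hash, not the password.
func ServerVerify(storedNTHash []byte, user, domain string, serverChallenge, response []byte) bool {
	if len(response) < 16 {
		return false
	}
	proof, blob := response[:16], response[16:]
	want := ntProof(ntlmv2Hash(storedNTHash, user, domain), serverChallenge, blob)
	return hmac.Equal(proof, want)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Exchange runs TYPE 2 -> TYPE 3 -> verification with a client that holds only
// clientNTHashHex. It returns the Net-NTLMv2 line an observer would capture
// and whether the server accepted the response.
func Exchange(clientNTHashHex string) (string, bool) {
	serverChallenge := mustHex(serverChallengeHex)
	targetInfo := append(avPair(2, utf16le(exampleDomain)), avPair(1, utf16le("FILESRV"))...)
	targetInfo = append(targetInfo, avPair(0, nil)...) // MsvAvEOL

	// Client side (TYPE 3): only the NT hash is needed, hence pass-the-hash.
	blob := buildBlob(exampleTimestamp, mustHex(clientChallengeHex), targetInfo)
	proof := ntProof(ntlmv2Hash(mustHex(clientNTHashHex), exampleUser, exampleDomain), serverChallenge, blob)
	response := append(append([]byte{}, proof...), blob...)

	// Server side: check against the hash held in the SAM / NTDS.dit.
	ok := ServerVerify(mustHex(storedNTHashHex), exampleUser, exampleDomain, serverChallenge, response)
	return NetNTLMv2Line(exampleUser, exampleDomain, serverChallenge, proof, blob), ok
}

func main() {
	line, ok := Exchange(storedNTHashHex)
	fmt.Println(line)
	fmt.Println("server accepted:", ok)
}
```

Feeding any other NT hash to Exchange makes the server reject the TYPE 3 message, and the printed line is exactly what a relay or poisoning tool hands to a cracker: the server challenge and blob are public, so cracking it means guessing the password and recomputing the two HMACs, while the NT hash itself lets the client pass authentication without the password.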

NTLM-relay

NTLM authentication comes in NTLMv1, NTLMv2 and NTLM2 Session variants, and NTLMv2 is much stronger than NTLMv1. In practice, a captured Net-NTLMv1 hash can be cracked directly: its response is built with DES from the NT hash and an 8-byte challenge, and with a fixed challenge it can even be reversed with precomputed tables. Net-NTLMv2 is HMAC-MD5 based, so cracking it means guessing the password, and without a very good dictionary the plaintext is hard to recover. If cracking does not work, the alternative is an NTLM relay: instead of cracking anything, the attacker forwards the TYPE 1/2/3 messages between the victim client and a third server, so that server authenticates the attacker's session as the victim. This only works against targets that do not require signing (SMB signing, LDAP signing and channel binding), because the attacker cannot derive the session key without the NT hash.

NTLM-reflect

MS08-068 restricted SMB reflection: a Net-NTLM hash received over SMB can no longer be relayed back over SMB to the same host. That patch was bypassed in CVE-2019-1384 (Ghost Potato). In a domain, the hashes of domain users are stored in NTDS.dit on the domain controllers, and a domain user that can log on to one machine can typically log on to others, so the domain user's authentication can be relayed to another machine; likewise an authentication coming from a domain controller can be relayed to an ordinary machine, such as the one the domain administrators use for operations. (Why not relay to another domain controller? Because SMB signing is required by default on domain controllers.)

Ways to obtain Net-NTLM hashes for relay

Obtaining Net-NTLM hashes by LLMNR and NetBIOS spoofing

Recall the name resolution order of a Windows system:

  1. Local hosts file (%windir%\System32\drivers\etc\hosts)
  2. DNS Cache /DNS server
  3. Link-local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS)

That is, if the name is not in the cache and the DNS server cannot resolve it, Windows falls back to Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS). At that point the client sends an unauthenticated UDP query (multicast for LLMNR, broadcast for NBT-NS) asking who has the name. Because the process is not authenticated and reaches every host on the local network, any machine can respond and claim to be the requested name. By listening for LLMNR and NetBIOS queries with Responder, an attacker can, whenever a user types a host name that does not exist, contains a typo, or is missing from DNS, answer as the requested machine and make the victim authenticate to it, handing over its Net-NTLM hash. The idea is the same as ARP spoofing: the attacker becomes a man-in-the-middle and intercepts the client's Net-NTLM hash.

Obtaining Net-NTLM hashes by WPAD hijacking

WPAD (Web Proxy Auto-Discovery) is a protocol by which clients locate the URL of a proxy auto-configuration (PAC) file via DHCP, DNS, LLMNR and NBNS. The browser discovers the proxy automatically: it finds the host serving the PAC file, downloads the file, evaluates it and routes traffic through the proxy it names.

A typical hijack uses LLMNR/NBNS spoofing to answer the "wpad" name, so the victim fetches a PAC file from the attacker that declares the attacker's machine as the proxy. The attacker can then intercept the victim's HTTP traffic and inject content that triggers NTLM authentication (for example an HTTP 401 response with WWW-Authenticate: NTLM, or a reference to an attacker-controlled UNC path) to capture the user's Net-NTLM hash.

When the browser is set to "Automatically detect settings", it downloads the wpad.dat prepared by the attacker, and from then on the client's traffic passes through the attacker's machine.

Defenses

In general, enable and require the corresponding signing: SMB signing on servers and clients, and LDAP signing plus channel binding on domain controllers, which stops relaying to those services. Disable LLMNR and NetBIOS over TCP/IP via Group Policy and turn off automatic proxy detection (WPAD) where it is not used, which removes the usual ways of obtaining Net-NTLM hashes in the first place. Where possible, restrict or audit NTLM altogether in favour of Kerberos.

Hands-on demonstrations, such as poisoning with Responder, follow the approaches published by others and are widely available online, so they are not repeated here.

The content above refers to the following articles and is only used for my personal knowledge sorting.

Reference documentation

www.anquanke.com/post/id/200…

www.freebuf.com/articles/ne…

blog.csdn.net/qq_36119192…