Researchers find way to steal Windows Active Directory credentials from the Internet

Lucian Constantin | Aug. 10, 2015
An attack using the SMB file sharing protocol that has been believed to work only within local area networks for over a decade can also be executed over the Internet, two researchers showed at the Black Hat security conference.

The attack, called an SMB relay, causes a Windows computer that's part of an Active Directory domain to leak the user's credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player.

Those credentials can then be used by the attacker to authenticate as the user on any Windows servers where the user has an account, including those hosted in the cloud.

In an Active Directory network, Windows computers automatically send their credentials when they want to access different types of services such as remote file shares, Microsoft Exchange email servers or SharePoint enterprise collaboration tools. This is done using the NTLM version 2 (NTLMv2) authentication protocol; the credentials that are sent consist of the computer name and user name in plain text and a cryptographic hash derived from the user's password.

In 2001 security researchers devised an attack called SMB relay where attackers can position themselves between a Windows computer and a server to intercept credentials and then relay them back to the server in order to authenticate as the user.

It was believed that this attack worked only inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to "automatic logon only in Intranet zone."

However, security researchers Jonathan Brossard and Hormazd Billimoria found that this option is ignored and the browser can be tricked into silently sending the user's Active Directory credentials -- the username and password hash -- to a remote SMB server on the Internet controlled by the attackers.

They tracked the issue down to a Windows system DLL file that is used not just by Internet Explorer, but by many applications that can access URLs, including Microsoft Outlook, Windows Media Player, as well as third-party programs.

When a URL is queried by these applications, the DLL checks for the authentication setting in the registry but then ignores it, the researchers said in their presentation at the conference in Las Vegas.
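As an added example (not from the article or the researchers' work), a small Python check a defender can run over firewall egress logs to spot the precondition of the attack described above: an SMB connection (TCP 139 or 445) from an internal host to an address outside the organisation's private ranges. The log format, addresses and "internal" networks are constructed assumptions.

```python
import ipaddress
import re

# Constructed firewall egress log lines (not from the article). Fields:
# timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2015-08-06T10:01:02Z 10.0.5.21 10.0.1.5 445 tcp
2015-08-06T10:01:07Z 10.0.5.21 203.0.113.17 445 tcp
2015-08-06T10:01:09Z 10.0.5.22 198.51.100.9 443 tcp
2015-08-06T10:01:15Z 10.0.5.23 192.0.2.44 139 tcp
2015-08-06T10:01:20Z 10.0.5.23 172.16.3.8 445 tcp
"""

SMB_PORTS = {139, 445}
# Assumed intranet ranges: RFC1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def is_internal(ip_text):
    """True if the address falls inside one of the assumed intranet ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable destination: treat as not internal
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Return (src, dst, port) for each SMB connection leaving the intranet.
    Such a connection is what the relay needs: an NTLMv2 exchange with an
    SMB server on the Internet that the attacker controls."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, dst, port, _proto = m.groups()
        if int(port) in SMB_PORTS and not is_internal(dst):
            hits.append((src, dst, int(port)))
    return hits

if __name__ == "__main__":
    for src, dst, port in find_external_smb(SAMPLE_LOG):
        print(f"ALERT outbound SMB {src} -> {dst}:{port}")
```

Blocking outbound TCP 139/445 at the perimeter removes the path the flagged connections use; the script only shows where such a rule is missing.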

This is true for all supported versions of Windows and Internet Explorer, making it the first remote attack for the newly released Windows 10 and Microsoft Edge browser, Brossard said.

"We're aware of this matter and are looking into this further," a Microsoft representative said Thursday via email.

Once attackers have the user's credentials, there are several ways in which they can be used, according to Brossard.

In one scenario, they could use an SMB relay attack to authenticate as the victim on servers hosted outside of the user's local network by using a feature known as NTLM over HTTP, which was introduced to accommodate network expansions into cloud environments. In this way they could obtain a remote shell on the server, which could then be used to install malware or execute other exploits.
