Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researchers find way to steal Windows Active Directory credentials from the Internet

Lucian Constantin | Aug. 10, 2015
An attack using the SMB file sharing protocol that has been believed to work only within local area networks for over a decade can also be executed over the Internet, two researchers showed at the Black Hat security conference.

If the remote server is an Exchange one, the attackers could download the user's entire mailbox.

Another scenario involves cracking the hash and then using it to access a Remote Desktop Protocol server. This can be done using specialized hardware rigs or services that combine the power of multiple GPUs.

A password that has eight characters or less can be cracked in around two days. Cracking an entire list of stolen hashes would take the same amount of time, because all possible character combinations are tried as part of the process, he said.

Stealing Windows credentials over the Internet could also be useful for attackers who are already inside a local network, but don't have administrator privileges. They could then send an email message to the administrator that would leak his credentials when viewed in Outlook. Attackers could then use the stolen hash to execute SMB relay attacks against servers on the local network.

There are several methods to limit such attacks, but some of them have significant drawbacks.

Enabling an SMB feature called packet signing would prevent relay attacks, but not the credential leaking itself or attacks that rely on cracking the hash, Brossard said. This feature also adds a significant performance impact.

Another feature that could help is called Extended Protection for Windows Authentication, but it is hard to configure, which is why it's not usually enabled on corporate networks, the researcher said.

Microsoft recommends using a firewall to block SMB packets from leaving the local network. This would prevent credential leaks, but is not very practical in the age of employee mobility and cloud computing, according to Brossard. The researcher feels that a host-based filtering solution would be more appropriate.

The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn't break file sharing, he said.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.