Researchers find way to steal Windows Active Directory credentials from the Internet

The technique could enable attackers to attack Windows servers hosted in the cloud

Big Data

Big Data

An attack using the SMB file sharing protocol that has been believed to work only within local area networks for over a decade can also be executed over the Internet, two researchers showed at the Black Hat security conference.

The attack, called an SMB relay, causes a Windows computer that's part of an Active Directory domain to leak the user's credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player.

Those credentials can then be used by the attacker to authenticate as the user on any Windows servers where the user has an account, including those hosted in the cloud.

In an Active Directory network, Windows computers automatically send their credentials when they want to access different types of services like remote file shares, Microsoft Exchange email servers or SharePoint enterprise collaboration tools. This is done using the NTLM version 2 (NTLMv2) authentication protocol and the credentials that get sent are the computer and user name in plain text and a cryptographic hash derived from the user's password.

In 2001 security researchers devised an attack called SMB relay where attackers can position themselves between a Windows computer and a server to intercept credentials and then relay them back to the server in order to authenticate as the user.

It was believed that this attack worked only inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to "automatic logon only in Intranet zone."

However, security researchers Jonathan Brossard and Hormazd Billimoria found that this option is ignored and the browser can be tricked to silently send the user's Active Directory credentials -- the username and password hash -- to a remote SMB server on the Internet controlled by the attackers.

They tracked the issue down to a Windows system DLL file that is used not just by Internet Explorer, but by many applications that can access URLs, including Microsoft Outlook, Windows Media Player, as well as third-party programs.

When an URL is queried by these applications, the DLL checks for the authentication setting in registry, but then ignores it, the researchers said in their presentation at the conference in Las Vegas.

This is true for all supported versions of Windows and Internet Explorer, making it the first remote attack for the newly released Windows 10 and Microsoft Edge browser, Brossard said.

"We're aware of this matter and are looking into this further," a Microsoft representative said Thursday via email.

Once attackers have the user's credentials, there are several ways in which they can be used, according to Brossard.

In one scenario, they could use an SMB relay attack to authenticate as the victim on servers hosted outside of the user's local network by using a feature known as NTLM over HTTP that was introduced to accommodate network expansions into cloud environments. In this way they could obtain a remote shell on the server which could then be used to install malware or execute other exploits.

If the remote server is an Exchange one, the attackers could download the user's entire mailbox.

Another scenario involves cracking the hash and then using it to access a Remote Desktop Protocol server. This can be done using specialized hardware rigs or services that combine the power of multiple GPUs.

A password that has eight characters or less can be cracked in around two days. Cracking an entire list of stolen hashes would take the same amount of time, because all possible character combinations are tried as part of the process, he said.

Stealing Windows credentials over the Internet could also be useful for attackers who are already inside a local network, but don't have administrator privileges. They could then send an email message to the administrator that would leak his credentials when viewed in Outlook. Attackers could then use the stolen hash to execute SMB relay attacks against servers on the local network.

There are several methods to limit such attacks, but some of them have significant drawbacks.

Enabling an SMB feature called packet signing would prevent relay attacks, but not the credential leaking itself or attacks that rely on cracking the hash, Brossard said. This feature also adds a significant performance impact.

Another feature that could help is called Extended Protection for Windows Authentication, but it is hard to configure, which is why it's not usually enabled on corporate networks, the researcher said.

Microsoft recommends using a firewall to block SMB packets from leaving the local network. This would prevent credential leaks, but is not very practical in the age of employee mobility and cloud computing, according to Brossard. The researcher feels that a host-based filtering solution would be more appropriate.

The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn't break file sharing, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionMicrosoftsecurityblack hatAccess control and authenticationExploits / vulnerabilities

More about EnablingMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place