A vendor has publically disclosed an Active Directory security flaw that puts a twist on typical "pass the hash" attacks, potentially leaving the numerous enterprises that rely on Microsoft's market-dominating
According to details provided in a blog post by Aorato, an Israel-based Active Directory security vendor, the proof-of-concept attack is the result of Active Directory's single sign-on authentication mishandling of two of its underlying protocols: NT LAN Manager (NTLM), the older default authentication protocol in Windows that is still available to all users by default, and Kerberos, the preferred authentication protocol that has been in place since the release of Windows 2000.
Pass the hash is a long-known NTLM-based attack technique. An alternative to more time-consuming methods like password guessing or cracking, attackers have long made use of it to gain unauthorized access to victims' machines.
Aorato's proof-of-concept attack relies on typical pass the hash measures, with an attacker first needing to run a penetration testing tool -- like Mimikatz or Windows Credential Editor -- to steal an NTLM hash.
Once computed, an NTLM hash essentially functions as a replacement for a user's passwords, whereas the newer Kerberos protocol works by exchanging a password for a ticket. Kerberos relies on the weak RC4 encryption algorithm though, and according to Aorato -- as well as Microsoft's own documentation -- RC4 is able to use an NTLM as its key.
Whereas a stolen NTLM hash could typically only be used by attackers to log on to a victim's machine and others on a network with the same permissions, Tal Be'ery, vice president of research for Aorato, said attackers could use this new method to downgrade the authentication level of Kerberos, enabling them to masquerade as the user to Active Directory with the NTLM hash.
An attacker could then change the victim's password, said Be'ery, and consequently access any enterprise services that utilize Active Directory -- all without setting off any alarms, as such activity would not appear abnormal in a company's logs.
Be'ery conceded that users would be unable to use their original credentials once an attacker had changed them, thus leaving only a certain window of opportunity to take advantage of the access, but that window may be more than enough to do significant damage to an organization.
"A vulnerability in this infrastructure is highly sensitive," Be'ery said. "[NTLM hash theft] is already implemented in many attackers' tools. Therefore, it would be very easy for attackers to implement this new variant."
AD pass the hash flaw disputed
Though Aorato touted its research as a new discovery, a Microsoft spokesperson disputed those claims, noting that the flaw -- referred to as a "limitation" -- is well-known with the security industry.
In a press statement, Microsoft provided information on methods to block attackers from changing passwords in such a fashion, including deploying smart cards, disabling Kerberos RC4 support for all domain controllers, or placing Windows Server 2012 R2 domains and users into a new protected-users security group -- a move that Be'ery said would certainly clamp down on security, but with the tradeoff that users might not be able to log on to all their usual systems.
Sander Berkouwer, Microsoft technology lead with Netherlands-based OGD ict-diensten and a Microsoft MVP, described Aorato's finding as "clever," but questioned whether the research revealed information the security industry had never seen before.
For instance, Berkouwer said NTLM security issues, including the usual pass the hash technique at the core of Aorato's proof of concept, have been an accepted reality for many years, which is why organizations have slowly been trying to eliminate the aged protocol from their environments -- though he noted Kerberos has faced similar problems.
Microsoft has also long been aware of attempts by attackers to force clients to utilize weaker authentication protocols, according to Berkouwer, and in fact, the Redmond, Washington-based software giant has taken steps to address those problems, though not to the benefit of all users.
"It is something that has been solved by Microsoft in operating systems that are not particularly favorable with organizations," namely Windows 8, Berkouwer said. "The problem is, you need to upgrade everything: The client needs to be at least Windows 8, and your domain controller [upgraded] to Windows Server 2012."
Be'ery said he understands why Microsoft responded in a defensive manner.
If the company were to admit that Aorato's findings constituted a legitimate vulnerability, he noted, it would be forced into fixing a difficult problem that goes as deep as the core of the Kerberos protocol's design.
Be'ery said the official designation of the flaw does not matter as long as Microsoft recognizes the problem and provides a fix. Microsoft chose not to do that when Aorato privately disclosed the issue to the company though, according to Be'ery, which is why the security vendor chose to go public.
"Microsoft's view is that this is in fact the consequence of the design of the Kerberos protocol," said Be'ery, "but we're thinking that it doesn't matter if it's an implementation error or by-design error."
Be'ery said the company is ready to accept the criticism it may receive from some who believe the disclosure will ultimately do more harm than good.
"Should we disclose something that might help attackers? The dilemma is a valid one," Be'ery added. "If a vendor is prepared to fix it, you don't publish anything before they fix it, but if they don't fix it, you are helping the bad guys and not the good guys."