Introduction

The ATT&CK framework is a product of MITRE, one of the federally funded research and development centers (FFRDCs) designed to support the U.S. government in general and the Department of Defense (DoD) in particular. MITRE’s duties include performing research and development and trusted third-party assessments and evaluations for the U.S. government.

The ATT&CK framework is a tool designed by MITRE to aid discussion and education connected to cybersecurity topics. The ATT&CK framework breaks the life cycle of a cyberattack into its component stages and describes the various means that each stage could be accomplished by an attacker. These descriptions include affected systems and ways to detect and mitigate the particular tactic.

The ATT&CK framework has a variety of different applications. It helps with discussion of cybersecurity topics by standardizing language and understanding of certain attack vectors. It can also be applied to the design of cyber defenses and penetration testing by providing a framework to which efforts can be mapped.


What is forced authentication?

One of the stages in the cyberattack life cycle described in the MITRE ATT&CK framework is credential access. This stage covers all of the various ways that an attacker can steal user credentials. These credentials can then be used to gain initial access to a system or elevate an attacker’s privileges on a compromised system.

One of the tactics within the credential access stage of an attack is forced authentication. This tactic describes the exploitation of the Server Message Block (SMB) protocol on Windows machines to send user credentials to an attacker-controlled machine.

The SMB protocol is designed to authenticate with remote systems. This is useful for file sharing, and Windows’ integrated automatic authentication means that this can be performed transparently to the user. When trying to access a resource on a remote server, SMB will first try with no credentials; if it is unsuccessful, it will then send the NTLM network authentication challenge response.

This integrated authentication is useful when dealing with a legitimate remote server; however, it can also be exploited. If an attacker can force an SMB connection to a remote server, they will be sent a copy of the user’s NTLM network authorization challenge response.

From this information, the attacker can then calculate the user’s NTLM password hash, which can then be cracked to reveal the user’s password. Since Hashcat can brute-force an eight-character NTLM password (the default minimum length) in under 2.5 hours, this represents a significant security risk.

Examples of forced authentication

In order for an attacker to get a copy of a user’s NTLM password, they need to force an SMB connection to a remote server. However, this can be very simple to do.

Until April 2018, Microsoft Outlook contained a bug that would allow an attacker to force an SMB connection if a user even previewed a malicious email. If a user received a Rich Text Format (RTF) email containing an OLE object hosted on a remote server, then the email program would try to load the OLE object in the email preview. Accomplishing this would require connecting to the remote server, and the remote server could require authentication, which would cause the user’s machine to send their authentication information as well. The attacker could then crack the user’s password and use it to gain access to their machine.

After the vulnerability was discovered and reported, Microsoft put out a patch for this vulnerability. However, any action that can result in an SMB connection being performed to a remote system could result in leaking a user’s authentication information.

Detection and mitigation

Exploitation of this vulnerability requires SMB or WebDAV traffic (an HTTP-based SMB backup) to go to a system under the attacker’s control. Assuming that the attacker does not already have a foothold on the organization’s network, this requires this traffic to cross the network perimeter. An organization can detect this occurring by looking for and block traffic on TCP ports 139, 445 and UDP port 137. If an organization has a legitimate need for SMB traffic to exit the network, it should implement IP whitelisting to limit connections to approved external systems.

This type of attack can also be prevented by looking for file formats that can contain pointers to remote resources (.SCF, .LNK, etc.). By monitoring for these files and inspecting them for links to remote resources, an organization can ensure that a computer does not send authentication information to attacker-controlled systems.

Finally, the goal of this attack is to give an attacker access to password hashes that can be cracked to reveal user passwords. However, the difficulty and feasibility of password-cracking depends upon the complexity of the user’s passwords. If an organization can implement and enforce a strong password policy, then it may be impossible for an attacker to crack user passwords even if they gain access to password hashes.

Conclusion: Protecting against forced authentication

Forced authentication is a little-known vector for stealing a user’s login credentials. By taking advantage of Windows’ willingness to send user account credentials to a remote server, an attacker can gain access to password hashes for cracking.

Since this attack requires the attacker to use SMB or WebDAV, it is relatively easy for an organization to detect and block by filtering these traffic types at the network border. Other defensive measures can include scanning for types of files that can be used to force a link to a remote server and encouraging strong passwords for users that are harder for an attacker to crack even if the attack is successful.

 

Sources

  1. Forced Authentication, MITRE
  2. I can get and crack your password hashes from email, CSO
  3. Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs, The Register
  4. Vulnerability in Outlook let hackers to steal password hashes, Information Security Newspaper