Exploiting Windows Authentication Protocols: Introduction
SMB relay attack
Exploiting weak Windows authentication protocols is at the top of the list for any adversary, because these attacks mostly rely on design flaws in the protocols themselves. They are easy to carry out and can give the adversary access to remote systems with almost no alert from defensive systems such as an IPS or AV.
In this series of articles, I would like to go through the details of some authentication attacks such as the SMB relay attack, pass the hash, pass the token, LM/NTLM cracking and others. In this article, I will start with the SMB relay attack, one of the most common and powerful techniques for getting access to a fully patched and secure system.
The SMB relay attack takes advantage of a weakness in the NTLM authentication protocol to perform a man-in-the-middle between two systems, which allows the adversary to gain administrative access to its target. To fully understand the details of the SMB relay attack and the other attacks in the coming articles, I would like to start with an introduction to some common terms and concepts: the SMB protocol, hashes and the different types of password hashes in Windows, and finally the Windows authentication protocols NT/NTLM.
So, what is SMB?
The Server Message Block (SMB) protocol is a network file-sharing protocol; as implemented in Microsoft Windows it is known as the Microsoft SMB Protocol. SMB lets you share files, disks, directories, printers and more. Before Windows 2000, SMB ran over NetBIOS over TCP/IP on port 139, so a NetBIOS session was required to establish an SMB connection.
Starting with Windows 2000, SMB can run directly over TCP/IP on port 445 without a NetBIOS session. Since SMB provides features such as file manipulation, shares, messaging, IPC and more, it is one of the most attractive services for attackers during the enumeration and exploitation phases.
Samba, on the other hand, is the UNIX implementation of SMB. Samba gives clients the ability to access UNIX directories and files via the SMB protocol, exactly as if they were talking to a Windows server. Samba now runs on multiple platforms and is an essential part of most Linux distributions.
What about password hashes?!
A password hash is a string generated from the clear-text password by a special one-way function, for example MD5, which is easy to compute but very difficult to reverse. Most systems store passwords in hashed form to protect and hide the original password.
I will describe a general workflow for the most common use of password hashes, which is account registration on a website or a system:
First-time user registration
- The user creates an account by providing a username, password, and other information.
- The password is hashed and stored in the database using SHA1 or another hashing algorithm.
- When the user tries to log in, the provided password is converted into a hash using the same hashing algorithm, and it is checked against the hash of the real password stored in the database.
- If the hashes match, the user is granted access. Otherwise, access is denied.
You can try different hashing algorithms using this online tool.
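The registration and login workflow above, as an added example that is not code from the original article: the unsalted SHA1 storage the steps describe beside a salted, iterated PBKDF2 variant, with a constructed in-memory dictionary standing in for the database. The usernames and passwords are made-up sample values.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the database in the registration workflow.
USERS = {}

def register(username, password, scheme="sha1", iterations=600_000):
    """Steps 1-2 of the workflow: store a hash of the password, never the password.
    scheme="sha1"   -> the unsalted single hash the article describes.
    scheme="pbkdf2" -> per-user random salt plus iterated PBKDF2-HMAC-SHA256.
    """
    pw = password.encode("utf-8")
    if scheme == "sha1":
        USERS[username] = {"alg": "sha1", "hash": hashlib.sha1(pw).digest()}
    elif scheme == "pbkdf2":
        salt = os.urandom(16)  # fresh random salt per account
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
        USERS[username] = {"alg": "pbkdf2", "salt": salt, "iter": iterations, "hash": digest}
    else:
        raise ValueError(f"unknown scheme {scheme!r}")

def verify(username, password):
    """Steps 3-4: re-hash the supplied password with the stored parameters and compare."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw = password.encode("utf-8")
    if rec["alg"] == "sha1":
        candidate = hashlib.sha1(pw).digest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", pw, rec["salt"], rec["iter"])
    # Constant-time comparison so the match check itself does not leak hash bytes.
    return hmac.compare_digest(candidate, rec["hash"])

def same_stored_hash(user_a, user_b):
    """True when two accounts hold byte-identical hashes: with unsalted SHA1, equal
    passwords show up as equal hashes in the database; with a per-user salt they do not."""
    return USERS[user_a]["hash"] == USERS[user_b]["hash"]

if __name__ == "__main__":
    register("alice", "Winter2024", "sha1")
    register("bob", "Winter2024", "sha1")
    register("carol", "Winter2024", "pbkdf2")
    register("dave", "Winter2024", "pbkdf2")
    print("alice login:", verify("alice", "Winter2024"))                        # True
    print("alice, wrong case:", verify("alice", "winter2024"))                  # False
    print("alice/bob hashes equal (sha1):", same_stored_hash("alice", "bob"))      # True
    print("carol/dave hashes equal (pbkdf2):", same_stored_hash("carol", "dave"))  # False
```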
LM, NTLM, and Kerberos in a nutshell
Before I go deeper into the difference between LM and NTLM, let's look at the history in a nutshell. The very first authentication scheme was LM (LAN Manager) with the LM hash, which turned out to be very simple and easy to crack. As a result, it was replaced by NTLMv1/NTLMv2 with the NT hash, and finally by the famous Kerberos.
LM or LANMAN hash!
LM or LANMAN is the original way Windows stored passwords; it is the easiest hash in history to crack, and here is how it is generated:
- The password is converted to uppercase.
- The password must be exactly 14 characters, either by padding with NULL bytes (‘