Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Active Directory Vulnerability Puts Enterprise Services at Risk

A vulnerability in Microsoft’s Active Directory service can be exploited by an attacker to change a targeted user’s password, Active Directory protection solutions provider Aorato reported.

A vulnerability in Microsoft’s Active Directory service can be exploited by an attacker to change a targeted user’s password, Active Directory protection solutions provider Aorato reported.

 Active Directory’s Single Sign On (SSO) authentication uses the NTLM and Kerberos protocols. NTLM generates a hash which is utilized as a replacement for the user’s password, while Kerberos exchanges the password for what is known as a “ticket,” an element that contains relevant authentication and authorization information.

Kerberos is newer and more secure than NTLM, but NTLM is still enabled by default for compatibility reasons.

The problem, according to the security company, is that Microsoft added support in Kerberos for an encryption algorithm called RC4-HMAC, which uses the NTLM hash as its key. Because of this, an attacker that can obtain a user’s NTLM hash, can also get a valid Kerberos ticket.

The NTLM hash is stored by default on all devices that connect to an organization’s resources. A local attacker can steal the NTLM hash from the memory of the victim’s machine with publicly available penetration testing tools such as WCE and Mimikatz, but the hash can also be obtained remotely from LAN traffic, Tal Be’ery, vice president of research at Aorato, told SecurityWeek.

Once the hash is obtained, it can be used as the RC4-HMAC key for Kerberos authentication against Kadmin, the Active Directory module that handles authentication requests for password changes. The attacker can then use the victim’s account to gain access to various enterprise services, such as Outlook Web Access and Remote Desktop Protocol.

To make matters even worse, such attacks are not logged by Windows’ internal logging systems.

“Logged events miss the vital indication of an identity theft attack. The attacker can perform this activity unbeknownst to event logs, making log-based SIEMs and Big Data Security Analytics useless against these kinds of advanced attacks,” Be’ery explained in a blog post.

Active Directory is utilized by 95% of Fortune 1000 organizations so the vulnerability has been catalogued by Aorato as “highly sensitive.” Microsoft has confirmed the researchers’ finding, but the company says it can’t address the problem because it stems from a well-known limitation in the Kerberos protocol.

“This report is about a limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120), that is well-known within the industry, whereby an attacker can authenticate as a user, or change that user’s password, if they know that user’s secret key. Possession of a user’s password-derived secret keys (RC4 and AES by default) is validated during the Kerberos password change exchange per RFC 4757,” Microsoft said. “The user’s plaintext password is never provided to the Key Distribution Center (KDC) and Active Directory (AD) domain controllers do not possess a copy of plaintext passwords for accounts by default. If the Domain Controller (DC) does not support a Kerberos encryption type then that secret key is not allowed to be used to change a password.”

Aorato has provided a list of techniques that can be used to mitigate attacks.

This isn’t the first time Aorato analyzed Active Directory authentication protocols. Back in May, the company found that disabled user accounts can remain valid for up to 10 hours after being revoked, giving attackers the opportunity to leverage them to access an organization’s network.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.