A vulnerability in Microsoft’s Active Directory service can be exploited by an attacker to change a targeted user’s password, Active Directory protection solutions provider Aorato reported.
Active Directory’s Single Sign On (SSO) authentication uses the NTLM and Kerberos protocols. NTLM generates a hash which is utilized as a replacement for the user’s password, while Kerberos exchanges the password for what is known as a “ticket,” an element that contains relevant authentication and authorization information.
Kerberos is newer and more secure than NTLM, but NTLM is still enabled by default for compatibility reasons.
The problem, according to the security company, is that Microsoft added support in Kerberos for an encryption algorithm called RC4-HMAC, which uses the NTLM hash as its key. Because of this, an attacker that can obtain a user’s NTLM hash, can also get a valid Kerberos ticket.
The NTLM hash is stored by default on all devices that connect to an organization’s resources. A local attacker can steal the NTLM hash from the memory of the victim’s machine with publicly available penetration testing tools such as WCE and Mimikatz, but the hash can also be obtained remotely from LAN traffic, Tal Be’ery, vice president of research at Aorato, told SecurityWeek.
Once the hash is obtained, it can be used as the RC4-HMAC key for Kerberos authentication against Kadmin, the Active Directory module that handles authentication requests for password changes. The attacker can then use the victim’s account to gain access to various enterprise services, such as Outlook Web Access and Remote Desktop Protocol.
To make matters even worse, such attacks are not logged by Windows’ internal logging systems.
“Logged events miss the vital indication of an identity theft attack. The attacker can perform this activity unbeknownst to event logs, making log-based SIEMs and Big Data Security Analytics useless against these kinds of advanced attacks,” Be’ery explained in a blog post.
Active Directory is utilized by 95% of Fortune 1000 organizations so the vulnerability has been catalogued by Aorato as “highly sensitive.” Microsoft has confirmed the researchers’ finding, but the company says it can’t address the problem because it stems from a well-known limitation in the Kerberos protocol.
“This report is about a limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120), that is well-known within the industry, whereby an attacker can authenticate as a user, or change that user’s password, if they know that user’s secret key. Possession of a user’s password-derived secret keys (RC4 and AES by default) is validated during the Kerberos password change exchange per RFC 4757,” Microsoft said. “The user’s plaintext password is never provided to the Key Distribution Center (KDC) and Active Directory (AD) domain controllers do not possess a copy of plaintext passwords for accounts by default. If the Domain Controller (DC) does not support a Kerberos encryption type then that secret key is not allowed to be used to change a password.”
Aorato has provided a list of techniques that can be used to mitigate attacks.
This isn’t the first time Aorato analyzed Active Directory authentication protocols. Back in May, the company found that disabled user accounts can remain valid for up to 10 hours after being revoked, giving attackers the opportunity to leverage them to access an organization’s network.