Kerberos, NTLM and SAM: 3 Ways Attackers Can Crack Passwords
In a previous blog, we discussed the prevalence of weak passwords in the Enterprise. The fact of the matter is, once an attacker gains access to password challenges and exfiltrates them for offline cracking, they can crack them in most cases.
So, the big question is: How does an attacker get their hands on password challenges for cracking?
Let me demonstrate three common techniques an attacker uses to get password challenges: Kerberos tickets, NTLM challenges, and (SAM) account databases.
Kerberos is justifiably considered a more secure protocol than NTLM. The main reason is that when two network entities authenticate they don’t send password challenges to each other. However, there are two common scenarios where (questionable) network configurations allow for password cracking:
- Cracking Ticket Granting Server (TGS) to a service account (Kerberoasting)
In this attack, an attacker requests a TGS to a service. As it turns out, in many cases, the TGS is signed with the credentials for the service account running the service. The attacker can then take the generated TGS and send it for offline password cracking (using this code for example).
This attack is very appealing for several reasons:
- No special permissions are needed to run this attack. Any authenticated user is able to create any TGS they desire.
- The service principal names (SPN) for these TGSs can be scanned for and detected automatically without previous knowledge on the network.
- In many cases, the service accounts behind these services have elevated privileges. For more details about this attack check out Sean Metcalf’s great blog on the subject.
- Cracking Ticket Granting Tickets (TGT)
Here an attacker can take advantage of two attack vectors.
TGT with no pre-auth
This is a somewhat less well-known attack vector. In the past, any user could issue a TGT with any user principal under the assumption that only the real user would be able to use the generated ticket as it was generated with their master key (derived from the user’s password).
It was later discovered that this means that an attacker with network access could create password challenges in the form of TGTs and crack them. To combat this, Kerberos V5 introduced pre-authentication. Our research here at Preempt revealed that in many networks pre-authentication is sometimes turned-off for certain users to enable testing and automation.
When an attacker is able to see the communication between workstations and domain controllers, he can sniff the TGT requests and crack them. When a workstation is located physically in the network, the ability to sniff Kerberos traffic probably means the network was already severely compromised. But, another interesting scenario is what happens when a user connects his workstation from an insecure network (e.g. WiFi). In this case, if the attacker has access to the network’s traffic they will be able to crack a user’s password. This is one of the reasons that Preempt alerts and raises the risk score of privileged accounts using unsecured networks (e.g. WiFi, VPN).
As I mentioned in a previous blog post about NTLM, one of the major risks with NTLM is the fact that it enables offline password cracking. Basically, this means that every time a user authenticates with NTLM, they expose their password to offline cracking. An attacker can take advantage of this in two main ways:
- Wait for challenges
After an attacker gets a foothold in the network and assumes control over several endpoints, they can simply wait for users to authenticate and expose their credentials. As it turns out, in many organizations, there are privileged users that perform scheduled tasks on all endpoints (e.g. AV management) and their credentials are easily exposed in this manner.
- Induce challenges
Attackers can create malicious emails or internet pages (typically with an IMG tag) that induces users to send out an NTLM challenge. This challenge can either be redirected or simply just cracked.
Security Accounts Manager (SAM) databases
When an attacker takes control over an endpoint, they can dump all password hashes from the local (SAM) account database. This is especially easy as local NTLM hashes contain no salt. This makes offline cracking especially easy. A common attack vector in this scenario is to simply dump all password hashes from the domain controller.
Now, I know what you are thinking, if the attacker has access to the domain controller, does he even needs passwords any more?! The answer is a resounding yes. Plain-text passwords are always important. One reason, it that even post-breach, many users will not change their already breached password exposing the organization to years of lacking security.
Since more than half of all breaches are exploiting credentials, understanding all of the gaps that an attacker might be able to take advantage of to crack user passwords is critical. Having this knowledge can help you better close the gaps and tighten up areas of vulnerability.
To learn more about the overall password health in your organization, try out Preempt’s FREE Preempt Lite to run an Enterprise Password Health Assessment report.
Posted by Yaron Zinar on March 23, 2017 9:25 AM