Protecting Against Legacy Protocol Abuse
The cyber security consequences of technical debt
“Our job is to make everyone’s worst nightmare come true.”
– Tim McGuffin, Lares Consulting
Tim McGuffin and I go way back. Tim is the Senior Red Team manager with Lares Consulting. A self-described “hacker in the old school sense of the word,” Tim takes protocols and systems apart, figures out how they work, and then bends them to his will.
Speaking to a room of C-level professionals at the Houston Cyber Summit last week, I teamed up with this “old school hacker” to demonstrate an attack that can affect everyone’s network – legacy protocol abuse in the Windows environment.
The history lesson
Active Directory (AD) has been around since Y2K. Widely integrated into the enterprise, companies across every industry leverage AD today. However, not many organizations routinely rebuilt their domains as they upgraded AD functionality. As a result, we're seeing a lot of old gear managing very critical systems: Windows New Technology (NT) and NT LAN Manager, known as NTLM, are 24 years old, and NTLM is built on DES encryption, which is 42 years old this year.
True, these are features in Windows that can be used to ensure backward compatibility. Often implemented to prolong the use of older software while reducing impact on the user, this approach leaves AD vulnerable to compromise – but it works!
The problem with this line of reasoning is that it creates technical debt in the environment – a collection of neglected legacy applications in need of configuration, maintenance, and upkeep. This technical debt leads to open back doors for attackers to exploit. The common expression you hear when bringing this up with operational departments in companies is “If it ain’t broke – don’t fix it.”
For our Houston demonstration scenario, we chose a Windows Server 2008 installation. Up to and including 2008, Microsoft allowed the print spooler service to be enabled by default. (Check out Tim’s GitHub page for detailed information on the tooling used to execute this attack.) Not many people use their domain controllers as print servers anymore, but up to and including 2008 that was an included feature.
Using that piece of information, we demonstrated a privilege escalation compromise as follows:
- Steal a standard user password via phishing. This follows the “assume breach” model, in which we assume that a user will be compromised by password spraying, credential stuffing, malware delivered via e-mail or “drive-by download,” or related methods.
- Use those credentials to capture an internal authentication. Tools such as responder.py and Inveigh make capturing internal authentication incredibly simple to run and difficult to detect and alert on. Instead of looking for user password hashes to crack, we use this step to get a copy of the encrypted secret key that is created whenever a domain is first created. This encrypted secret key is used to authenticate any NTLM conversation in the network.
- Crack the secret key used for that domain’s account. Since we control the challenge sent in the previous step, we know two of the three items (user password and hashed key value) needed to forge a Kerberos ticket request to an AD member server or domain controller. Instead of using raw computation to crack the key, we can use precomputed rainbow tables covering all possible NTLMv1 secret key values, which reduces recovery of the secret key to a database lookup.
- Use that cracked key to create a Kerberos ticket for Domain Administrator. Once we have that secret key value, we can create Kerberos tickets for any user in the domain. Domain Administrator is an obvious choice, but depending on your threat model the attacker may choose to go after the CEO, other C-level executives, HR, or Payroll administrators.
For those who couldn’t make it to the demo, Tim recorded a demo video prior to the conference to ward off the dreaded demo gremlins.
In less than twenty minutes the attacker can become anyone in the domain. They can access your SharePoint, your file stores, your databases, your HR information, and any application in your domain that authenticates against Windows, which in most cases is nearly all of them. They can digitally impersonate any user, posing as the CEO, the CFO, the chief legal associate, HR management, anybody.
“Less than 20 minutes to total domain compromise.”
– Tim McGuffin, Lares Consulting
With Domain Administrator privilege the adversary can:
- Spoof the CEO. The first thing an attacker does after getting into your network with the intention of impersonating your users is to create Exchange mail rules that delete every copy of the messages the attacker sends. In some cases the adversary even plants a falsified email trail in the mailbox, so that when someone later reviews it as a detective control, all they see are missing or falsified emails.
- Impersonate a trusted domain controller. Using secretsdump, another tool out of the Impacket suite, adversaries can initiate trusted communications with the domain controller: “Hey, I'm actually another domain controller on the network. What you need to do is give me the authority to synchronize all the user information that you have – user account passwords, encryption keys, and all your data.” Password hashes for the administrator accounts can then be passed directly to several applications. The dump also includes your Data Protection API (DPAPI) keys, which is how Windows encrypts data for individual users. Access to these means intruders can recover Credential Manager entries, VPN connections, and saved application credentials, and that in turn lets the attacker impersonate users across different applications like Facebook, Twitter, LinkedIn and others.
- Exploit eDiscovery requirements. Most companies have a legal hold procedure under which sensitive data is isolated and kept available on the Exchange server. From an attacker's standpoint, eDiscovery portals make a great target because they support keyword searches across every mailbox in the environment and render a pretty nice report. So as soon as an attacker has a foothold, they can search for keywords like “passwords,” pull a report, and start carving through mailboxes.
- Leverage golden tickets for persistence in domains. Once you have one, you can re-enter the domain at any time in the future and regain Administrator privileges. It’s the type of foothold that allows attackers to take their time observing your company’s operations and process cadence before using that Administrator access for the most impact.
McGuffin’s conclusion was crisp and concise. He predicts attacks like this will likely increase over the next three to six months, and that if the technique hasn't been adopted by nation-states yet, it will be shortly, given the computing power involved. Be scared. Secure your networks.
“I want them to understand the real risks and actually secure their networks.”
– Tim McGuffin, Lares Consulting
Here's the reality
Cyber attacks happen every day, multiple times a day. This is nothing new. As a result, we have adopted the “assume breach” approach. You know there's going to be an infection. You know there's going to be a successful bypass of security controls. It may come through phishing, social engineering, or watering hole attacks, where service companies or companies in a particular sector are attacked and compromised because they serve another, possibly more lucrative, target.
100% prevention is not possible. It's an ideal goal, and we should all strive towards it, but understand that you cannot prevent 100% of attacks. Assume that the attackers will get in. Our goal is to make it more difficult for them to pivot, to move within the environment, and to increase their access. “Detection and response” is the name of the game. We want to reduce the amount of time they have access.
How do we do that?
Here’s what you can do
No question, there are many tools that can detect the components of this attack method. Many assessment tools detect NTLMv1 in use and detect that a print spooler service is installed and enabled on the domain controller. But would you know to look for it?
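As an added example of what “looking for it” means in practice (this is not code from the article, from Lares, or from the tooling on Tim’s GitHub page), the Python below triages constructed samples of Windows Security event 4624 for the “NTLM V1” package name that reveals NTLMv1 still being negotiated, the precondition for the capture-and-crack steps above, and encodes what the LmCompatibilityLevel policy value means for whether a host can still send or accept NTLMv1. Host names, accounts and addresses in the samples are invented.

```python
import re

# Constructed sample bodies of Windows Security event 4624 (successful logon).
# Field names follow the real event layout; hosts, accounts and addresses are invented.
# A real event also carries a "Subject" Account Name before "New Logon"; because the
# parser keeps the last value seen, the New Logon account is the one reported.
SAMPLE_EVENTS = [
    "New Logon:\n\tAccount Name:\t\tDC01$\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tRESP-HOST\n\tSource Network Address:\t10.0.5.99\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t56\n",
    "New Logon:\n\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\tWS-042\n\tSource Network Address:\t10.0.5.17\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp\n"
    "\tAuthentication Package:\tNTLM\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n",
    "New Logon:\n\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t10.0.5.17\n"
    "Detailed Authentication Information:\n\tLogon Process:\t\tKerberos\n"
    "\tAuthentication Package:\tKerberos\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n",
]

FIELD = re.compile(
    r"^\s*(Account Name|Workstation Name|Source Network Address|Package Name \(NTLM only\)):\s*(.*?)\s*$",
    re.M,
)

def parse_4624(body):
    """Extract the few fields needed to triage the NTLM version used by a logon."""
    return {name: value for name, value in FIELD.findall(body)}

def find_ntlmv1(events):
    """Return (account, source address) for every logon that authenticated with NTLMv1.
    A domain controller machine account (DC01$) showing up here deserves immediate attention."""
    hits = []
    for body in events:
        fields = parse_4624(body)
        if fields.get("Package Name (NTLM only)", "").upper() == "NTLM V1":
            hits.append((fields["Account Name"], fields["Source Network Address"]))
    return hits

# LmCompatibilityLevel ("Network security: LAN Manager authentication level"):
# 0-2 still send LM/NTLMv1 responses, 3-4 send NTLMv2 only, 5 also refuses NTLMv1 as a server.
def client_may_send_ntlmv1(level):
    """True if a host at this policy level can still answer a challenge with NTLMv1."""
    return level < 3

def server_accepts_ntlmv1(level):
    """True if a DC or server at this level still accepts NTLMv1 from clients."""
    return level < 5
```

Run the same triage over exported 4624 events from every domain controller and member server; any NTLMv1 hit, and any host below LmCompatibilityLevel 5, is the legacy debt this article is about.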
“You don’t know what you don’t know. An experienced cyber specialist can offer insights on the hacker’s perspective of your network.”
– Aaron Bayles, Revolutionary Security
Having the understanding to anticipate this scenario and the experience to foresee how seemingly disparate components can be combined to create this attack is crucial. There's a behavioral component that requires experience beyond detection tools. From a consultant's perspective, I would say that's why you need to have an assessment performed, not just by a tool, but by experienced personnel with a background in operations.
Is technical debt leaving you open to cyber attacks? Talk to one of our cyber security experts to discuss things your organization should look out for.
About the Author
Aaron is a Principal Security Consultant and the OT Testing and Assessment Services Lead at Revolutionary Security. Aaron is responsible for developing, leading, and executing OT projects that include physical walk-downs, passive and active vulnerability assessments, and penetration testing. Prior to joining Revolutionary Security, Aaron worked for over 22 years within the oil & gas, financial, government, energy, and education industries, focused on information and cyber security in both IT and OT. He has performed assessments and testing against building automation, commercial spaceflight support, remote scientific, manufacturing floor, and oil & gas production environments. Aaron regularly participates in and speaks at security conferences around the United States, including DEF CON, DerbyCon, HouSecCon, and LockDown.