Meeting the InCommon Assurance profile criteria using Active Directory

[Brian Arkills <>]

Here's some follow-up material on the outstanding action item I had to double-check and provide some research behind the assertion that NTLMv2 doesn't have replay attack vulnerabilities. I find that the assertion is partially true and partially false. Which means we need to determine whether there is additional follow-up in terms of mitigating configuration suggestions or alternative means.

 

http://media.blackhat.com/bh-us-10/presentations/Ochoa_Azubel/BlackHat-USA-2010-Ochoa-Azubel-NTLM-Weak-Nonce-slides.pdf (and http://www.hexale.org/advisories/OCHOA-2010-0209.txt) describes vulnerabilities in the challenge/response process for NTLMv1 and NTLMv2 when used with the SMB protocol. NTLM when used w/o NTLMSSP/extended security has a replay vulnerability because the randomly generated challenge seed is not truly random.

 

http://blogs.technet.com/b/srd/archive/2009/04/14/ntlm-credential-reflection-updates-for-http-clients.aspx?Redirected=true talks a bit about a patch that address the same kind of attack using NTLMv1/v2 via the HTTP protocol, and how Microsoft is generally aware of this style of attack and is actively working to address it.

 

At the abstract level, these describe this vulnerability as a passive/eavesdropper collection of prior challenges (involving the specific client involved) that can lead to the ability to perform a successful replay attack and establishment of a session on that client. This is pretty similar to the Kerberos stuff below in that it is a combination of attack profiles (passive + active) and only results in a compromised session (in this case on the client computer).

 

However ... it appears that the discussion in the above sources is arbitrarily limited, and you can in fact leverage this vulnerability in combination with a "pass the hash" style attack to "relay" credentials to any other network resource that user is permitted to. Sources that discuss this are:

 

http://www.h-online.com/security/news/item/Authentication-under-Windows-A-smouldering-security-problem-1059422.html which talks about the same NTLMv1/v2 vulnerability across many protocols and scenarios.

 

http://www.tarasco.org/security/smbrelay/index.html which implements a relay exploit tool to demonstrate protocol transition. As noted in the "Update" section, this tool was partially limited by MS08-068 (which they likely pre-empted by releasing their tool), but you can still use the session establishment in combination with pass the hash.

 

So ... is NTLMv2 resistant to replay attacks? Kind of hard to say yes or no without a really qualified answer. Yes, it has some replay attack resistance, but that resistance falls over when combined with other attacks.

 

 

From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, April 12, 2013 3:19 PM
To: ''
Subject: [AD-Assurance] RE: 4.2.5.1 update

 

Here's some material for the Kerberos follow-up.

 

http://www.blackhat.com/presentations/bh-europe-09/Bouillon/BlackHat-Europe-09-Bouillon-Taming-the-Beast-Kerberous-whitepaper.pdf discusses the various security issues known for Kerberos as of 2009. The techniques discussed there include "KDC spoofing" which requires that the Kerberos enabled service doesn't do the full exchange it should do, a replay attack which uses a sniffed AP exchange in a later TGS attack against the Kerberos enabled service involved in that AP exchange, and a "pass the ticket" attack which combines the two in a Windows environment to get a TGS. There is also some discussion of user impersonation attacks to get a TGT, but it's pretty clear that the Windows implementation is safe from this, although given elevated access on a single domain-joined computer, it is possible to steal & re-use a "computer's" principal and use it to enumerate domain resources.

 

http://csis.bits-pilani.ac.in/faculty/sundarb/courses/old/spr06/netsec/evals/project/projrefs/kerb/AIWSC03_kerberos_replay_attacks.pdf was the other Kerberos attack paper I had previously dug up. It discusses the very same replay attack discussed in the blackhat paper above, except in a more understandable form, and in more detail.

 

So these attacks can result in a TGS, but not a TGT. Put together in the "pass the ticket" attack, they constitute a man-in-the-middle profile. There are replay elements, but the replay elements by themselves can't result in a TGT. Likewise, there are eavesdropper elements, but those can't result in a TGT either. I don't see any issue worth noting as a gap here for the context of 4.2.5.1 or 4.2.5.2, except for one very specific scenario: AD is the IdP, and the TGS which is attacked involves the IdP token issuing service.

 

I'm certain that RFC4120 (FAST or Kerberos armoring)--as implemented in WS2012 DCs--would mitigate that very specific scenario. There may be other mitigations or it's possible that with a closer analysis this scenario isn't actually vulnerable.

 

In the interest of sending this today before the weekend, I'm not evaluating whether that risk is negligible before sending this email. :)

 

In summary, I think we can claim Kerberos is resistant in both 4.2.5.1 & 4.2.5.2, but there is still that very specific scenario that needs a bit more thought/examination.

 

From: Brian Arkills
Sent: Friday, April 12, 2013 8:58 AM
To:
Subject: 4.2.5.1 update

 

I've updated the gaps cell for 4.2.5.1. NTLMv2 was changed to remove the word "well" and Kerberos was changed to "Resists replay attack".

 

http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219 is a pretty well-researched reference for hash passing attacks and replay attacks against Windows. Some possible alternative means could be culled from it for the NTLMv2 gap. The most notable/effective mitigation would be the "Restrict NTLM" setting which allows turning off NTLMv2. http://technet.microsoft.com/en-us/library/dd560653(v=ws.10).aspx introduces this topic, with http://technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx discussing the options first supported by Windows 7 & Windows Server 2008R2. It seems reasonable that you could require that level for DCs, but I might be off base.

 

I'm still running down some details on the Kerberos front around whether my change should be more nuanced.

 

-B