BoWeaver.com Why are you here?


NTLM Spoofing
It's Child's Play.

You've been pwned!

Yes, I have just cracked your Windows password in 3.4 seconds.



NTLM, and the NetBIOS Name Service (NBNS) that this attack abuses, were designed with small office networks in mind: every computer is friendly, runs the same operating system, and the network is closed off from the rest of the world. A real LAN (Local Area Network), not connected to a public network. On a network like that NTLM is not an issue and actually works quite well.

NTLM comes from the days of NT4. Since Windows 2000, Active Directory has handled authentication in a Windows domain. Active Directory is a combination of open protocols: Kerberos 5 for authentication, LDAP for directory services and DNS for name lookups. All three are TCP or TCP/UDP protocols that use point-to-point communication between the client and the server service. NBNS, by contrast, resolves names with UDP broadcasts (port 137) that every host on the subnet receives, and any of those hosts can answer.

From Wikipedia: https://en.wikipedia.org/wiki/NTLM

NTLM is still used in the following situations:

  • The client is authenticating to a server using an IP address
  • The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust
  • The client is authenticating to a server that doesn't belong to a domain
  • No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer")
  • Where a firewall would otherwise restrict the ports required by Kerberos (typically TCP 88)
When a user connects to a service by computer name, Windows tries the following, in order, to resolve the name to an IP address:

    1. local hosts file – C:\Windows\System32\drivers\etc\hosts
    2. DNS
    3. NBNS (Vista and later also try LLMNR, a multicast protocol with the same weakness, between DNS and NBNS)

    One would ask how a name lookup gets past DNS to an NBNS lookup. By design. Windows may use DNS for lookups in a domain, but users and applications still like the short NetBIOS form of a machine name, so instead of asking for //ATL-BOWEAVER.corp.companyname.net the machine asks for //ATL-BOWEAVER. If DNS cannot resolve that name (a typo, a decommissioned host, a name that was never registered), Windows falls back to an NBNS broadcast asking "who is ATL-BOWEAVER?" over the whole subnet. Anyone on that subnet can answer "I am", and the client then connects to the answering machine and authenticates to it, handing over the NTLM challenge/response for my domain account. The attacker does not see my password in the clear, but the challenge/response is enough: since the attacker is playing the server, the attacker picks the challenge, captures the response, and cracks it offline at leisure. The domain controller never sees this exchange.

    Basically NBNS is screaming "where is ATL-BOWEAVER?" over the cube walls, and NTLM then trusts whoever shouts back. AD/DNS is a quiet conversation between two people.
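The broadcast and the spoofed answer described above, as an added example that is not code from this page or from the packetstan article. It builds the NBNS query a client sends to UDP/137, the positive response a spoofer sends back, a parser for that response, and a canary check: query a name no real host has, and anyone who answers is a spoofer. The names, transaction IDs and addresses (10.0.0.66, 10.0.0.5) in demo() are constructed; probe() is the same check on a live network.

```python
"""NBNS (NetBIOS Name Service, UDP/137) query/response packets and a canary
check for spoofers. Added example; not from the original page."""
import random
import socket
import string
import struct

NB_TYPE = 0x0020          # NetBIOS general name service record
IN_CLASS = 0x0001
QUERY_FLAGS = 0x0110      # opcode QUERY, recursion desired, broadcast
RESPONSE_FLAGS = 0x8500   # response, authoritative answer, recursion desired


def encode_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: pad the name to 15 bytes with spaces,
    append the suffix byte (0x20 = file server, 0x00 = workstation), then
    write each nibble of each byte as 'A' + nibble. Wire form is a length
    byte (0x20), the 32 encoded characters and a terminating 0x00."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"


def decode_name(enc32):
    """Inverse of the 32-character part of encode_name; returns (name, suffix)."""
    raw = bytes(((enc32[i] - 0x41) << 4) | (enc32[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_query(name, txid):
    """The broadcast a Windows client sends when DNS could not resolve `name`."""
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def build_positive_response(name, txid, ip, ttl=165):
    """A positive name query response claiming that `name` lives at `ip`.
    This is what a spoofer sends back to every query it hears."""
    rdata = struct.pack("!H4s", 0x0000, socket.inet_aton(ip))  # NB_FLAGS (B-node, unique) + NB_ADDRESS
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    answer = encode_name(name) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + answer


def parse_response(pkt):
    """Parse a positive name query response into a dict, or None if `pkt` is not one."""
    if len(pkt) < 62:  # header 12 + encoded name 34 + RR fields 10 + rdata 6
        return None
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1 or pkt[12] != 0x20:
        return None
    name, suffix = decode_name(pkt[13:45])
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != NB_TYPE or rdlen < 6:
        return None
    _nb_flags, addr = struct.unpack("!H4s", pkt[56:62])
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "ip": socket.inet_ntoa(addr)}


def random_name(length=12):
    """A canary name no real host has (NetBIOS names are at most 15 characters)."""
    return "".join(random.choice(string.ascii_uppercase + string.digits) for _ in range(length))


def spoofer_check(canary, txid, replies):
    """`replies` is a list of (udp_source_ip, packet). Nobody owns the canary
    name, so any positive answer for it comes from a spoofer.
    Returns [(source_ip, address_claimed_in_answer), ...]."""
    suspects = []
    for src, pkt in replies:
        r = parse_response(pkt)
        if r and r["txid"] == txid and r["name"] == canary:
            suspects.append((src, r["ip"]))
    return suspects


def probe(broadcast="255.255.255.255", timeout=2.0):
    """Send a canary query on the wire and report who answers (needs a network;
    not exercised offline)."""
    canary, txid = random_name(), random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(canary, txid), (broadcast, 137))
    replies = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            replies.append((src, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return spoofer_check(canary, txid, replies)


def demo():
    """Offline run on constructed packets: a spoofer at 10.0.0.66 answers the
    canary; a real file server at 10.0.0.5 answers an unrelated query."""
    canary, txid = "XQZPLMW7V2", 0x1234
    spoofed = build_positive_response(canary, txid, "10.0.0.66")
    legit = build_positive_response("FILESRV01", 0x5678, "10.0.0.5")
    return spoofer_check(canary, txid, [("10.0.0.66", spoofed), ("10.0.0.5", legit)])


if __name__ == "__main__":
    print(demo())
```

A spoofer cannot tell a canary from a real lookup, which is why this detection works against any tool that answers every query it hears; the same idea is behind the encoded name "FHFAEBEECACACACACACACACACACACAAA" (WPAD) that shows up in captures of these attacks.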

    Here is a great article on exactly how easily this is done. There's no sense in re-inventing the wheel; these people did a great job of laying it all out, so I'll use their site as the example.
    http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
    Please give it a good read.

    From the site. Cracking the hash (a rainbow-table lookup of the first 8 bytes of the LM response):

    statistics
    -------------------------------------------------------
    plaintext found: 1 of 1 (100.00%)
    total disk access time: 0.36 s
    total cryptanalysis time: 3.40 s
    total chain walk step: 2876401
    total false alarm: 840
    total chain walk step due to false alarm: 825144
    result
    -------------------------------------------------------

    4f717259791a8a3d MYPASSW hex:4d595041535357


    Yes! 3.4 seconds to crack the hash!

    Run that through one more step and you get:

    Isolating accounts which have only had their LM response cracked.
    Account MYDOM\tim LM response added to cracking list.
    ...
    Loaded 1 password hash (LM C/R DES [netlm]) MYPASSWORD1 (MYDOM\tim)
    guesses: 1 time: 0:00:00:26 c/s: 515198 trying: MYPASSWORD1

    and one more step, a case-sensitive crack against the NTLMv1 response, to get the real password:

    Performing NTLM case-sensitive crack for account: MYDOM\tim.
    guesses: 1 time: 0:00:00:00 100.00% (ETA: Thu Mar 31 12:57:51 2011) trying: MyPassword1
    Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm]) MyPassword1 (MYDOM\tim) c/s: 3352

    You will note the first step takes 3.4 seconds. That is a rainbow-table lookup of the first 8 bytes of the LM challenge/response which, because the attacker playing the server picked a fixed challenge, depend only on the first seven characters of the upper-cased password: MYPASSW. John the Ripper's netlm mode then extends that to the full, case-insensitive password (MYPASSWORD1, 26 seconds), and its netntlm mode uses the NTLMv1 response to recover the case (MyPassword1) in no time at all. This is NTLMv1 with an LM response, the default on XP and Server 2003 clients. NTLMv2 cannot be attacked with the rainbow-table step, but a captured NTLMv2 response still goes straight into an offline password cracker. The tools to do this are readily available on the Internet for free.

    According to Microsoft the workaround is to configure account lockout after a number of failed login attempts. The problem is that with this exploit, as you can see, you already have the password when you attempt to log in, so you log in on the first try. The cracking happens offline, where lockout never applies.


    Active Directory and DNS Name Lookups

    Active Directory is designed to be a secure, centrally managed directory service. As mentioned earlier, Active Directory is actually three different services working together, using secure communications between the client and the services. Combined this way, Active Directory provides not only user login but also machine-name lookups, for machines on the internal network and, through its DNS servers, for names on the public Internet as well.

    When your machine boots it talks to a DHCP server to get an IP address, and along with the address it gets the network information it needs to communicate, including the DNS servers to use to resolve machine names to addresses. On a Windows domain those will normally be the Active Directory domain controllers, which also run DNS. So when your machine needs to look up a name it makes a point-to-point query to a domain controller and doesn't broadcast over the whole network. Login is handled by Kerberos 5. Kerberos doesn't send a password or a password hash over the wire at all: the client proves it knows the key derived from its password by encrypting the current time with it, and the KDC answers with tickets encrypted under keys the attacker does not hold. Tickets expire (10 hours by default in Active Directory), and a timestamp more than 5 minutes off the KDC's clock is rejected, so a captured ticket is only good until it expires. Nothing in the exchange can be turned into a plaintext password with a fixed-challenge rainbow table the way the LM/NTLMv1 response above can.

    Fixing the Problem

    Before disabling NBNS and NTLM, some issues need to be resolved and the internal DNS structure tested. It has been noticed by this engineer, looking at scan reports and asset lists, that machines are known and listed only by their NetBIOS name. In a lot of these reports there is a column for the FQDN but nothing is listed there, while there is always something listed under the NetBIOS Name column. This must change: if DNS cannot resolve every host by its FQDN, turning off NBNS will break things, and the fallback that makes spoofing possible will look like a necessity.

    DNS Name Resolution

    DNS name resolution standards are set in RFC 1591. A true FQDN (Fully Qualified Domain Name) must meet this structure. A lot of DNS structures within Fiserv do not meet this standard: we have domains ending with a made-up TLD (Top Level Domain) such as .local, .corp and .galaxy. These are not FQDNs; they are not "qualified" to the standard. Reverse lookups of IP addresses must be maintained as well.

    Application Audit Tool

    Here are some tools, and how to restrict NTLM.

    Audit tool and how-to:
    This is a really good article on how to audit applications and how to restrict NTLM access:
    http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
    Use it to find out which other servers and clients, if any, still use NTLM to talk to the server; audit first, because the NTLM block will cut those off.
    You may also need to modify any machines that talk to this server.

    NTLM Authentication on IIS

    How to disable NTLM on IIS:

    For Windows 2003 Server:

    First try to disable Integrated Windows Authentication on the web server.
    From:
    https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx?mfr=true

    This explains how to turn it on. Do the reverse.

    Procedure (Microsoft's steps for turning it on, with step 3 reversed to turn it off):

    1. In IIS Manager, double-click the local computer; right-click the Web Sites folder, an individual Web site folder, a virtual directory, or a file; and then click Properties.
       Note: configuration settings made at the Web Sites level are inherited by all of the Web sites on the server. You can override inheritance by configuring the individual site or site element.
    2. Click the Directory Security or File Security tab, and then, in the Authentication and access control section, click Edit.
    3. In the Authenticated access section, clear the Integrated Windows authentication check box.
    4. Click OK twice.

    Keep in mind that Integrated Windows authentication covers both Kerberos and NTLM, so clearing it removes both; a site that needs domain logon will then need another authentication method.

    More info:
    https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

    For Windows 2008 Server:
    See:
    http://technet.microsoft.com/en-us/library/jj865668%28v=ws.10%29.aspx
    See sections:
    "Restricting incoming NTLM traffic to a remote server" and "Configure the network security policy Restrict NTLM: Incoming NTLM traffic".

    Disabling NTLM on any Windows Server 2003 to 2008R2

    Below are the links for the registry settings that restrict NTLM and use DNS only for name lookups. These are additions to the registry. There is also a link on how to disable NetBIOS on the interface.

    UseDnsOnlyForNameResolutions registry setting
    See for details:
    http://technet.microsoft.com/en-us/library/cc780885%28v=ws.10%29.aspx

    NetBios Interface Options
    See for details:
    http://technet.microsoft.com/en-us/library/cc776524%28v=ws.10%29.aspx
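To check a server against the registry-level fixes in this section (restricting NTLM, turning off NetBIOS on the interfaces) before and after the change, here is an added example, not code from this page or from Microsoft, that audits a `reg export` dump. The key paths and value meanings are Microsoft's documented ones (LmCompatibilityLevel and NoLMHash under Control\Lsa; RestrictReceivingNTLMTraffic and AuditReceivingNTLMTraffic under Lsa\MSV1_0, which exist only from Windows 7 / Server 2008 R2 on; EnableMulticast for LLMNR; NetbiosOptions per NetBT interface). The two sample exports and the interface GUID in them are constructed; the choice of 5 for LmCompatibilityLevel and 2 for the NTLM restriction is the strictest setting, which is an assumption about what a given server can tolerate and is exactly why the audit article above comes first.

```python
"""Audit a `reg export` dump for the settings that make NBNS/NTLM spoofing pay off.
Added example; not from the original page. Sample exports are constructed."""
import re

# (regex on the lower-cased key path, value name, test on the DWORD, what it should be)
CHECKS = [
    (r"\\control\\lsa$", "LmCompatibilityLevel", lambda v: v is not None and v >= 5,
     "5: send NTLMv2 only, refuse LM and NTLMv1 (below 3 the client still sends the LM response cracked above)"),
    (r"\\control\\lsa$", "NoLMHash", lambda v: v == 1,
     "1: stop storing the LM hash at the next password change"),
    (r"\\control\\lsa\\msv1_0$", "RestrictReceivingNTLMTraffic", lambda v: v == 2,
     "2: deny all incoming NTLM (Windows 7 / 2008 R2 and later only)"),
    (r"\\control\\lsa\\msv1_0$", "AuditReceivingNTLMTraffic", lambda v: v == 2,
     "2: audit all incoming NTLM before denying it"),
    (r"\\windows nt\\dnsclient$", "EnableMulticast", lambda v: v == 0,
     "0: disable LLMNR, the multicast cousin of NBNS"),
    (r"\\netbt\\parameters\\interfaces\\tcpip_[^\\]+$", "NetbiosOptions", lambda v: v == 2,
     "2: disable NetBIOS over TCP/IP on this interface"),
]


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name_lowercase: int}} for DWORD values.
    `reg export` writes UTF-16 with a BOM; read the file with encoding='utf-16'."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            values.setdefault(key, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key is not None:
            values[key][m.group(1).lower()] = int(m.group(2), 16)
    return values


def audit(values):
    """One finding string per check that is not in its hardened state. An absent
    value is reported too: the OS default then applies, and on XP / Server 2003
    (the page's targets) the default for every setting here is the weak side."""
    findings = []
    for key_re, name, ok, want in CHECKS:
        matched = [k for k in values if re.search(key_re, k)]
        if not matched:
            findings.append(f"key matching {key_re} not in export: {name} absent; want {want}")
            continue
        for k in matched:
            v = values[k].get(name.lower())
            if not ok(v):
                shown = "absent (OS default)" if v is None else str(v)
                findings.append(f"{k}\\{name} = {shown}; want {want}")
    return findings


# Constructed sample: a Server 2003-style box with everything at the defaults.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
"NoLMHash"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{2B7C1A00-0000-4000-8000-000000000001}]
"NetbiosOptions"=dword:00000000
"""

# Constructed sample: the same box after the fixes in this section.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005
"NoLMHash"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictReceivingNTLMTraffic"=dword:00000002
"AuditReceivingNTLMTraffic"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{2B7C1A00-0000-4000-8000-000000000001}]
"NetbiosOptions"=dword:00000002
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(parse_reg_export(dump)) or "no findings")
```

On a real server, export the four keys with `reg export` (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, HKLM\SYSTEM\CurrentControlSet\Services\NetBT, and HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient), read them with encoding='utf-16', concatenate the text and feed it to parse_reg_export. Note that NoLMHash only stops the LM hash being stored at the next password change, and that the NetBIOS setting is per interface, so a newly added NIC comes back with NetBIOS on.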