Most of us already know the basic principle of authentication, which, in its simplest form, helps us to identify and verify a user, process, or account. In an Active Directory environment, this is commonly done through the use of an NTLM hash. When a user wants to access a network resource, such as a file share, their password is hashed and sent over a cryptographically secure channel to the resource.

During the authentication process, this is typically used as the method to verify the identity of the user. These hashes can be as good as gold from an attacker's perspective, especially when they can be obtained "on-demand" through coercion. Authentication coercion is when an attacker is able to force a machine to initiate an authentication attempt back to their "attacker" machine.

Many times, this response comes in the form of an NTLM hash, as noted previously. PKF O'Connor Davies' penetration testing team regularly leverages stolen NTLM hashes during client penetration tests to move laterally and escalate privileges. The remainder of this article will provide a technical deep dive into these tactics, techniques, and procedures used by penetration testers and attackers, as well as the mitigations an organization can implement to prevent this type of abuse.

How NTLM Hashes Are Used

Once a hash is stolen, an attacker can use a group of available tools to discover a hash collision, which will reveal the plaintext credentials. Alternatively, the NTLM hashes can sometimes be used in relay attacks. Commonly known as a "Pass the Hash" attack, this occurs when an attacker receives an authentication request in the form of an NTLM hash and forwards it to a resource of their choice. The attacker is then able to authenticate as the targeted user by using the relayed hash. This gets especially dangerous when administrative credentials are relayed. Fortunately, these hashes are typically quite hard to obtain if the attacker is not already inside the network.

Internally, the highest risk of hash disclosure is through the use of Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Server (NBNS) protocols. While these are considered outdated and "legacy" protocols, they are commonly overlooked and are still present in many Windows environments because they are enabled by default. These come into play when a machine can't resolve a host to which it is attempting to authenticate. After checking the internal host list and querying DNS, it will fall back and send out a LLMNR or NBNS request to the entire subnet looking for the host. Attackers will use tools like Responder or Inveigh to listen to these requests and then spoof responses saying, "it's me, I'm the machine you're looking for!". This results in the hash being sent as part of the authentication request directly to the attacker's machine.

LLMNR poisoning flow. Step 1: the victim sends a DNS query to the DNS server. Step 2: the DNS server returns a failure. Step 3: the victim broadcasts an LLMNR query to the subnet. Step 4: the attacker sends a spoofed response claiming to be the requested host. Step 5: the victim discloses its NTLM hash to the attacker.
After DNS resolution fails, the victim falls back to a broadcast LLMNR/NBNS query that the attacker answers — coercing the NTLM hash straight to the attacker's machine.

This process often relies on sheer luck. The attacker usually has to wait for machines on the network to generate these requests so responses can be spoofed and hashes can be obtained. But in certain cases, it is possible to force a system to attempt authentication, rather than simply waiting around for a vulnerable request.

Authentication Coercion Basics

One of the most common methods of forcing authentication within the security community is known as PetitPotam. The principle of this attack utilizes the Encrypting File System Remote Procedure Call (MS-EFSRPC) to coerce a Domain Controller into disclosing NTLM hashes to the attacker. The MS-EFSRPC protocol is used to allow users remote access to data stored on a network. By sending a specific SMB request to a Domain Controller's MS-EFSRPC interface, the authentication process is initiated, which then leads to disclosure of the Domain Controller's machine account hash. This machine account hash can then be relayed to other services on the network, such as the Certificate Enrollment service, to obtain administrative privileges over the entire domain.

Another recent example of an authentication coercion vulnerability is DFSCoerce. Similar to the PetitPotam attack, it instead uses the MS-DFSNM protocol which enables remote administration for the Windows Distributed File System (DFS). Again, remote procedure calls are used as the method of initiating the attack, resulting in the forced disclosure of an NTLM hash over the network. These are not the only examples of authentication coercion vulnerabilities affecting Windows environments, and this is an active area of information security research.

Authentication Coercion in MSSQL

One of the most overlooked methods of authentication coercion utilizes misconfigurations in Microsoft SQL Servers. While not a new method for attackers and is not a vulnerability in the software itself, it relies on the misconfiguration of two stored procedures present by default in MSSQL. This is an example of malicious actors "living off the land," and abusing misconfigurations in a given system, rather than relying on any specific technical vulnerability. This technique is regularly identified and exploited during penetration tests as a mechanism for lateral movement and privilege escalation.

When configuring an MSSQL server, the administrator must choose an account for the server to run as. Many times, this is a domain-joined service account, or a local administrator account. Usually, these accounts have elevated privileges to run the processes needed by the SQL server. This makes these accounts especially juicy in the eyes of an attacker. The technique outlined below will allow an attacker to obtain the password hash of the account running the database server.

The xp_dirtree and xp_fileexists stored procedures allow database administrators and developers to generate a list of all files in a chosen directory and verify the existence of a specific file in a directory, respectively. MSSQL servers are commonly misconfigured with these stored procedures being executable by the PUBLIC role, allowing any authenticated account to make calls to the procedure. The only prerequisite to call these procedures is that access to the SQL database is required. An attacker would either need an account on the database server or need to have identified an SQL injection point in an application supported by the MSSQL server. Calling either procedure is fairly straightforward and requires only a few parameters. For the xp_dirtree procedure, the directory and the depth must be specified. The xp_fileexists procedure call only requires a filename, which then returns whether the file exists or not.

The interesting thing about both procedures is that they are not restricted to the local machine or current working directory — they can be used to connect to external file shares. It is possible for an authenticated attacker to force the SQL server to attempt to connect to any machine, even over the internet.

Knowing this, a Metasploit module can be used to abuse this feature: by directing the server to authenticate to an attacker-controlled machine, the NTLM hash of the account running the SQL server is captured. Similarly, this technique can be exploited via SQL injection in a vulnerable application that is supported by a misconfigured SQL server.

Potential Risks

Once obtained, there are a few things which can be done with the machine's NTLM hash. The first is that an attacker can take the compromised NTLM hash and attempt to crack it offline with a utility, such as Hashcat. If the account has a long and complex password, it will be very difficult to crack the password in a reasonable amount of time. Relaying the hash is the other option which an attacker may attempt to utilize. If the account is a domain account with elevated permissions, it can be used to log into other machines and move laterally across the network. Oftentimes, the SQL server service account can be relayed to other SQL servers on the internal network to obtain additional access.

Attack Avoidance

This attack chain is preventable, however, and an attacker can be stopped in their tracks by using several different methods.

Takeaway

When most of us think of a "hack," we think of some exploit in technology, or a vulnerability in software being used as the method of entry. It is important to realize that misconfigurations can be just as dangerous and are just as commonly abused as technical vulnerabilities. Outdated protocols, incorrect permissions, password reuse, lack of SMB signing, and lack of outbound traffic restrictions are great examples of misconfigurations which can lead to your network being compromised just as easily as an unpatched system.

About the author — Scott Fingar (PNPT, eCPPT) is a Senior Cybersecurity Analyst and skilled infrastructure penetration tester. His experience also includes cybersecurity gap assessments and controls testing, helping companies understand where they stand against best practices.

This article was originally published as a guest piece on Tripwire's State of Security.

← back to all articles