Why Hackers Should Learn Active Directory
TCM Security
A veteran-owned cybersecurity company focused on penetration testing, security training, and compliance.
Welcome to The Cyber Mentor (TCM) Newsletter! We share practical advice and information to help beginners land an infosec role and support them as they grow into the next generation of cyber professionals.
Active Directory is a powerful tool, used by nearly 95% of Fortune 1000 companies. However, it is often overlooked as an attack vector. In this article, we review a few ways that Active Directory can be exploited and ways to defend your network from these attacks.
Active Directory Vulnerability: LLMNR Poisoning
LLMNR is a protocol that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local network without requiring a DNS server or DNS configuration.
When a host’s DNS query fails (i.e., the DNS server doesn’t know the name), the host multicasts an LLMNR request on the local network to see if any other host can answer. This is where the weakness lies: LLMNR has no authentication mechanism, so any host on the segment can answer any request, which opens the door to attacks like LLMNR poisoning.
LLMNR is the successor to NetBIOS. NetBIOS (Network Basic Input/Output System) is an older protocol that was heavily used in early versions of Windows networking.
NBT-NS is a component of NetBIOS over TCP/IP (NBT) and is responsible for name registration and resolution. Like LLMNR, NBT-NS is a fallback protocol when DNS resolution fails. It allows local name resolution within a LAN.
In an LLMNR poisoning attack, a malicious actor listens for LLMNR requests and answers them with their own IP address (or another IP of their choosing), redirecting the victim’s traffic to a host they control. This can lead to credential theft and relay attacks. Once an attacker holds a victim’s password hash, it’s only a matter of time before they are inside your network.
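Because a legitimate host only answers LLMNR queries for names it owns, a query for a name that cannot exist should never get a reply; anything that does answer is behaving like a poisoner. The following is an added detection example written for this newsletter and is not TCM’s code or tooling: it builds an LLMNR query (which reuses the DNS wire format) for a random canary name, sends it to the LLMNR multicast group 224.0.0.252 on UDP 5355, and returns the addresses of any hosts that reply. The function names are my own; the multicast address and port are the protocol’s.

```powershell
# Added detection example (not from the TCM article). Sends an LLMNR query for a
# name that cannot exist and reports anything that answers it.

function New-LlmnrQuery {
    param([string]$Name, [byte[]]$TransactionId)
    # LLMNR reuses the DNS message format: a 12-byte header followed by the question.
    $pkt = New-Object System.Collections.Generic.List[byte]
    $pkt.AddRange($TransactionId)                              # ID (2 bytes)
    $pkt.AddRange([byte[]](0x00, 0x00))                        # flags: standard query
    $pkt.AddRange([byte[]](0x00, 0x01))                        # QDCOUNT = 1
    $pkt.AddRange([byte[]](0x00, 0x00, 0x00, 0x00, 0x00, 0x00)) # ANCOUNT/NSCOUNT/ARCOUNT = 0
    foreach ($label in $Name.Split('.')) {                     # QNAME as length-prefixed labels
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $pkt.Add([byte]$bytes.Length)
        $pkt.AddRange($bytes)
    }
    $pkt.Add([byte]0)                                          # end of QNAME
    $pkt.AddRange([byte[]](0x00, 0x01))                        # QTYPE  = A
    $pkt.AddRange([byte[]](0x00, 0x01))                        # QCLASS = IN
    return $pkt.ToArray()
}

function Test-LlmnrPoisoning {
    param([int]$TimeoutMs = 3000)
    # Constructed canary name: nothing on the network legitimately owns it.
    $name = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 10)
    $txid = [byte[]]((Get-Random -Maximum 256), (Get-Random -Maximum 256))
    $query = New-LlmnrQuery -Name $name -TransactionId $txid

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    $udp.Send($query, $query.Length, $group) | Out-Null

    $responders = @()
    $deadline = (Get-Date).AddMilliseconds($TimeoutMs)
    while ((Get-Date) -lt $deadline) {
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        try { $data = $udp.Receive([ref]$remote) } catch { break }   # timeout: no more replies
        # A reply to our query echoes the transaction ID and has the QR bit set.
        if ($data.Length -ge 12 -and $data[0] -eq $txid[0] -and $data[1] -eq $txid[1] -and ($data[2] -band 0x80)) {
            $responders += $remote.Address.ToString()
        }
    }
    $udp.Close()
    return $responders   # empty array = nothing answered the canary
}

$hits = Test-LlmnrPoisoning
if ($hits.Count -gt 0) { Write-Warning "LLMNR responder(s) on this segment: $($hits -join ', ')" }
else { Write-Output "No host answered the canary name." }
```

Run it periodically from a workstation on each VLAN; a non-empty result identifies the host that is answering for names it does not own, which is the behaviour the article describes. Because LLMNR replies are unicast back to the querying port, the script only sees answers addressed to it, so a quiet network produces an empty result rather than noise.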
To learn more about how to infiltrate Active Directory utilizing LLMNR poisoning, visit our blog.
Protect Active Directory: Disable LLMNR and NBT-NS
The primary way to prevent LLMNR poisoning is by disabling LLMNR and NBT-NS. To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
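The Group Policy setting above writes a registry value on each machine it applies to, and NBT-NS has no single policy switch because NetBIOS over TCP/IP is configured per network interface. The script below is an added example for this newsletter, not TCM’s code: it applies both settings directly to one host and then reads them back so the change can be verified. The function names are my own; the registry paths and value names are the ones Windows uses for these settings. Run it in an elevated PowerShell session; in a domain, push the same values through the GPO described above rather than per host.

```powershell
# Added example (not from the TCM article): disable LLMNR and NBT-NS on one host
# and verify the result. Requires an elevated PowerShell session.

# Policy-backed value behind "Turn OFF Multicast Name Resolution"
# (Computer Configuration > Administrative Templates > Network > DNS Client).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Disable-Llmnr {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

# NetBIOS over TCP/IP is set per interface. NetbiosOptions: 0 = use DHCP setting,
# 1 = enabled, 2 = disabled.
$nbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-NbtNs {
    Get-ChildItem -Path $nbtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

function Get-NameResolutionHardening {
    # $null here means "not configured", which leaves LLMNR enabled.
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-ChildItem -Path $nbtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions).NetbiosOptions
        }
    }
    [pscustomobject]@{
        LlmnrDisabled      = ($llmnr -eq 0)
        NbtNsDisabledOnAll = -not ($nbt | Where-Object { $_.NetbiosOptions -ne 2 })
        Interfaces         = $nbt
    }
}

Disable-Llmnr
Disable-NbtNs
Get-NameResolutionHardening | Format-List
```

The read-back function is the useful part for an audit: run it alone (without the two `Disable-` calls) across a fleet with `Invoke-Command` and any host reporting `LlmnrDisabled = False` or `NbtNsDisabledOnAll = False` is still answering the fallback name-resolution traffic that poisoning depends on. Note that a value of 0 in `NetbiosOptions` defers to DHCP option 001, so an interface can show 0 and still have NetBIOS enabled unless the DHCP scope also disables it.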
If a company cannot disable LLMNR/NBT-NS for some reason, the best course of action is to:
Understanding protocols like LLMNR and NBT-NS is paramount to protecting your systems. While these protocols were designed to simplify name resolution on local networks, their inherent vulnerabilities can inadvertently create gateways for attackers. The lack of authentication in both LLMNR and NBT-NS responses leaves networks susceptible to spoofing and man-in-the-middle attacks.
Active Directory Vulnerability: SMB Relay Attacks
Server Message Block (SMB) is a network file sharing protocol. It lets applications read and write files and request services from server programs across a network. Widely adopted in Windows environments, SMB provides shared access to resources like files and printers.
However, when paired with NTLM (NT LAN Manager) authentication and left unsecured, it becomes a prime target for relay attacks. In essence, attackers manipulate the protocol’s inherent trust in network users.
The core vulnerability of SMB to relay attacks stems from its authentication mechanism, especially when using NTLM. When a user seeks access to a shared resource, SMB initiates a connection and authenticates the user. An attacker positioned to receive that authentication attempt can relay it to a different server and impersonate the user there. Without SMB signing, the receiving server has no way to validate where the authentication request originated or which host it was meant for, which is what lets the relayed session be accepted.
Requirements for a successful SMB relay attack:
Visit our blog to see how an SMB relay attack is executed.
Defend Active Directory: Enable SMB Signing on All Devices
Enabling SMB signing on all devices completely stops SMB relay attacks.
To enforce SMB signing, enable the following policies in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:
On the client side:
On the server side:
Enabling SMB signing can cause performance issues with file copies and legacy devices using SMBv1. If a company cannot enforce SMB signing on all devices, the best course of action is to:
These actions are considered best practice and should be implemented, regardless of the decision to enforce, or not enforce, SMB signing.
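The two Security Options policies referenced above are reflected in the SMB client and server configuration of each host, which the SmbShare cmdlets can read and set. The script below is an added example for this newsletter, not TCM’s code: it records the signing state of a host, enforces signing on both the client and server side, and lists which current SMB sessions are actually signed. The function names are my own; the cmdlets and property names are the ones Windows ships. Run it in an elevated session, and prefer the GPO path for fleet-wide enforcement so the setting survives a local change.

```powershell
# Added example (not from the TCM article): audit and enforce SMB signing on one
# host. Requires an elevated PowerShell session with the SmbShare module
# (present on Windows 8 / Server 2012 and later).

function Get-SmbSigningState {
    # RequireSecuritySignature is the setting behind the two
    # "Digitally sign communications (always)" policies under Security Options.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ClientRequires = $client.RequireSecuritySignature
        ServerRequires = $server.RequireSecuritySignature
        Smb1Enabled    = $server.EnableSMB1Protocol   # legacy dialect the article warns about
    }
}

function Enable-SmbSigning {
    # -Force suppresses the confirmation prompt so this can run unattended.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Get-UnsignedSmbSessions {
    # Shows which outbound sessions from this host are negotiated without signing;
    # the remote server names are the hosts still exposed to relay.
    Get-SmbConnection | Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, Dialect, Signed
}

$before = Get-SmbSigningState
Enable-SmbSigning
$after = Get-SmbSigningState

"Before:"; $before | Format-List
"After:";  $after  | Format-List
"Outbound sessions still unsigned:"; Get-UnsignedSmbSessions | Format-Table -AutoSize
```

For a fleet audit, run only `Get-SmbSigningState` remotely, for example `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-SmbSigningState}`, and treat any host where either value is `False`, or where `Smb1Enabled` is `True`, as a relay target that still needs the policy applied. The `Get-UnsignedSmbSessions` output is a quick way to see the legacy devices the article mentions: they are the servers that keep showing up with `Signed = False` after the client-side policy is in place.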
Learn More About Hacking (and Defending) Active Directory
LLMNR poisoning and SMB relay attacks are just two of the ways Active Directory is vulnerable to threat actors. If you want to learn more about Active Directory exploits, vulnerabilities, and remediation, join our one-day live training on Friday, April 26th. Spots are limited, so register today!
Keep up with TCM Security by following us on LinkedIn; we host a livestream every Wednesday. If you want more information on LLMNR poisoning and SMB relay attacks, Heath Adams walked through a few examples on yesterday’s livestream.
You can also join our email list to be informed of the latest news and updates.
Cyber Security Consultant | Owner of Intricate Security | Helping secure you!
7 months
Responder and ntlmrelayx are the first things we spin up in our clients’ environments when we are testing. Can guarantee hits on it.
Credly Top Legacy Badge Earner | ISO/IEC FDIS 42001 | ISO/IEC 27001:2022 | NVIDIA | Google | IBM | Cisco Systems | Generative AI
7 months
Thank you for the info.
Cybersecurity Analyst | Digital Forensics | Jr. Penetration Tester (TryHackme) | ISC2 CC | Aspiring Security Architect
7 months
Great post! LLMNR poisoning and SMB relay attacks are important concepts to understand for anyone working in IT security. Disabling LLMNR/NBT-NS and enabling SMB signing are excellent steps to take to mitigate these vulnerabilities. I look forward to learning more about Active Directory exploits from TCM Security.