Why Pass-the-Hash attacks still work? - windows

Default authentication package for windows domain authentication is Kerberos. But it is possible to perform pass-the-hash by using Windows Credentials Editor, for example (even in Windows 8). WCE works with NTLM credentials, and attack is possible despite the fact that default protocol is Kerberos. Why?
Am I wrong or client can somehow initiate NTLM authentication?

The short is that yes it is possible to initiate NTLM auth.
For MS, it is not possible to fix it completely because that would break the backward compatibility.
You can read more about it on this thread http://www.reddit.com/r/netsec/comments/1ypdo1/sorry_microsoft_pass_the_hash_on_windows_81_still/

Related

Rust (the survival game) RCON password alternative

So I have a webapp that manages my rust servers. I need to provide the rcon password in order to use rcon. But for that I need to store the password in my database.
Is there an alternative way to make a connection to rcon, like using OAuth tokens or anything that I'm not aware of? Without saving the password that is a major security issue.
Rust Servers (The game) uses a websocket server for the rcon and does not support OAuth. So NO. There is no alternative method authenticating as the password is expected as a path in the websocket connection URL.
ws://ip:port/password

Does Powershell's -UseDefaultCredentials use Kerberos?

In Azure DevOps services, when you connect an agent to the server, you have different types of ways to authenticate to the server. You can see here for example, about connecting a Linux agent, that you have these 4 types:
Alternate (Basic authentication)
PAT
Negotiate - Connect as a user other than the signed-in user via a scheme such as Kerberos or NTLM.
Integrated - Not supported in Linux
The integrated type is mentioned in the page about connecting a Windows agent as "Windows default credentials"
Bare with me please.
In my organization, we have a Active Directory domain with a Single-Sign-On, I suppose it uses Kerberos as the authentication protocol. Sometimes I use Powershell scripts to access the API of our internal Azure DevOps Server, and I use the -UseDefaultCredentials flag so the user won't have to enter username and password - it will just authenticate based on the logged-in user.
That got me thinking that the -UseDefaultCredentials flag is using Kerberos to authenticate.
But from the above, it seems that Integrated is using "Default credentials", which is something else than "Negotiate" which uses Kerberos.
Can someone help me understand this?
The UseDefaultCredentials flag tells the underlying system to try and use the caller's SSO credentials, which in most cases is the credential used to log into the system interactively or otherwise.
Strictly speaking it does not indicate which protocol to use. What it's actually saying is "dear system internals: please figure it out for me". The way this works is by selecting the negotiate protocol, which as it's name suggests negotiates the use of specific authentication protocols based on the client credentials as well as information from the server. This is called the SPNEGO protocol. It is transparent to the caller.
SPNEGO is fairly simple in nature. The client has a list of known authentication protocols (Kerberos, NTLM, etc.) and will send that list to the server saying 'pick one please'. The server can select any of them and respond telling them what to use, and the client then goes and uses it. Fin.
SPNEGO is also relatively smart because it can reasonably predict what it thinks the server will accept and will attempt to optimistically provide a token up front using the first protocol in the list. So if it thinks it needs Kerberos it'll go and get a Kerberos ticket up front and send it first. The server might think that's fine, or it might fail and return a response saying
"no, I really need NTLM", and so the client tries again with NTLM.

Issuing HTTP requests using IE proxy with AD authentication

In a corporate desktop scenario, where the user is logged in to an Active Directory domain, I'd like my application to issue HTTP requests using the same proxy as Internet Explorer uses. The problem is that the proxy requires NTLM authentication using the credentials of the currently logged in user, which is something I don't know how my application could acquire.
Besides asking the user for his/her password (for which I found a lot of solutions), is there a way to do it the right, like using some native API? I'm not picky about programming languages in this case, if it works in this scenario, I accept it, although I'd prefer C/C++.
Since you are on Windows, and you are using domain logins, you should rather rely on Kerberos. Anyway, you now several options:
If you use WinHTTP , you simple have to enable it.
Use libcurl on Windows and it will compile with SSPI support by default.
If you use sockets by yourself, you have to call SSPI with the Negotiate package and exchange tokens per HTTP all by yourself.

NTLM authentication to AD FS for non-IE browser without 'Extended Protection' switched off?

When using NTLM authentication to AD FS 2.0, from Google Chrome or Firefox 3.5+ running on Windows, then this results in a repeated sign-in dialog and finally sign-in failure, with 'Audit Failure' events with "Status: 0xc000035b".
This can be 'solved' by switching off 'Extended Protection' for the "/adfs/ls" web application in IIS. This is documented in several places; see my answer to another StackOverflow question for details.
My question is: How can one make NTLM authentication to AD FS work for these browsers without switching off 'Extended Protection'? I mean, in Internet Explorer this works fine with 'Extended Protection' on, why don't Chrome or Firefox? Or is this a Chrome/Firefox implementation bug/restriction, e.g., in their use of the Windows NTLM library?
Update: I should have mentioned that I'd like to do this without forcing people to make changes in their browser settings.
According to
http://technet.microsoft.com/en-us/library/hh237448(v=ws.10).aspx
http://support.microsoft.com/kb/2461628/en-us
this is a Chrome / Firefox / Safari implementation restriction if
the client is running Windows 7 and the server has ExtendedProtectionTokenCheck set to
Require or Allow
the client is running Windows XP or Vista - without appropriate updates(!) and the server has ExtendedProtectionTokenCheck set to
Require
Maybe you can suppress Extended Protection on your clients with this:
http://support.microsoft.com/kb/976918/en-us
[...]
To control the extended protection behavior, create the following
registry subkey:
Key Name: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: SuppressExtendedProtection
Type: DWORD
For Windows clients that support channel binding that are failing to
be authenticated by non-Windows Kerberos servers that do not handle
the CBT correctly:
1. Set the registry entry value to “0x01.”This will
configure Kerberos not to emit CBT tokens for unpatched applications.
2. If that does not resolve the problem, then set the registry entry
value to “0x03.”This will configure Kerberos never to emit CBT
tokens.
[...]
Extended Protection was designed to prevent kerberos ticket replay attacks.
As I understand it, it works in IE because the default for ADFS is Windows Integrated Authentication which IE handles "under the hood".
When I investigated this a while back, if I remember correctly, there is a workaround for Firefox.

Login without username and password from the web browser on Windows

I heard that on Windows you can login from a web browser to the web server without going through the usual login entering username and password but using instead the credentials from Windows directly, using the NTLM protocol.
How is this achieved? Does the web server need to support some additional authentication?
Update: I'm asking for a generic web server, not just IIS. How to do that on Apache for instance?
The webserver just needs to be configured to support Windows authentication (which will be NTLM, or - better - Kerberos if both client and server are W2K or later). I believe that IIS or Apache can be configured to do that.
The browser also has to support this - at least IE does so (not sure about the others, it may be possible). edit: looks like firefox has some support for this too, and safari on MacOS
edit: for details on apache, google modules for NTLM authentication. Kerberos modules also exist. as per other answers, this really only works on an Intranet - not just because the browser needs to be in an Intranet zone (only applies to IE), but because any intervening firewall will typically stop this working, and because the necessary interdomain trusts will probably not exist. It's also a bit trickier to make work if the apache server is on UNIX, and especially if you also have Kerberos servers on UNIX in the mix, but still possible.
It will only be seamless in a specific situation; namely the webserver needs to support NTLM (for example, IIS), and it needs to be in a zone that the client is configured to trust (The "Intranet Zone" in IE parlance, unless the end user has tweaked their settings)
If your webserver and client pc's are on a network secured by Active Directory or similar, you can set 'Windows Integrated Security' in IIS on the web server for the website which automatically logs in all I.E clients (That are allowed).
As stated previously, NTLM is typically used if your back end is Windows Managed (MS Active Directory). However, there are also modules available for Apache that will tie into this: mod_ntlm.
Since this is it's own protocol, it is required that the browser is able to understand this protocol and reply to the authentication challenges. I don't know which browsers support this off hand, but my assumption would be that most do.
From my experience, kerberos is more of a prefered method, but I have not worked with it much, so unfortunately, I don't have much advise as far as that goes.
On a side note, I recall reading somewhere that the JRE also has ways of tying into NTLM on your web server in order to obtain identity information for the authenticated user. As stated previously, .NET has support for this as well.
Also, Firefox does not support NTLM by default but it can be configured using the following tut: http://www.crossedconnections.org/w/?p=89
If you set the IIS settings to require authentication then your users will need to log in to access the page. They then have any rights (if not an interface) to anything on that server that they would if they logged in the normal way (from the console).
Other than this, I am not sure what you are referring to.
Yes this is possible. It is often used in intranet applications where users are. windows uses NTLM or Kerberos to authorize the user against a central service, typically Active Directory on the windows platform. On the .NET platform the current user information can be accessed through the System.Threading.Thread.CurrentPrincipal.Identity instance.
You might also want to look into Jespa. It seems a little bit more straight forward than Kerberos but provides good ntlm sso capabilities.
I was looking for more information about Kerberos (because NTLM, even v2, become deprecated with AD 2008), and I found this article, explaining how make it work with Apache (as you mentionned it).
http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
This question is probably outdated (or at least solved), but if it can help someone ...

Resources