During an offensive security engagement it may not be a major vulnerability that leads to your end-goal, but a combination of lower severity findings compounded to make a larger impact. This post discusses information disclosure through NTLM authentication, which is one of those smaller vulnerabilities that can lead to greater attacks under the right circumstances. Additionally, we will demonstrate methods for invoking an NTLM challenge response, even when no login page is present, to coerce this information.

在进行进攻性安全工作期间，它可能不是导致最终目标的主要漏洞，但严重程度较低的发现加在一起会产生更大的影响。 这篇文章讨论了通过NTLM身份验证进行的信息泄漏，这是在适当情况下可能导致更大攻击的较小漏洞之一。 此外，即使没有登录页面，我们也将演示用于调用NTLM质询响应的方法来强制此信息。

总览 (Overview)

NTLM is a challenge/response authentication protocol utilized by Windows systems in which the user’s actual password is never sent over the wire. Instead, the requesting client receives a challenge response from the server and must perform a calculation that proves their identity. I am far over simplifying this process, but the diagram below is a good example of how this authentication scheme works in a Windows AD environment.

NTLM是Windows系统使用的质询/响应身份验证协议，其中用户的实际密码永远不会通过网络发送。 相反，发出请求的客户端从服务器接收质询响应，并且必须执行证明其身份的计算。 我简化这个过程远远不止于此，但是下图是该身份验证方案在Windows AD环境中如何工作的一个很好的例子。

Now, how does this help in getting sensitive internal information? Once a target is identified as using NTLM authentication, we can initiate a connection and send anonymous (null) credentials, or the magic string “TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”, that will prompt the server to respond with an NTLM Type 2 challenge response. This response message can be decoded to reveal information about the server, such as: NetBIOS, DNS, and OS build version information:

现在，这如何帮助获取敏感的内部信息？ 一旦目标被识别为使用NTLM身份验证，我们就可以启动连接并发送匿名(空)凭据或魔术字符串“ TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAAAAAAAA =”，这将提示服务器以NTLM Type 2质询响应进行响应。 可以对该响应消息进行解码以显示有关服务器的信息，例如：NetBIOS，DNS和操作系统内部版本信息：

Target_Name: DEMO NetBIOS_Domain_Name: DEMO NetBIOS_Computer_Name: SRV01 DNS_Domain_Name: demo.local DNS_Computer_Name: srv01.demo.local DNS_Tree_Name: demo.local Product_Version: 6.3.9600

影响力 (Impact)

During a penetration test this can be used to identify internal naming conventions, determine end-of-life operating systems, and discover internal DNS names. To describe one potential use-case for this data, the domain suffix, found in the decoded response, is often required for password spraying attacks against Outlook web applications. Targeting OWA is a common technique used by hackers to identify valid domain credentials, and made possible through this exposure.

在渗透测试期间，这可以用于标识内部命名约定，确定寿命终止的操作系统以及发现内部DNS名称。 为了描述此数据的一种潜在用例，对Outlook Web应用程序进行密码喷雾攻击时，通常需要在解码后的响应中找到域后缀。 定向OWA是黑客用来识别有效域凭据的一种常用技术，并且通过这种暴露成为可能。

Although not the most prestigious vulnerability, if found against a bug bounty target, you may be able to leverage this internal disclosure for a few quick points:

尽管不是最负盛名的漏洞，但如果针对漏洞赏金目标发现了此漏洞，则您可以在以下几点上利用这一内部披露：

开发 (Exploitation)

Typically, when visiting a website or directory requiring privileged access, the server will initiate a login prompt. This allows the client to send blank username and password values to check for NTLM authentication and receive the encoded response. However, if the target server is configured to allow windowsAuthentication, it may be possible to invoke this response without a login prompt. This can be done by adding “Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=” to the request headers.

通常，当访问需要特权访问的网站或目录时，服务器将启动登录提示。 这允许客户端发送空白的用户名和密码值，以检查NTLM身份验证并接收编码的响应。 但是，如果将目标服务器配置为允许Windows身份验证，则可以在没有登录提示的情况下调用此响应。 这可以通过在请求标头中添加“授权：NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAAAAA =”来完成。

Once an NTLM challenge is returned in the “WWW-Authenticate” value of the response headers, it can be decoded to capture internal information. I personally use Burp’s NTLM Challenge Decoder, but multiple other scripts have been written that can perform these actions.

在响应头的“ WWW-Authenticate”值中返回NTLM质询后，就可以对其进行解码以捕获内部信息。 我个人使用的是Burp的NTLM挑战解码器，但是已经编写了可以执行这些操作的多个其他脚本。

奖金回合 (Bonus Round)

Few may know the trick of adding the “Authorization” header to prompt a response from the server, but I recently discovered NTLM in other protocols that can be exploited using a similar approach. Through Telnet we can interact with other services, outside of the browser, to force an NTLM challenge response and decode this value to attain the same information.

很少有人知道添加“ Authorization”标头来提示服务器响应的技巧，但是我最近发现了其他协议中的NTLM，可以使用类似的方法加以利用。 通过Telnet，我们可以与浏览器之外的其他服务进行交互，以强制执行NTLM质询响应并对该值进行解码以获取相同的信息。

SMTP (SMTP)

root@kali: telnet example.com 587 220 example.com SMTP Server Banner >> HELO 250 example.com Hello [x.x.x.x] >> AUTH NTLM 334 NTLM supported >> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

IMAP (IMAP)

root@kali: telnet example.com 143 * OK The Microsoft Exchange IMAP4 service is ready. >> a1 AUTHENTICATE NTLM + >> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= + TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA

＆ 更多… (& more…)

If you’ve spent any time around Windows you may have guessed this was possible, as NTLM authentication can be found in any number of places. Protocols such as: HTTP, SMTP, IMAP, POP3, RDP, MS-SQL, NNTP, TELNET, and more may also be susceptible to this type of disclosure. While exploiting this in other protocols requires more than just a Telnet session, we can easily automate the search using NMAP’s NSE scripts:

如果您在Windows上花了很多时间，您可能会猜想这是有可能的，因为可以在任何地方找到NTLM身份验证。 诸如：HTTP，SMTP，IMAP，POP3，RDP，MS-SQL，NNTP，TELNET等协议也可能易受此类公开的影响。 尽管在其他协议中利用此功能不仅需要Telnet会话，但我们可以使用NMAP的NSE脚本轻松地自动执行搜索：

root@kali: nmap -sS -v --script=*-ntlm-info --script-timeout=60s example.com Nmap scan report for x.x.x.x Host is up (0.0063s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http | http-ntlm-info: | Target_Name: IIS01 | NetBIOS_Domain_Name: IIS01 | NetBIOS_Computer_Name: IIS01 | DNS_Domain_Name: IIS01 | DNS_Computer_Name: IIS01 |_ Product_Version: 6.3.9600

This command will run NMAP against the target and execute the scripts listed below, given the proper ports are identified. By default, “http-ntlm-info.nse” will attempt an authentication request by adding the “Authorization” header against the server’s root page. This can be modified by adding “ — script-args http-ntlm-info.root=/EWS” to the command line arguments and adjusting the page value as needed.

给定正确的端口，此命令将对目标运行NMAP并执行下面列出的脚本。 默认情况下，“ http-ntlm-info.nse”将通过在服务器的根页面上添加“ Authorization”标头来尝试进行身份验证请求。 可以通过在命令行参数中添加“-脚本参数http-ntlm-info.root = / EWS”并根据需要调整页面值来进行修改。

结论 (Conclusion)

I have used some of these techniques during penetration tests to capture sensitive information, which ultimately led to greater attacks down the road. So next time your stuck on an engagement, or bug hunt, test out these methods for a quick win!

我在渗透测试期间使用了其中一些技术来捕获敏感信息，最终导致了更大的攻击。 因此，下一次您陷入订婚或寻宝活动时，请测试这些方法以快速获胜！

参考资料和其他资源： (References and Additional Resources:)

http://davenport.sourceforge.net/ntlm.htmlhttps://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlmhttps://blog.gdssecurity.com/labs/2014/2/12/http-ntlm-information-disclosure.html

http://davenport.sourceforge.net/ntlm.html https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm https://blog.gdssecurity.com/labs/2014/ 2/12 / http-ntlm-information-disclosure.html

Originally published at https://m8r0wn.com.

最初发布在 https://m8r0wn.com 。