Cyber Security News

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured on-premises applications can bypass Group Policy settings intended to disable NTLMv1. This vulnerability enables attackers to exploit the outdated authentication protocol.

The bypass allows attackers to intercept NTLMv1 traffic, crack user credentials offline, and gain unauthorized access within the network, which poses a significant risk to organizations that rely on on-premises applications and to those with diverse device environments.


Risks of NTLMv1 Exploitation in On-Premises Applications

NTLMv1 is an outdated authentication protocol that remains a security risk in many Windows environments. While Microsoft has deprecated NTLMv1, ended its active development and implemented measures such as domain-wide blocking, removing it completely remains challenging because of legacy systems.

Organizations must carefully assess their reliance on NTLMv1 and implement robust mitigation strategies, prioritizing migration to more secure authentication protocols such as Kerberos and other modern alternatives to minimize their exposure to these risks.

Simple NTLM Authentication

The client initiates authentication by sending a Negotiate message to the server, declaring its NTLM support; the server responds with a Challenge message containing a random number.

The client then hashes this number with its credentials and sends the result, along with its username, domain and session information, in an Authenticate message; the server validates the hash and grants access if the validation succeeds.

NTLMv1 Vulnerabilities

NTLMv1 suffered from weaknesses such as weak encryption (DES), a predictable 8-byte server challenge, and the lack of source/destination information, which enabled relay attacks.

Reject NTLMv1 with GP enabled

NTLMv2 addressed these issues by implementing stronger RC4 encryption, introducing a client challenge, and incorporating AV_PAIRS to create unique session keys for each authentication.
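The three-message exchange described under "Simple NTLM Authentication" and the NTLMv2 client challenge and AV_PAIRS mentioned above, modelled as an added example (not code from the article or from Silverfort). The NT hash is a constructed 16-byte constant standing in for MD4(password), the server name, account and domain are made up, and the timestamp is fixed at zero; the response computation itself follows the NTLMv2 construction from MS-NLMP (NTOWFv2, NTProofStr and SessionBaseKey over HMAC-MD5) using only the standard library.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# Constructed credential material: stands in for the user's NT hash
# (MD4 of the UTF-16LE password). Any 16 bytes serve the example.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER = "alice"      # constructed
DOMAIN = "CORP"     # constructed

# AV_PAIR ids from MS-NLMP: NetBIOS computer name and NetBIOS domain name.
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain), both UTF-16LE."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def av_pairs(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Encode a TargetInfo list as AvId(2) AvLen(2) Value, ending with MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", 0, 0)


def client_authenticate(ntowf: bytes, srv_chal: bytes, client_chal: bytes,
                        target_info: bytes) -> Tuple[bytes, bytes, bytes]:
    """Build the NTLMv2 'temp' blob and prove knowledge of NTOWFv2 over it.

    temp = RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4)
           TargetInfo Z(4); the client challenge and AV_PAIRS inside it are
    what make every response (and session key) unique."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0)   # timestamp fixed at 0 (constructed)
            + client_chal + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf, srv_chal + temp, hashlib.md5).digest()
    session_base_key = hmac.new(ntowf, nt_proof, hashlib.md5).digest()
    return nt_proof, temp, session_base_key


def server_verify(ntowf: bytes, srv_chal: bytes, nt_proof: bytes, temp: bytes) -> bool:
    """Server recomputes NTProofStr from its own copy of the hash and compares."""
    expected = hmac.new(ntowf, srv_chal + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def run_exchange(client_chal: Optional[bytes] = None, tamper: bool = False) -> Dict[str, object]:
    """Negotiate -> Challenge -> Authenticate, then server-side validation."""
    # 1. Negotiate: the client only announces NTLM support; nothing secret is sent.
    negotiate = b"NTLMSSP\x00" + struct.pack("<I", 1)
    # 2. Challenge: server returns a random 8-byte ServerChallenge plus TargetInfo.
    srv_chal = os.urandom(8)
    target_info = av_pairs([(MSV_AV_NB_DOMAIN_NAME, DOMAIN.encode("utf-16-le")),
                            (MSV_AV_NB_COMPUTER_NAME, "DC01".encode("utf-16-le"))])
    # 3. Authenticate: client hashes the challenge with its credential material.
    ntowf = ntowf_v2(NT_HASH, USER, DOMAIN)
    client_chal = client_chal or os.urandom(8)
    nt_proof, temp, key = client_authenticate(ntowf, srv_chal, client_chal, target_info)
    if tamper:  # simulate a forged/corrupted proof to show the server rejecting it
        nt_proof = bytes([nt_proof[0] ^ 0xFF]) + nt_proof[1:]
    verified = server_verify(ntowf, srv_chal, nt_proof, temp)
    return {"negotiate": negotiate, "server_challenge": srv_chal,
            "verified": verified, "session_base_key": key}


def session_keys_unique() -> bool:
    """Even with an identical (e.g. predictable) server challenge, two NTLMv2
    authentications yield different proofs and session keys, because the
    client challenge enters the hash. This is the property NTLMv1 lacked."""
    ntowf = ntowf_v2(NT_HASH, USER, DOMAIN)
    srv_chal = b"\x11" * 8   # deliberately fixed to make the point
    info = av_pairs([(MSV_AV_NB_DOMAIN_NAME, DOMAIN.encode("utf-16-le"))])
    p1, _, k1 = client_authenticate(ntowf, srv_chal, os.urandom(8), info)
    p2, _, k2 = client_authenticate(ntowf, srv_chal, os.urandom(8), info)
    return p1 != p2 and k1 != k2


if __name__ == "__main__":
    result = run_exchange()
    print("verified:", result["verified"], "key:", result["session_base_key"].hex())
    print("keys unique across sessions:", session_keys_unique())
```

The server never receives the hash itself, only NTProofStr; it validates by recomputing with its own copy, which in a domain is what the Netlogon call to the Domain Controller performs on the member server's behalf.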

Active Directory member servers rely on the Netlogon RPC interface to have NTLM messages evaluated remotely, verifying the credentials against the Domain Controller to ensure secure authentication.

The MS-NRPC protocol specification contains a flag within the NETLOGON_LOGON_IDENTITY_INFO structure that allows applications to bypass Group Policy restrictions and use NTLMv1 authentication even when it is explicitly disabled. 

Bypass the NTLMv1 Group Policy.

This “Allow NTLMv1 authentication” flag within the ParameterControl field instructs the Netlogon service to permit NTLMv1 authentication despite the LMCompatibilityLevel registry key being set to prevent it. 

By taking advantage of this flag, malicious applications can get around the security measures intended to eliminate the vulnerabilities associated with NTLMv1.

The recent disclosure of an NTLMv1 bypass in Windows highlights the limitations of Group Policy in fully mitigating this outdated authentication protocol. 

While Windows clients with higher LMCompatibilityLevel settings resist NTLMv1 requests, non-Windows clients and certain applications can still trigger NTLMv1 authentication, bypassing these security measures.

According to Silverfort, organizations must enable NTLM audit logs, comprehensively map the applications that use NTLM, and proactively detect and remediate vulnerable applications by moving them to modern authentication methods such as SSO or Kerberos.
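One way to turn the audit logs into the application map recommended above, as an added example that is not part of the article or of Silverfort's tooling. It parses the "Package Name (NTLM only)" field of Windows Security Event ID 4624, which records whether NTLM V1, NTLM V2 or LM was negotiated, and counts weak logons per account, workstation and source address. The event bodies are constructed samples (accounts, host names and addresses are made up); the field names follow the 4624 layout Windows writes.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample bodies of Security Event ID 4624 (not real logs). The
# layout mirrors the fields Windows writes; only the values are invented.
SAMPLE_EVENTS = [
    """An account was successfully logged on.
Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tSecurity ID:\t\tCORP\\svc-legacy
\tAccount Name:\t\tsvc-legacy
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tLEGACY-APP01
\tSource Network Address:\t10.0.0.5
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
\tKey Length:\t\t128
""",
    """An account was successfully logged on.
Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tSecurity ID:\t\tCORP\\bob
\tAccount Name:\t\tbob
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tNAS-OLD
\tSource Network Address:\t10.0.0.9
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
\tKey Length:\t\t128
""",
    """An account was successfully logged on.
Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tSecurity ID:\t\tCORP\\alice
\tAccount Name:\t\talice
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tWS-42
\tSource Network Address:\t10.0.1.17
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V2
\tKey Length:\t\t128
""",
]

# "Account Name" appears under both Subject and New Logon; anchor on the
# latter so the authenticated account (not the subject) is captured.
FIELDS = {
    "account": re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S),
    "domain": re.compile(r"New Logon:.*?Account Domain:\s*(\S+)", re.S),
    "workstation": re.compile(r"Workstation Name:\s*(\S+)"),
    "source_ip": re.compile(r"Source Network Address:\s*(\S+)"),
    "auth_package": re.compile(r"Authentication Package:\s*(\S+)"),
    "package_name": re.compile(r"Package Name \(NTLM only\):[ \t]*(.+)"),
}
WEAK_PACKAGES = {"NTLM V1", "LM"}   # LM is older and weaker still


def parse_4624(text: str) -> Dict[str, Optional[str]]:
    """Extract who authenticated, from where, and which NTLM version was used."""
    rec: Dict[str, Optional[str]] = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        rec[name] = m.group(1).strip() if m else None
    return rec


def find_ntlmv1(events: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return parsed records for logons that negotiated NTLMv1 (or LM)."""
    hits = []
    for ev in events:
        rec = parse_4624(ev)
        if rec["auth_package"] == "NTLM" and rec["package_name"] in WEAK_PACKAGES:
            hits.append(rec)
    return hits


def summarize(events: List[str]) -> Counter:
    """Count weak logons per (domain\\account, workstation, source IP): each
    distinct source is one application or device to migrate off NTLMv1."""
    return Counter((f'{r["domain"]}\\{r["account"]}', r["workstation"], r["source_ip"])
                   for r in find_ntlmv1(events))


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(f"{n:>4}  {key[0]:<22} {key[1]:<14} {key[2]}")
```

Event 4624 is written on the server that accepted the logon, so collecting it only from Domain Controllers misses most application servers; the audit has to cover the hosts where the legacy applications actually authenticate users. Sources that show up here are the candidates the article says to prioritize for migration to Kerberos or SSO.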

This proactive approach aligns with Microsoft’s commitment to enhancing security by phasing out NTLMv1 and demonstrates the importance of continuous monitoring and remediation efforts to ensure a secure IT environment.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
