
The dangers of NTLM vulnerabilities to business

Sponsored by SecurityHQ

NTLM stands for New Technology LAN Manager, a family of authentication protocols implemented in the Windows library Msv1_0.dll (Microsoft Authentication Package v1.0). It is used to authenticate a user's identity and to protect the integrity and confidentiality of their session.

The dangers of Version 1 NTLM to business operations

NTLM is a single sign-on (SSO) protocol that uses a challenge-response mechanism to prove a user's identity to a server or domain controller. The client sends a negotiation message to the server, the server responds with a challenge message, and the client answers that challenge in order to be authenticated.


There are two forms of NTLM:

  • Version 1, released in 1993, uses an NT hash or LM hash, which are unsalted MD4 hashes of an account's password. The hash is applied to a 16-byte random number challenge.
  • Version 2, released in 1998, adds a timestamp and the username to the computation. It also uses a variable-length challenge instead of a fixed-length one.

Even with the increasing risk of cyber-security threats, cyber-security experts at SecurityHQ are still seeing organisations using the older NTLMv1 version for authentication. The prime reason for this is that business-critical applications are dependent on it to maintain compatibility with older systems. It is also quite difficult to find which systems are still using this legacy protocol as the infrastructure of today’s organisations is both vast and intricate.


Another reason organisations are still using this legacy authentication protocol is that IT teams are not confident about how systems will behave after NTLMv1 is disabled. Because the protocol is so old, many of today's IT teams were not involved in its original deployment and are therefore reluctant to trust the change.

The risks – how NTLM can compromise an organisation

The following process outlines how NTLM works, and then highlights five ways it can compromise an organisation.

  1. The user enters their username and password for the domain on the client.
  2. The client produces a hash of the password using a hashing algorithm and discards the plaintext password.
  3. The plaintext username is sent to the server.
  4. The server responds to the client with a challenge, a 16-byte random number.
  5. The client returns the challenge encrypted with the hash of the user's password.
  6. The server sends the challenge, the response and the username to the domain controller.
  7. The domain controller retrieves the user's password hash from its database and uses it to encrypt the challenge.
  8. The domain controller compares its encrypted challenge with the client's response. If they match, the user is authenticated and granted access.
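To make the eight steps concrete, here is an added Python model of the exchange; it is not code from the article or from SecurityHQ. It assumes SHA-256 in place of MD4 and an HMAC in place of the DES-based response, because the point is who holds what at each step, not the exact primitives; the usernames and passwords are constructed.

```python
"""Model of the NTLM challenge-response flow described above (added example).

Assumptions, not part of the original article: MD4 is replaced with SHA-256
because modern hashlib builds often lack MD4, and the DES-based response is
replaced with HMAC. The message flow and the checks are what matters here.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Step 2: the client hashes the password and keeps only the hash.
    Unsalted, like the NT hash: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def server_challenge() -> bytes:
    """Step 4: the server issues a 16-byte random challenge."""
    return os.urandom(16)


def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Step 5: the client proves knowledge of the hash; the password never leaves it."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


# Constructed domain-controller "database" of stored password hashes.
DC_DATABASE = {
    "alice": password_hash("Winter2024!"),
    "bob": password_hash("Winter2024!"),   # same password as alice
    "carol": password_hash("correct horse battery staple"),
}


def dc_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Steps 6-8: the DC recomputes the response from its stored hash and compares."""
    stored = DC_DATABASE.get(username)
    if stored is None:
        return False
    expected = client_response(stored, challenge)
    return hmac.compare_digest(expected, response)


def authenticate(username: str, password: str) -> bool:
    """Run steps 1-8 end to end for one logon attempt."""
    pw_hash = password_hash(password)                  # client side
    challenge = server_challenge()                     # server side
    response = client_response(pw_hash, challenge)     # client side
    return dc_verify(username, challenge, response)    # forwarded to the DC


def same_hash(user_a: str, user_b: str) -> bool:
    """No salt: two users with the same password store the same hash."""
    return DC_DATABASE[user_a] == DC_DATABASE[user_b]
```

The `same_hash` check is the property behind the brute-force weakness discussed further down: once a stored hash is known, candidate passwords can be tested against it offline, and one match covers every account sharing that password.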

For the following reasons, the legacy NTLMv1 protocol is easily compromised.

  1. Weak cryptography: NTLMv1 relies on old techniques for producing its hashes, such as MD4, which attackers can crack with little effort.
  2. Man-in-the-middle attack: NTLMv1 is prone to man-in-the-middle attacks because it has no mechanism for validating the server's identity.
  3. Lack of MFA: NTLMv1 is an SSO technique with no MFA-related capabilities, which leaves it vulnerable to attack.
  4. Relay attacks: attackers can relay a user's privileges to another server; once there, lateral movement across the network becomes easier.
  5. Brute force attack: NTLMv1 is prone to brute force attacks because its password hashes are unsalted, so two users with the same password produce the same hash. An attacker who captures a hash can run candidate passwords through the known hashing algorithm and keep guessing until one matches, gaining access to the network.

Recommendations to businesses to safeguard against NTLM vulnerabilities

  • Always use the most up-to-date versions of systems and processes, and update devices regularly.
  • Ensure strong password protocols and multi-factor authentication on all devices.
  • Train your team, so that they know how to spot vulnerabilities.
  • Use vulnerability management to view and act on all vulnerabilities across all your digital platforms, including internet, applications, systems, cloud and hardware. Identify your weak points, monitor your online identity, verify issues and remediate in rapid time.

“Despite the ease of exploiting and breaking up the NTLM authentication sequence, leading up to compromising a user credential, NTLM is still widely used to maintain compatibility with legacy systems and applications. This leaves no option for a security team – for any organisation – but to ensure its related logs are closely audited and monitored by ingesting the Microsoft Domain-Controller Windows Security Events (a specific set of event IDs) into an on-prem or cloud-hosted security information and event management (SIEM) solution. This SIEM must be equipped with all the relevant threat-detection scenarios to enable real-time protocol anomaly detection, or detection of any attempt at stealing password hashes or breaking the authentication flow between the user and the DC. The SecurityHQ SOC team has a lot of expertise in detecting threats pertaining to NTLM authentication and correlating such threats with other threat indicators coming from other third-party systems to get a holistic view of an attack sequence within any organisation.” – Islam Rashad, Regional Presales Lead, SecurityHQ
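
As an added illustration of the auditing described in the quote (not code from the article or from SecurityHQ), the Python below flags NTLMv1 logons in domain-controller security events. It assumes the text fields of Windows Security event 4624, whose "Authentication Package" and "Package Name (NTLM only)" fields name the protocol version used; the four events, account names and addresses are constructed samples.

```python
"""Added example: find NTLMv1 logons in Windows Security event 4624 records
collected from domain controllers. The events below are constructed samples
that mimic the text fields of event 4624; they are not from the article."""
import re
from collections import Counter

# Constructed sample events, one per string (field names follow event 4624).
SAMPLE_EVENTS = [
    "EventID: 4624\nAccount Name: alice\nAuthentication Package: NTLM\n"
    "Package Name (NTLM only): NTLM V1\nSource Network Address: 10.0.5.21",
    "EventID: 4624\nAccount Name: bob\nAuthentication Package: NTLM\n"
    "Package Name (NTLM only): NTLM V2\nSource Network Address: 10.0.5.22",
    "EventID: 4624\nAccount Name: svc_backup\nAuthentication Package: NTLM\n"
    "Package Name (NTLM only): NTLM V1\nSource Network Address: 10.0.7.9",
    "EventID: 4624\nAccount Name: carol\nAuthentication Package: Kerberos\n"
    "Package Name (NTLM only): -\nSource Network Address: 10.0.5.23",
]

# One "Key: value" pair per line of the event message.
FIELD = re.compile(r"^(?P<key>[^:\n]+):\s*(?P<value>.*)$", re.MULTILINE)


def parse_event(text: str) -> dict:
    """Turn the event message text into a field dictionary."""
    return {m.group("key").strip(): m.group("value").strip()
            for m in FIELD.finditer(text)}


def is_ntlmv1_logon(event: dict) -> bool:
    """A successful logon (4624) negotiated over NTLM version 1."""
    return (event.get("EventID") == "4624"
            and event.get("Authentication Package") == "NTLM"
            and event.get("Package Name (NTLM only)") == "NTLM V1")


def find_legacy_logons(events: list) -> list:
    """Return (account, source address) for every NTLMv1 logon seen."""
    hits = []
    for text in events:
        ev = parse_event(text)
        if is_ntlmv1_logon(ev):
            hits.append((ev["Account Name"], ev["Source Network Address"]))
    return hits


def legacy_hosts(events: list) -> Counter:
    """Count NTLMv1 logons per source host: the inventory of systems still
    depending on the legacy protocol that the article says is hard to build."""
    return Counter(src for _, src in find_legacy_logons(events))
```

Feeding the same logic a SIEM's 4624 stream gives both a detection (a v1 logon from a host that should not use it) and the inventory needed before NTLMv1 can be disabled safely.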


Having conducted incident response investigations across a wide range of industries, SecurityHQ is best-placed to work with businesses large and small, and across numerous technical environments to reduce the impact of a cyber-security incident. For more information on these threats, speak to an expert here.


Apurva Tikoo is Senior Cyber-Security Manager, SecurityHQ. She is responsible for handling and translating customer requirements to ensure quality service is delivered, and acts as security consultant for clients, helping them to enhance their security posture.


Patrick Henry Oliveira Fry is Graduate Cyber-Security Manager, SecurityHQ. He works with clients to maintain a secure environment and identify threats before they are exposed.


Eleanor Barlow is Content Manager, SecurityHQ. She is responsible for SecurityHQ’s global content strategy, including writing on the latest cyber-security-related threat intelligence.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543