THE NTLM/NTLMV2 AUTHENTICATION PROTOCOLS
Welcome N1NJ10. Today we will discuss a new topic: what NTLM/NTLMv2 is, how it works, whether we can crack it, and many related topics in detail, building on what we know from the previous articles.
Let’s start
First, let’s define what the NTLM protocol is and why we need it.
NTLM is a suite of authentication and session security protocols used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider (“NTLMSSP”). Originally used for authentication and negotiation of secure DCE/RPC, NTLM is also used throughout Microsoft’s systems as an integrated single sign-on mechanism.
It is used by many application protocols, such as POP3, SMTP, IMAP, SMB and others.
The NTLM Security Support Provider provides:
- Authentication: NTLM provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server.
- Signing: The NTLMSSP provides a means of applying a digital “signature” to a message. This ensures that the signed message has not been modified (either accidentally or intentionally) and that the signing party has knowledge of a shared secret. NTLM implements a symmetric signature scheme (Message Authentication Code, or MAC); that is, a valid signature can only be generated and verified by parties that possess the common shared key.
- Sealing: The NTLMSSP implements a symmetric-key encryption mechanism, which provides message confidentiality. In the case of NTLM, sealing also implies signing (a signed message is not necessarily sealed, but all sealed messages are signed).
OK, now that we know why the NTLM protocol matters, let’s see how it works.
First, the client sends a Type 1 message to the server. This primarily contains a list of features supported by the client and requested of the server.
Second, the server responds with a Type 2 message. This contains a list of features supported and agreed upon by the server. Most importantly, however, it contains a challenge generated by the server.
Third, the client replies to the challenge with a Type 3 message. This contains several pieces of information about the client, including the domain and username of the client user. It also contains one or more responses to the Type 2 challenge.
But what are the Type 1, 2 and 3 messages?
Type 1 message
The Type 1 message is sent from the client to the server to initiate NTLM authentication. Its primary purpose is to establish the “ground rules” for authentication by indicating supported options via the flags. Optionally, it can also provide the server with the client’s workstation name and the domain in which the client workstation has membership; this information is used by the server to determine whether the client is eligible for local authentication. In a capture you can see important information in it, such as the domain name, workstation name, account and host name.
Here is a Wireshark screenshot:
Type 2 message
The Type 2 message is sent by the server to the client in response to the client’s Type 1 message. It serves to complete the negotiation of options with the client, and also provides a challenge to the client. It may optionally contain information about the authentication target. In a capture you can see the Target Information structure, the challenge, and more.
But what is the challenge?
OK, first you need to know that your credentials are already stored on the NTLM server, so it knows your username and (a hash of) your password.
The small picture:
The server needs to verify that you really are the person whose username you entered, so it uses a neat trick: it generates a random string (the challenge), derives three DES keys from your stored password hash, encrypts the challenge with these keys, and then sends you the same random string and asks you to encrypt it with your password in the same way it did.
If the user sends back the same encrypted string that the server computed, he is the real user and is let in. If not, this incident will be reported.
Notes: how the hash used in the challenge-response is made, in detail
- The password you enter is converted to uppercase: fady → FADY → 0x46414459. This significantly reduces the set of possible passwords that must be tested in a brute-force attack.
- This password is null-padded to 14 bytes → 0x4641445900000000000000000000.
- It is split into two 7-byte halves: 0x46414459000000 and 0x00000000000000. This can be exploited: if the password is seven or fewer characters, the second half is always 7 null bytes. This effectively compromises half of the LM hash (it will always be the ciphertext of “KGS!@#$%” encrypted with the DES key 0x0101010101010101, i.e. the constant 0xaad3b435b51404ee). This in turn compromises the three DES keys used to produce the response.
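To make the notes above and the challenge-response description under Type 2 concrete, here is an added Go example (not code from the original article) that carries out the listed steps: uppercase, null-pad to 14 bytes, split into two 7-byte DES keys, encrypt the constant “KGS!@#$%”, then null-pad the 16-byte hash to 21 bytes, split it into three 7-byte DES keys and encrypt the 8-byte server challenge with each. It uses only Go’s standard library `crypto/des`. The password “fady”, the 8-byte challenge value and the function names (`LMHash`, `LMResponse`, `IsWeakLMHash`) are constructed for this example; `IsWeakLMHash` shows how an auditor can spot, from a stored hash alone, that a password has seven or fewer characters, which is exactly the weakness the third note describes.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// weakSecondHalf is DES_{0x0101010101010101}("KGS!@#$%"): the second half of
// the LM hash of every password with seven or fewer characters.
const weakSecondHalf = "aad3b435b51404ee"

// setOddParity sets the least significant bit so the byte has odd parity,
// the conventional formatting of DES key bytes (Go's DES ignores parity).
func setOddParity(b byte) byte {
	b &= 0xFE
	if bits.OnesCount8(b)%2 == 0 {
		b |= 0x01
	}
	return b
}

// desKeyFrom7 spreads a 7-byte secret (56 bits) over the 8 bytes of a DES
// key, using the spare bit of each byte for parity. Seven null bytes
// therefore become the key 0x0101010101010101 mentioned in the notes.
func desKeyFrom7(k7 []byte) []byte {
	k := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range k {
		k[i] = setOddParity(k[i] << 1)
	}
	return k
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key.
func desEncryptBlock(key7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash follows the steps in the notes: uppercase (ASCII only here; Windows
// uses the OEM code page), truncate/null-pad to 14 bytes, split into two
// 7-byte halves, and use each half as a DES key to encrypt "KGS!@#$%".
func LMHash(password string) []byte {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	padded := make([]byte, 14)
	copy(padded, p)
	magic := []byte("KGS!@#$%")
	return append(desEncryptBlock(padded[:7], magic), desEncryptBlock(padded[7:], magic)...)
}

// LMResponse computes the 24-byte LM/NTLMv1 response to an 8-byte server
// challenge: the 16-byte hash is null-padded to 21 bytes, split into three
// 7-byte DES keys, and each key encrypts the challenge.
func LMResponse(lmHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, lmHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[i*7:(i+1)*7], challenge)...)
	}
	return resp
}

// IsWeakLMHash reports whether a stored LM hash reveals a password of seven
// or fewer characters: its second half equals the well-known constant.
func IsWeakLMHash(lmHash []byte) bool {
	return hex.EncodeToString(lmHash[8:]) == weakSecondHalf
}

func main() {
	// Constructed sample challenge; a real server picks 8 random bytes.
	challenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	for _, pw := range []string{"fady", "password"} {
		h := LMHash(pw)
		fmt.Printf("%-9s LM hash %s weak=%v response %s\n",
			pw, hex.EncodeToString(h), IsWeakLMHash(h), hex.EncodeToString(LMResponse(h, challenge)))
	}
}
```

Run it and the second half of the hash for “fady” comes out as aad3b435b51404ee, while the 8-character “password” does not trigger the check; the empty password hashes to that constant twice over. The same DES key expansion is what turns the 16-byte hash into three 7-byte keys for the response, which is why a known half of the hash weakens the whole exchange.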
Here is a Wireshark screenshot:
Type 3 message
The Type 3 message is the final step in authentication. This message contains the client’s responses to the Type 2 challenge, which demonstrate that the client has knowledge of the account password without sending the password directly. The Type 3 message also indicates the authentication target (domain or server name) and username of the authenticating account, as well as the client workstation name, the response, the Target Information structure, and more.
Here is a Wireshark screenshot:
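Since the three message types all share the same NTLMSSP header, here is an added Go example (not part of the original article) of the kind of parser a defender would use when pulling NTLM exchanges out of a capture: it recognises the type from the “NTLMSSP\0” signature and the little-endian type field, and for a Type 2 message extracts the server challenge, the target name and whether the Sign/Seal flags were negotiated. The field offsets follow the MS-NLMP CHALLENGE_MESSAGE layout (signature, type, TargetName fields, flags, challenge, reserved, TargetInfo fields, payload); the Type 2 message it parses is constructed in `sampleType2`, not taken from a real capture, and the function and type names are my own.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode/utf16"
)

// Every NTLMSSP message starts with this signature, then a little-endian type.
const ntlmSignature = "NTLMSSP\x00"

const (
	TypeNegotiate    = 1 // Type 1
	TypeChallenge    = 2 // Type 2
	TypeAuthenticate = 3 // Type 3
)

// Negotiate flag bits from MS-NLMP that matter for this article.
const (
	flagUnicode    = 0x00000001
	flagSign       = 0x00000010
	flagSeal       = 0x00000020
	flagNTLM       = 0x00000200
	flagTargetInfo = 0x00800000
)

// MessageType returns 1, 2 or 3 for a raw NTLMSSP blob, or an error.
func MessageType(msg []byte) (uint32, error) {
	if len(msg) < 12 || string(msg[:8]) != ntlmSignature {
		return 0, errors.New("not an NTLMSSP message")
	}
	t := binary.LittleEndian.Uint32(msg[8:12])
	if t < TypeNegotiate || t > TypeAuthenticate {
		return 0, fmt.Errorf("unknown NTLM message type %d", t)
	}
	return t, nil
}

// securityBuffer reads the {Len uint16, MaxLen uint16, Offset uint32}
// descriptor at `at` and returns the bytes it points to, with bounds checks
// so a malformed message cannot make the parser read outside the buffer.
func securityBuffer(msg []byte, at int) ([]byte, error) {
	if at+8 > len(msg) {
		return nil, errors.New("truncated field descriptor")
	}
	n := int(binary.LittleEndian.Uint16(msg[at:]))
	off := int(binary.LittleEndian.Uint32(msg[at+4:]))
	if off+n > len(msg) {
		return nil, errors.New("field points outside the message")
	}
	return msg[off : off+n], nil
}

// Challenge holds the Type 2 fields worth inspecting in a capture.
type Challenge struct {
	Flags      uint32
	Challenge  [8]byte
	TargetName string
	Sign, Seal bool // did the server negotiate signing / sealing?
}

// ParseChallenge decodes a Type 2 message: signature(8) type(4)
// TargetNameFields(8) Flags(4) ServerChallenge(8) Reserved(8) ...
func ParseChallenge(msg []byte) (*Challenge, error) {
	t, err := MessageType(msg)
	if err != nil {
		return nil, err
	}
	if t != TypeChallenge {
		return nil, fmt.Errorf("expected Type 2, got Type %d", t)
	}
	if len(msg) < 32 {
		return nil, errors.New("Type 2 message too short")
	}
	c := &Challenge{Flags: binary.LittleEndian.Uint32(msg[20:24])}
	copy(c.Challenge[:], msg[24:32])
	c.Sign = c.Flags&flagSign != 0
	c.Seal = c.Flags&flagSeal != 0
	name, err := securityBuffer(msg, 12)
	if err != nil {
		return nil, err
	}
	c.TargetName = decodeName(name, c.Flags&flagUnicode != 0)
	return c, nil
}

// decodeName converts a UTF-16LE (Unicode flag set) or OEM string field.
func decodeName(b []byte, unicode bool) string {
	if !unicode {
		return string(b)
	}
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u))
}

// sampleType2 builds a constructed Type 2 message (not from a real capture):
// TargetName "DOMAIN" in UTF-16LE right after the 48-byte header, an empty
// TargetInfo, Sign negotiated but not Seal, and a fixed challenge.
func sampleType2() []byte {
	name := []byte("D\x00O\x00M\x00A\x00I\x00N\x00")
	msg := make([]byte, 48, 48+len(name))
	copy(msg[0:], ntlmSignature)
	binary.LittleEndian.PutUint32(msg[8:], TypeChallenge)
	binary.LittleEndian.PutUint16(msg[12:], uint16(len(name)))
	binary.LittleEndian.PutUint16(msg[14:], uint16(len(name)))
	binary.LittleEndian.PutUint32(msg[16:], 48)
	binary.LittleEndian.PutUint32(msg[20:], flagUnicode|flagNTLM|flagSign|flagTargetInfo)
	copy(msg[24:32], []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef})
	binary.LittleEndian.PutUint32(msg[44:], uint32(48+len(name))) // empty TargetInfo
	return append(msg, name...)
}

func main() {
	c, err := ParseChallenge(sampleType2())
	if err != nil {
		panic(err)
	}
	fmt.Printf("target=%s challenge=%s sign=%v seal=%v flags=0x%08x\n",
		c.TargetName, hex.EncodeToString(c.Challenge[:]), c.Sign, c.Seal, c.Flags)
}
```

The bounds checks in `securityBuffer` are the part worth copying: the length/offset descriptors are attacker-controlled input to anything that parses these messages, and the Sign/Seal bits are what tell you whether the session that follows the Type 3 message is protected at all.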
The NTLM authentication protocol, especially v1, poses a serious security threat to any IT environment, and every hacker should know how it works and how it is exploited.
In future articles we will discuss how to exploit this protocol in several ways, so stay tuned.
I enjoyed the article, and will post more security stuff in the future.