This post will be the first in an ongoing series devoted to covering various modules in the Metasploit Framework and their uses. We hope that our readers will find this useful, as there are more modules added to the framework each day, as well as some obscure modules which are incredibly valuable. This entry in the series will examine one of the latter, the ntlm_info_enumeration module. However, before we dive right in, I think a brief journey through history is in order.
The Dark Ages:
Imagine a primitive penetration tester performing an external pentest who happens to have an OWA server in scope. Obviously he is going to want to brute force some user accounts there, because who doesn’t like reading emails that don’t belong to them? One problem he may encounter is that OWA can be configured to require user names to be in the format of AD DOMAIN\USER NAME (i.e. “contoso\bgates”).
In this case he could try to guess the domain name, and in some instances that is easy enough, but guessing certainly isn't a perfect solution. Our penetration tester wants to be as successful as possible, but he lacks sophistication and is forced to use crude techniques such as including a short list of possible domains in his brute force attack. For this reason, many organizations remained unbreached, and much employee email went unread, despite his best efforts.
The Industrial Revolution:
A lot has happened since The Dark Ages: penetration testers have evolved, and the attacks and techniques they employ are more sophisticated. One of the key advances was the discovery that during the NTLM authentication process, the Active Directory domain and NetBIOS name of the system are disclosed. Some historians credit coldfusion with the initial discovery of this information, but no definitive evidence has ever been identified. In any case, pentesters are now able to identify the AD domain using a few manual steps. This is accomplished by first identifying a page that accepts NTLM authentication and submitting an authentication request. In the reply, a base64-encoded value contains several pieces of data, including the AD domain. This technique is demonstrated in the following exclusive images, obtained by The War Room, from this time period:
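The decoding step of the manual technique above, as an added example in Python that is not part of the original post or of the Metasploit module. It takes the value of a `WWW-Authenticate: NTLM <base64>` reply header, checks that the token is an NTLM Type 2 (challenge) message, and reads the target name, the AV_PAIR list (NetBIOS domain and computer name, DNS names, server timestamp) and the OS version field, so a defender can see exactly what their own OWA or IIS endpoint discloses before any credential is sent. The message layout, flag values and AvId numbers are taken from the MS-NLMP specification; the `sample_header()` function builds a constructed challenge for the fictional `CONTOSO` domain so the script runs offline, and the builder, server names and timestamp in it are assumptions, not data from any real server.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constants from MS-NLMP (CHALLENGE_MESSAGE layout and NegotiateFlags bits)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
DEFAULT_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
HEADER_LEN = 56  # fixed part of the Type 2 message, including the Version field

# AV_PAIR AvId values (MS-NLMP 2.2.2.1); 0 is MsvAvEOL and ends the list
AV_ID_NAMES = {
    1: "MsvAvNbComputerName",
    2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName",
    5: "MsvAvDnsTreeName",
    6: "MsvAvFlags",
    7: "MsvAvTimestamp",
}
STRING_AV_IDS = {1, 2, 3, 4, 5}


def filetime_to_iso(raw):
    """Convert an 8-byte Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601."""
    (ft,) = struct.unpack("<Q", raw)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def parse_challenge_message(data):
    """Decode a raw NTLM Type 2 message and return the fields it discloses."""
    if data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected Type 2 (challenge), got message type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", data, 12)   # TargetNameFields
    (flags,) = struct.unpack_from("<I", data, 20)                     # NegotiateFlags
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", data, 40)   # TargetInfoFields
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"  # OEM charset approximated

    result = {
        "target_name": data[tn_off:tn_off + tn_len].decode(enc),
        "server_challenge": data[24:32].hex(),
        "target_info": {},
    }
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(data) >= HEADER_LEN:
        major, minor, build = struct.unpack_from("<BBH", data, 48)   # Version field
        result["os_version"] = f"{major}.{minor} build {build}"

    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", data, pos)
            pos += 4
            if av_id == 0:  # MsvAvEOL
                break
            value = data[pos:pos + av_len]
            pos += av_len
            name = AV_ID_NAMES.get(av_id, f"MsvAv_{av_id:#06x}")
            if av_id in STRING_AV_IDS:
                result["target_info"][name] = value.decode("utf-16-le")
            elif av_id == 7 and av_len == 8:
                result["target_info"][name] = filetime_to_iso(value)
            else:
                result["target_info"][name] = value.hex()
    return result


def parse_www_authenticate(header_value):
    """Decode the challenge carried in a 'WWW-Authenticate: NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not token:
        raise ValueError("header does not carry an NTLM token")
    return parse_challenge_message(base64.b64decode(token))


def build_challenge_message(target_name, av_pairs, flags=DEFAULT_FLAGS):
    """Assemble a Type 2 message (constructed test fixture; real servers generate these)."""
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    ti += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(tn), len(tn), HEADER_LEN)
    msg += struct.pack("<I", flags)
    msg += bytes(range(8))  # ServerChallenge: fixed constructed value, not random
    msg += b"\x00" * 8      # Reserved
    msg += struct.pack("<HHI", len(ti), len(ti), HEADER_LEN + len(tn))
    msg += struct.pack("<BBH3sB", 6, 1, 7601, b"\x00" * 3, 0x0F)  # Version 6.1 build 7601
    return msg + tn + ti


def sample_header():
    """A constructed header value for a fictional CONTOSO domain (assumed names, not real data)."""
    av = [
        (2, "CONTOSO".encode("utf-16-le")),
        (1, "OWA01".encode("utf-16-le")),
        (4, "contoso.local".encode("utf-16-le")),
        (3, "owa01.contoso.local".encode("utf-16-le")),
        (5, "contoso.local".encode("utf-16-le")),
        (7, struct.pack("<Q", 132000000000000000)),  # FILETIME for 2019-04-17T18:40:00Z
    ]
    return "NTLM " + base64.b64encode(build_challenge_message("CONTOSO", av)).decode("ascii")


if __name__ == "__main__":
    for key, value in parse_www_authenticate(sample_header()).items():
        print(f"{key}: {value}")
```

Pointing `parse_www_authenticate` at a header captured from a system you administer shows the same fields the module reports, which is the quickest way to confirm whether an endpoint is disclosing the internal domain and host names at all.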
While a definite improvement over the past, this is still a very manual technique. Our pentester would have to spend a considerable amount of time checking a large number of paths across several IP ranges. As pentesters are historically recognized as lazy, this is still far from ideal.
The Information Age:
We now arrive in the present day, where everyone on the Internet tells the truth and vulnerabilities have their own logos. The modern pentester has no shortage of tools in his repertoire; chief among them is the Metasploit Framework. Metasploit is a popular tool among those in the industry because it makes accessible things that were previously out of reach. One of the ways this occurs is through automation. In fact, modules in the automated "scanner" group are widely regarded as some of the most useful in the entire framework. One module in particular, the ntlm_info_enumeration module written by kaospunk, automates the process identified during The Industrial Revolution.
By leveraging this module, our pentester can tear through ranges of systems at a time, increasing his chances of identifying the information he seeks and thus gaining access to the precious prize of other people’s mail.
Now that history class is over, we can explore this module in a little more detail. This module allows the pentester to rapidly identify an AD domain, and other information, from an NTLM authentication response. It supports either manually specifying a path or testing several paths included in a default word list. As an auxiliary module, it is able to test multiple hosts, making this a go-to tool when testing a large number of systems. While the focus in this post has been on using this information to gain access to OWA, other, arguably more alarming, opportunities are possible as well. Access to a VPN or Citrix system can prove invaluable during a penetration test, and even if OWA doesn't provide any juicy information it is the perfect platform to phish other employees from. Hopefully this post has helped you understand the ntlm_info_enumeration module a little bit better, and given you some ideas about how its use can improve your ability to target Active Directory authentication externally.
Tune in next time for another exciting edition of The Metasploit Module of the Month!