Microsoft deprecates NTLM and why this is an important step

Introduction

Microsoft deprecates NTLM (New Technology LAN Manager) and recommends transitioning to Kerberos as the primary authentication protocol. Kerberos is known for its enhanced cryptography and server authentication capabilities compared to NTLM.

https://aka.ms/ntlm

With the deprecation of NTLM, the method of cracking NTLM hashes from Active Directory will become obsolete. Kerberos uses different mechanisms for authentication which do not rely on the same type of vulnerable hashing as NTLM. Therefore, the techniques used to crack NTLM hashes will not be applicable to Kerberos authentication traffic.

The transition to Kerberos is part of Microsoft’s effort to improve security. NTLM has been known for its vulnerabilities, including weak encryption algorithms like MD4 and DES, making it susceptible to brute-force attacks. Kerberos, on the other hand, provides a more secure authentication method that is less prone to such attacks.

As NTLM is phased out, organizations and individuals who are involved in security testing or ethical hacking will need to update their skills and tools to work with Kerberos and other modern authentication protocols. Sadly, I think this will take some time for organisations to move away from NTLM, but lets see. I’m happy that Microsoft deprecates NTLM, that’s a fact!

What is password hash (NTLM) cracking in Active Directory?

Active Directory, a service provided by Microsoft, is a directory service for Windows domain networks. It is involved in various tasks, including managing user data, security, and distributed resources, and enabling interoperation with other directories.

Password hash cracking in AD involves attackers trying to determine the plaintext value of a hashed password stored of objects in the AD database. Attackers often use techniques like brute force, dictionary attacks, or rainbow table attacks to crack these hashes.

In an AD environment, once attackers compromise a single machine, they can use the hashed passwords they’ve cracked to move laterally, potentially gaining access to many parts of the network (also towards Azure and Entra ID – most companies sync their AAD sync accounts and privileged users there too).

Step 0 – How easy is it to crack NTLM hashes?

Well, pretty easy. I though it would be nice to demonstrate why Microsoft deprecates NTLM and how easily you can brute-force or retrieve passwords from known hashes and password dumps with tools like hashcat.

It’s important to note that cracking hashes without authorization is illegal and unethical, and such activities should only be performed by professionals within the scope of their work and with proper permissions.

Follow the steps below if this the case…

Step 1 – Retrieving NTLM hashes from you Active Directory

Retrieving hashes from Active Directory using ntdsutil is a sensitive operation. Again #2: it’s crucial to understand that only authorized personnel should perform this task due to the potential exposure of sensitive information.

If you’re planning to carry out extracting the hashes, do it manually first. I recommend going through these steps at least once to familiarize yourself with the configuration. Please ensure that you perform these steps from your Active Directory server:

1. Create a Snapshot of Active Directory Database
   • Open a command prompt as an Administrator.
   • Type ntdsutil and press Enter.
   • At the ntdsutil prompt, type snapshot and press Enter.
   • At the snapshot prompt, type activate instance ntds and press Enter.
   • Then type create and press Enter. This will create a snapshot of the Active Directory database.
   • Type quit twice to exit ntdsutil.
2. Mount the Snapshot
   • Again, open ntdsutil in a command prompt as an Administrator.
   • Type snapshot and press Enter.
   • At the snapshot prompt, type list all and press Enter. This will list all snapshots.
   • Find the snapshot you just created, and type mount {GUID}, replacing {GUID} with the GUID of the snapshot.
   • Note the directory where the snapshot is mounted.
   • Type quit twice to exit ntdsutil.

For the next time, you can also use ntdsutil from the commandline, with a small snippet and you can skip the manual steps:

ntdsutil "ac i ntds" "ifm" "create full c:\temp-folder-for-your-ntds-backup" quit quit

Step 2 – Extracting NTLM hashes

The subsequent step involves extracting the hashes (formatted as domain\uid:rid:lmhash:nthash) from the files you’ve generated with ntdsutil. There are several tools and scripts available for this purpose. The most frequently used is the secretsdump.py script from the Impacket Python library, which comes pre-installed on Kali Linux.

For additional details, you can visit the following page: Impacket GitHub page

If you’ve previously used secretsdump.py, you might have noticed that it can be quite time-consuming. That’s why I prefer using gosecretsdump these days. It’s a highly efficient and reliable fork of Impacket, written in Golang, and is approximately ten times faster.

Before proceeding, ensure that you have a Linux (Ubuntu) or Kali Linux machine. Then, follow these steps:

wget https://github.com/C-Sto/gosecretsdump.git
cd gosecretsdump
go run main.go -ntds /home/username/Extracted/ntds.dit -system /home/username/Extracted/SYSTEM -out /home/username/export.txt

Make sure you choose the correct paths for your extracted ntdis.dit, SYSTEM and export file (for the hashes). Gosecretsdump contains several commands you can use, refer to this:

https://github.com/c-sto/gosecretsdump

When you open the export file, you probably see an export of each user account or object in your Active Directory in this format:

<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:

The LM hash should be the same (aad3b435b51404eeaad3b435b51404ee), but the NT hash is the information you need to crack/reveal the AD password(s):

woodgrovedemo.nl\user1:1314:aad3b435b51404eeaad3b435b51404ee:8397b997d63ceaac54bfb668c1df408e:::
woodgrovedemo.nl\user2:1316:aad3b435b51404eeaad3b435b51404ee:0b446183b62698a4c8244c4fd05f8e5b:::
woodgrovedemo.nl\user3:1317:aad3b435b51404eeaad3b435b51404ee:a0a185fb6c4af7572c8c3a9b22f65bd1:::
woodgrovedemo.nl\user4:1318:aad3b435b51404eeaad3b435b51404ee:51d296acab46bda7be7b9cc4e0a76ad9:::
woodgrovedemo.nl\user5:1319:aad3b435b51404eeaad3b435b51404ee:d8cf73482d2881cfa2527af973dcfc99:::
woodgrovedemo.nl\user6:1320:aad3b435b51404eeaad3b435b51404ee:767d34df5630f36a37b2c10aa1db26ab:::
woodgrovedemo.nl\user7:1321:aad3b435b51404eeaad3b435b51404ee:e5d11b40eee8683f4b5b06b0019a369f:::
woodgrovedemo.nl\user7:1322:aad3b435b51404eeaad3b435b51404ee:271551af8082f23ce2231fe3183aa603:::

Step 3 – Using Hashcat

Hashcat is a versatile, open-source password cracking tool used extensively in cybersecurity and information security. It’s designed to recover passwords from various cryptographic algorithms and hash types through brute-force, dictionary, and hybrid attacks etc. Essentially, it systematically tries all possible password combinations until it discovers the correct one.

In my example, I will be using a wordlist (dictionary), to test them against the NTLM hashes in my dump. I could also try to recover passwords by rainbow tables or by brute-forcing them, but that strongly depends on the algorithm, the VM used, GPU etc. You’ll have to decide the goal and the solution you want to use.

The ultimate goal is to retrieve all the passwords, but that might take a while. On the bright side the cracking speed will be shorter every year:

^{Source: Google (these numbers might not be up-to-date but this is just as an example 🙂 )}

But where do you get the wordlists from? There are plenty of websites offering VERY good lists, with weak passes. Check out https://weakpass.com/ – they have 300GB+ of all-in-one lists and those are great. In my example I crafted a list of passwords for myself, with only Dutch passwords and saved it in a .txt format.

Now we are going to use Hashcat, you can also use John the Ripper or any other tool. But I’m using Hashcat the most, I think it’s very effective and has plenty of options (also for other hashing algorithms). Refer to their Wiki if you want to learn more about the options: https://hashcat.net/wiki/doku.php?id=example_hashes.

On my Kali Linux machine (forgot to mention I’m using an F-type machine on Azure) I can start cracking the hashes by the following command (make sure to use the export.txt file with hashes and after that the list of passwords):

hashcat -a 0 -m 1000 export.txt dutch_passwordlist.txt

After some time, you’ll get the results from Hashcat (yet again it depends on the quality of the wordlist, the VM, GPU, how many hashes to scan etc.). But here you go, easy as that:

Are there any other flaws in NTLM which make it weak?

Regardless of the hash cracking part, the reason Microsoft deprecates NTLM is also because NTLM has some other flaws:

1. Lack of mutual authentication: NTLM lacks mutual authentication. While the client verifies its identity to the server, the reverse is not true. This one-way authentication process can be exploited by attackers.
2. Outdated hashing and encryption algorithms: NTLM uses outdated hashing and encryption algorithms, which are more susceptible to cryptographic attacks compared to modern standards. These vulnerabilities can compromise the security of user credentials.
3. Challenge-response mechanism: NTLM relies on a challenge-response mechanism using hashed versions of user passwords. This approach has inherent weaknesses, including the possibility of pass-the-hash attacks.
4. Downgrade attacks: Attackers can manipulate NTLM to downgrade security features, potentially leading to full domain compromise.

So Kerberos cannot be cracked?

Regarding the possibility of Kerberos being cracked, while Kerberos is considered one of the most secure authentication protocols, no system is entirely invulnerable. There are known attacks such as Kerberoasting, Pass-the-Ticket, and Golden Ticket attacks that can exploit certain weaknesses in Kerberos.

However, these attacks require a significant level of access or knowledge about the network and are not as straightforward as cracking NTLM hashes. By following the security measures mentioned below, the risk of such attacks can be greatly reduced:

1. Strong password policies: Implement strong password policies to make it difficult for attackers to crack passwords associated with Kerberos tickets (YES so either way make sure always to use strong passwords/complexity/lenght).
2. Regularly update and patch: Keep your systems updated with the latest security patches to protect against known vulnerabilities.
3. Service Principal Name (SPN) Management: Properly manage SPNs to prevent Kerberoasting, which involves service accounts.
4. Monitor and Audit: Regularly monitor and audit Kerberos authentication for any unusual activities that could indicate an attack.
5. Disable unused accounts: Disable or remove unused accounts and services that might be targeted in Kerberos attacks.
6. Educate users: Train users on security best practices to prevent social engineering attacks that could compromise Kerberos authentication.
7. Use advanced encryption: Employ strong encryption methods like AES for encrypting Kerberos tickets to enhance security.
8. Limit privileges: Apply the principle of least privilege to minimize the potential impact of a compromised account (I recommend tiering, tiering and tiering).
9. Tooling: Use tooling like Bloodhound, Rubeus, MimiKatz etc. to identify risks in your own environment (or even break them) and look if you’re vulnerable.
10. Entra ID: Don’t forget to test/assess your Entra ID too (Dirkjanm created some great tools like ROADtools and Bloodhound-Azure-AD)

Conclusion

While Microsoft deprecates NTLM is a positive step toward enhanced security, it’s essential to recognize that Active Directory remains a critical component for many organizations. Legacy systems and dependencies necessitate its continued use. Our focus should shift toward securing Active Directory effectively. By implementing best practices, regular audits, and robust access controls, we can mitigate risks and ensure a safer environment for user authentication and authorization.