Đang tải... (xem toàn văn)
The last few days I am playing around with wire shark and I must say I enjoy working with this program. It has saved the day for me a couple of times by giving me information that is only retrieved by looking at packet level. In this article I was looking at SMB and NTLM traffic in a windows environment. I noticed that our XP based network was running NTLMv1 that is considered unsecure. Let’s change this fast
SMB with Activity Directory Wireshark: Determining a SMB and NTLM version in a Windows environment The last few days I am playing around with wire shark and I must say I enjoy working with this program It has saved the day for me a couple of times by giving me information that is only retrieved by looking at packet level In this article I was looking at SMB and NTLM traffic in a windows environment I noticed that our XP based network was running NTLMv1 that is considered unsecure Let’s change this fast! Intro NTLM over a Server Message Block (SMB) transport is one of the most common uses of NTLM authentication and encryption Kerberos Protocol Extensions (KILE) is the preferred authentication method of an SMB session in Windows Server operating system and Windows Client operating systems However, when a client attempts to authenticate to an SMB server using the KILE protocol and fails, it can attempt to authenticate with NTLM The NT LAN Manager (NTLM) Authentication Protocol is used in Microsoft Windows Networks for authentication between clients and servers NTLM is used by application protocols to authenticate remote users and, optionally, to provide session security when requested by the application There are two major variants of the NTLM authentication protocol: the connection-oriented variant and the connectionless variant Each of these variants has three versions: LM, NTLMv1, and NTLMv2 In addition to authentication, the NTLM protocol optionally provides for session security—specifically message integrity and confidentiality through signing and sealing functions in NTLM For more in depth information I urge you to read this Microsoft NTLM documentation The following picture will show a protocol flow of NTLM and Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) authentication of an SMB session SMB with Activity Directory Step and – The SMB protocol negotiates protocol-specific options using the SMB_COM_NEGOTIATE request and response messages The client will send its supported dialects and the server will respond with the highest possible dialect The following dialect values are possible (older dialects are excluded here): Step – The client sends an SMB_COM_SESSION_SETUP_ANDX request message Assuming that NTLM authentication is negotiated, within this message an NTLM NEGOTIATE_MESSAGE is embedded SMB with Activity Directory Step – The server responds with an SMB_COM_SESSION_SETUP_ANDX response message within which an NTLM CHALLENGE_MESSAGE is embedded The message includes an 8-byte random number, called a “challenge”, that the server generates and sends in the ServerChallenge field of the message Step – The client extracts the ServerChallenge field from the NTLM CHALLENGE_MESSAGE and sends an NTLM AUTHENTICATE_MESSAGE to the server (embedded in an SMB_COM_SESSION_SETUP_ANDX request message) If the challenge and the response prove that the client knows the user’s password, the authentication succeeds and the client’s security context is now established on the server Step – The server sends a success message embedded in an SMB_COM_SESSION_SETUP_ANDX response message Wiresharking This article will only show how to find out which SMB and NTLM versions are used on your windows servers and windows clients while using Wireshark This is very useful to know because it has a great impact on your security There are many documents on the internet that show that LM and NTLMv1 are insecure these days therefore we need to ensure that these authentication methods are not allowed inside the windows network Thus we need to ensure that NTLMv2 only is allowed This behavior can be changed on windows servers and clients at the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa REG_DWORD Valuename: lmcompatibilitylevel The following values can be used: SMB with Activity Directory So you’re actually configuring a minimum security level here Now let’s take a look which values are used by default per OS type: We can conclude that if we have an XP client and a windows 2008 R2 server with default settings it will always use NTLMv1 If we use an Windows or Vista client and a windows 2008 R2 server it will use NTLMv2 Lets fire up Wireshark and take a look what’s happening “on the wire” SMB with Activity Directory Windows XP client and Windows 2008 R2 server (default settings) In this scenario a Windows XP client (10.0.0.2) tries to connect to a Windows 2008 R2 Server (10.0.0.1) share Let’s take a look at the SMB negotiate protocol request: The highest possible dialect that the Windows XP client can speak is NT LM 0.12 Thus SMB v1.0 Let’s take a look how the Windows 2008 R2 server will respond: SMB with Activity Directory The Windows 2008 R2 server responds its capable of SMB v1.0 (NT LM 0.12) and this is used to access the share Let’s take a look which version of NTLM it uses by looking at the Session setup andX request: NTLMSSP_AUTH packet SMB with Activity Directory There is no NTMLv2 section here so it is using NTLMv1 Thus insecure !! SMB with Activity Directory Windows client and Windows 2008 R2 server (default settings) In this scenario a Windows Client (10.0.0.3) tries to connect to a Windows 2008 R2 Server (10.0.0.1) share Let’s take a look at the SMB negotiate protocol request: The highest possible dialect that the Windows client can speak is SMB 2.??? Thus SMB v2.0 Wildcard Let’s take a look how the Windows 2008 R2 server will respond: SMB with Activity Directory The Windows 2008 R2 server responds its capable of 0x02ff (hexadecimal value for SMBv2.0 wildcard) You can also see that the protocol column switches from SMB to SMB2 Now the Windows clients needs to know which SMB2 version will be used for communication Let’s take a look at the new SMB2 negotiate protocol request: SMB with Activity Directory The highest possible SMB2 dialect that the Windows client can speak is more specific now It can use 0x0202 or 0x0210 Thus SMB v2.002 or SMB v2.1 Let’s take a look how the Windows 2008 R2 server will respond: 10 SMB with Activity Directory The Windows 2008 R2 server responds its capable of 0x210 (hexadecimal value for SMBv2.1) and this is used to access the share Let’s take a look which version of NTLM it uses by looking at the Session setupRequest, NTLMSSP_AUTH packet 11 SMB with Activity Directory The picture clearly shows that there is an NTLMv2 response Is there a quicker way to determine NTLMv1 or NTLMv2 authentication? Yes We can this by entering ntlmssp.ntlmv2response into the filter field Wireshark will filter out ntlmv2 traffic only 12 SMB with Activity Directory Back to our little problem We have a network running with XP clients and windows 2008 R2 server with default settings on GPO level We saw that NTLMv1 will be used for authentication and thus insecure We need to change this so the XP machines will authenticate by using NTLMv2 We can achieve this by change the Lmcompatibilitylevel value to The best way to achieve this is by placing all Windows XP clients into an OU and configure a computer GPO policy 13 SMB with Activity Directory Or Note : You can choosen “Send LM & NTLM – user MTLMv2 session secureity if negotiated” 14 SMB with Activity Directory Before you change the server side to Lmcompatibilitylevel value you must be absolutely sure that every Windows XP Client uses NTLMv2 or your phone will start ringing very often You can achieve this by changing the default domain controllers policy or by placing a GPO on an OU with servers When the server and client side are changed to NTLMv2 you have achieved the highest NTLM authentication possible Thus 15 SMB with Activity Directory the most secure NTLM form possible This ends my article about Determining a SMB and NTLM version in a windows environment I hope it’s useful somehow and feel free to comment Copy link : https://richardkok.wordpress.com/2011/02/03/wireshark-determininga-smb-and-ntlm-version-in-a-windows-environment/ 16 [...]... authentication possible Thus 15 SMB with Activity Directory the most secure NTLM form possible This ends my article about Determining a SMB and NTLM version in a windows environment I hope it’s useful somehow and feel free to comment Copy link : https://richardkok.wordpress.com/2011/02/03/wireshark-determininga -smb- and- ntlm- version- in -a- windows- environment/ 16 .. .SMB with Activity Directory The Windows 2008 R2 server responds its capable of 0x210 (hexadecimal value for SMBv2.1) and this is used to access the share Let’s take a look which version of NTLM it uses by looking at the Session setupRequest, NTLMSSP_AUTH packet 11 SMB with Activity Directory The picture clearly shows that there is an NTLMv2 response Is there a quicker way to determine NTLMv1 or NTLMv2... side to Lmcompatibilitylevel value 5 you must be absolutely sure that every Windows XP Client uses NTLMv2 or your phone will start ringing very often You can achieve this by changing the default domain controllers policy or by placing a GPO on an OU with servers When the server and client side are changed to NTLMv2 you have achieved the highest NTLM authentication possible Thus 15 SMB with Activity Directory... or NTLMv2 authentication? Yes We can do this by entering ntlmssp.ntlmv2response into the filter field Wireshark will filter out ntlmv2 traffic only 12 SMB with Activity Directory Back to our little problem We have a network running with XP clients and windows 2008 R2 server with default settings on GPO level We saw that NTLMv1 will be used for authentication and thus insecure We need to change this... the XP machines will authenticate by using NTLMv2 We can achieve this by change the Lmcompatibilitylevel value to 5 The best way to achieve this is by placing all Windows XP clients into an OU and configure a computer GPO policy 13 SMB with Activity Directory Or Note : You can choosen “Send LM & NTLM – user MTLMv2 session secureity if negotiated” 14 SMB with Activity Directory Before you change the ... fire up Wireshark and take a look what’s happening “on the wire” SMB with Activity Directory Windows XP client and Windows 2008 R2 server (default settings) In this scenario a Windows XP client... that if we have an XP client and a windows 2008 R2 server with default settings it will always use NTLMv1 If we use an Windows or Vista client and a windows 2008 R2 server it will use NTLMv2 Lets... XP machines will authenticate by using NTLMv2 We can achieve this by change the Lmcompatibilitylevel value to The best way to achieve this is by placing all Windows XP clients into an OU and