Tag Archive: NTLM


Full article:

https://401trg.com/an-introduction-to-smb-for-network-security-analysts/

 

Introduction:

At its most basic, SMB is a protocol to allow devices to perform a number of functions on each other over a (usually local) network. SMB has been around for so long and maintains so much backwards compatibility that it contains an almost absurd amount of vestigial functionality, but its modern core use is simpler than it seems. For the most part, today SMB is used to map network drives, send data to printers, read and write remote files, perform remote administration, and access services on remote machines.

SMB runs directly over TCP (port 445) or over NetBIOS (usually port 139, rarely port 137 or 138). To begin an SMB session, the two participants agree on a dialect, authentication is performed, and the initiator connects to a ‘tree.’ For most intents and purposes, the tree can be thought of as a network share.[1] The PCAP below, shown in Wireshark, demonstrates a simple session setup and tree connect. In this case, the machine 192.168.10.31 is connecting to the “c$” share (equivalent to the C:\ drive) on the 192.168.10.30 machine, which is called “admin-pc

 

Advertisements

When you connect to remote Server Message Block (SMB) services shares by using \\192.x.y.z\share name, Kerberos is not used, and the Internet Protocol (IP) SMB file share access does not use Kerberos. A network trace shows the following Kerberos error in the KRB_ERROR: Server not found in Kerberos database

Cause:

By default, Microsoft Windows Server 2003 and Microsoft Windows 2000 try to use Kerberos as the security provider. When a client uses Kerberos to authenticate itself to a server, the client requests a session ticket for the Service Principal Name (SPN). IP addresses are not names, so Kerberos is not used. After this occurs, the server goes through the list of the other supported security providers.

Status:

This behavior is by design.
IP addresses typically change, and it is not workable to add these addresses as SPNs. An SPN can be one of the following:

•The DNS name for the domain.
•The DNS name of a host.
•The distinguished name of a service connection point object.

Some interesting sites:

Windows 10 security hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove users accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privilege.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

 

Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure Baseline check list: https://adsecurity.org/?p=3299

Hardening Windows domain, secure Baseline check list:

Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:

 

List of items
Setting Up Jump server
Domain joining of all windows boxes
Proper account Management Based on privileges
Usage of service accounts to run application instead of local system accounts
Review of existing AD accounts/Deletion of Unnecessary Accounts/ Review Ou structuring/GPO etc
HoneyToken Account Creation in Local boxes as well domain
GPO changes for disabling guest accounts across system,restricted RDP mode,Password Policy changes,disabling internet in member servers
GPO for Jump server implementation based on PAW GPO settings
Rename existing builtin Administrator account and lockdown
Sysmon deployment and WEF setup (WEC for symon events)
Ping castle review to assess the AD security
FGPP implementation
LAPS Implementation
Process for proper cleanup of unused AD accounts
Reset of krbtgt account,domain admins account,It administrators account

One of the issues we run into when requesting new certificates from ADCS is the dreaded 401 Unauthorized issue with Certsrv.

Symptom

  1. Type the URL for your Certificate Server
    http://server/certsrv
  2. You are prompted for administrator credentials
  3. You enter said credentials
  4. You are again prompted for administrator credentials
  5. You enter said credentials
  6. You are presented with a 401 Unauthorized error message
  7. You bang your head against your desk in frustration

Cause

The IIS server is not negotiating your credentials correctly.

Solution

http://blog.armgasys.com/?p=250

 

 

 

NTLM-SMB flow

On Windows/Samba computers, here is a table to list all LM compatiblity level registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Lsa/MSV1_0/LmCompatbilityLevel” to “3”

NTLM

GPO setting:

gpo-lmcompatiblitylevel