Given that the concept - and the field - of "cybersecurity" has been around for decades, it would be easy to think that we have made major strides in that field since the first person had the idea that digital systems should maybe be protected. And while that may be true for some, sometimes today's cybersecurity looks no different than it did in the '90s. This is just one of many examples...
Recently, I performed an "Assumed Breach" pentest for a client. I was provided with a low-privileged user account for their Windows domain as well as VPN access to their network. Pretty quickly, I figured out that they were quite resilient against most of the usual quick wins - a (mostly) hardened domain controller, no Active Directory Certificate Services (ADCS), no overly permissive Access Control Lists (ACLs). So I spent a bit more time on reconnaissance. And soon after, I found something very useful indeed. On a publicly accessible network share, there were the installation files of a program that accesses a database. Among other things, there was a .config file with connection information for a database server. And apparently, that access was done with a domain account. Meaning, contained in that .config were a username and cleartext password for another account in the client's Active Directory domain.
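The finding above is the kind of thing a defender can look for proactively. The following is an added example, not code from the original post: a small Python scanner that parses a .NET-style App.config/Web.config (an assumption, since the post only says ".config") and reports connection strings and appSettings that embed a cleartext password, without echoing the secret itself. The sample config, server names, account and password are constructed placeholders.

```python
"""Flag cleartext credentials in .NET-style .config files (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of a .NET App.config. Server, database,
# account and password are placeholders, not values from any real environment.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="ReportingDb"
         connectionString="Server=db01.corp.example;Database=Reports;User Id=CORP\\svc_reports;Password=Sup3rS3cret!;"
         providerName="System.Data.SqlClient" />
    <add name="AuditDb"
         connectionString="Server=db02.corp.example;Database=Audit;Integrated Security=True;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <add key="DbPassword" value="AnotherCleartext1" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
"""

# ADO.NET accepts several spellings of the password and user keywords.
PASSWORD_KEYS = {"password", "pwd"}
USER_KEYS = {"user id", "uid", "user", "username"}
SECRET_SETTING = re.compile(r"(password|passwd|pwd|secret)", re.IGNORECASE)


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict with lowercase keys."""
    parts: Dict[str, str] = {}
    for chunk in cs.split(";"):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def scan_config(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per cleartext credential; the secret is never stored."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)

    for add in root.iterfind("./connectionStrings/add"):
        cs = parse_connection_string(add.get("connectionString", ""))
        pw_key = next((k for k in cs if k in PASSWORD_KEYS), None)
        if pw_key and cs[pw_key]:
            user = next((cs[k] for k in cs if k in USER_KEYS), "<unknown>")
            findings.append({
                "where": f"connectionStrings/{add.get('name')}",
                "account": user,
                "issue": "cleartext password in connection string",
            })
        # "Integrated Security=True" (Windows auth, no password) is the fix
        # for the pattern found on the share, so it produces no finding.

    for add in root.iterfind("./appSettings/add"):
        key = add.get("key", "")
        if SECRET_SETTING.search(key) and add.get("value"):
            findings.append({
                "where": f"appSettings/{key}",
                "account": "<unknown>",
                "issue": "credential-looking value in appSettings",
            })
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"{f['where']}: {f['issue']} (account {f['account']})")
```

Run it over every .config found on file shares; each hit is an account whose password should be rotated and whose application should be moved to integrated authentication or a secrets store.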
So, the first thing I did was to try to use the credentials I found to log on to the database server described in the aforementioned .config file.
Not only did it work, the account also was equipped with local administrative privileges on the database server.
That was step one.
Secondly, I dumped the local Security Accounts Manager (SAM) database to get the password hashes of local user accounts.
With that, step two was complete.
Among them was the NTLM hash of the local default administrative account named Administrator.
Disclaimer: Using NTLM authentication is not recommended anymore. Microsoft recommends disabling it completely and relying purely on Kerberos authentication. However, among over a hundred Windows infrastructures that I have seen, only a single one had NTLM disabled. This is just one of many examples of companies lagging far behind the state of the art of cybersecurity.
I then used the hash for hash spraying, a variation of password spraying that uses the password hash (via a technique called Pass-the-Hash) instead of the cleartext password.
And yes, NTLM hashes can be used for authentication just as well as cleartext passwords.
No amount of password strength can protect against that.
I found that almost all servers used the same password for their local Administrator account, allowing me to log in.
Even worse than that, among those servers was the domain controller of the client's domain.
I used Pass-the-Hash (PtH) to log in.
Step three complete.
Domain 0wned.
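The spraying step leaves a distinctive trace in the Windows Security log: a single account authenticating with the NTLM package over network logons (Event ID 4624, logon type 3) to many different hosts from one source address within minutes. The following is an added example, not from the original post: a Python heuristic over constructed 4624 records flattened to CSV (the column layout, hostnames, addresses and timestamps are all made up for this example) that flags such a burst, which is exactly the kind of detection a SOC would want for local-Administrator password reuse.

```python
"""Heuristic detection of NTLM hash/password spraying across hosts (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of successful-logon (4624) records exported to CSV.
# Real events carry more fields; this is the subset the heuristic needs.
SAMPLE_EVENTS = """\
time,computer,event_id,logon_type,auth_package,account,source_ip
2024-05-02T09:00:05,FS01,4624,3,NTLM,Administrator,10.0.5.23
2024-05-02T09:00:07,APP02,4624,3,NTLM,Administrator,10.0.5.23
2024-05-02T09:00:09,SQL01,4624,3,NTLM,Administrator,10.0.5.23
2024-05-02T09:00:12,DC01,4624,3,NTLM,Administrator,10.0.5.23
2024-05-02T09:01:00,WS104,4624,3,Kerberos,jsmith,10.0.7.41
2024-05-02T09:15:00,FS01,4624,3,NTLM,backupsvc,10.0.9.10
2024-05-02T11:30:00,APP02,4624,3,NTLM,Administrator,10.0.5.23
"""

Event = Dict[str, str]
Hit = Tuple[str, str, List[str]]  # (source_ip, account, distinct hosts)


def parse_events(text: str) -> List[Event]:
    """Load the CSV export and order it by time (ISO-8601 sorts lexically)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["time"])
    return rows


def find_ntlm_spray(events: List[Event], min_hosts: int = 3,
                    window: timedelta = timedelta(minutes=10)) -> List[Hit]:
    """Report (source, account) pairs that reached >= min_hosts distinct
    computers via NTLM network logons inside any sliding time window."""
    buckets: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        if (e["event_id"] == "4624" and e["logon_type"] == "3"
                and e["auth_package"] == "NTLM"):
            buckets[(e["source_ip"], e["account"])].append(e)

    hits: List[Hit] = []
    for (src, acct), evs in buckets.items():
        best: List[str] = []
        start = 0
        for end in range(len(evs)):
            t_end = datetime.fromisoformat(evs[end]["time"])
            # Drop events that fell out of the window ending at t_end.
            while datetime.fromisoformat(evs[start]["time"]) < t_end - window:
                start += 1
            hosts = sorted({x["computer"] for x in evs[start:end + 1]})
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits.append((src, acct, best))
    return hits


if __name__ == "__main__":
    for src, acct, hosts in find_ntlm_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{acct} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune `min_hosts` and `window` to the environment; a built-in Administrator account legitimately logging on over the network to several servers within minutes is rare enough that a hit deserves a look, and the alert is also a pointer to exactly the hosts that share a local Administrator password.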
Ignoring the time spent on reconnaissance and trial-and-error, the above-described attack, beginning to end, would be feasible in a few minutes.
Hell, maybe you could pull it off in 60 seconds if your life was on the line.
The two main issues here were the storage of cleartext passwords and the reuse of passwords.
Problems that we have had, and that hackers have exploited, since the '90s or even earlier.
And believe me when I say that this is far from a fringe case.
I have seen a lot of stories like this - maybe I will share some more of them here in the future.
In my experience, this is the norm, even in a lot of major corporations.
While we have fancy EDRs, IDSs, SIEMs, SOCs and whatnot, we should remember never to neglect the basics.
Detecting hackers is good, preventing them before that becomes necessary is even better.