- Which tool should I use to check which NTLM authentication is used? Consider the fact that I am a user of the web application and not the owner.
- Are there any security concerns if a site uses NTLM authentication compared to form-based authentication?
1 Answer
Forms-based authentication over proper, validated TLS is the modern way forward for web application authentication that requires non-SSO (Single Sign On) capabilities (e.g., SAML, OpenID, OAuth2, FIDO, et al).
NTLM authentication is only utilized in legacy networks. Microsoft no longer turns it on by default since IIS 7. Microsoft Domains and/or Forests with a Windows Server 2012 R2 functional level do not even support NTLM authentication by default. Thus, its use is contraindicated.
Cleartext authentication, such as via non-SSL/TLS HTTP, will result in compromise of the web app's credentials -- regardless of how strong the NTLM authentication (or other authentication) is, primarily because of Man-in-the-Middle (MITM) scenarios, but also for many other credential-collecting reasons (see the net-creds or the PCredz tools).
If you want to see what NTLM looks like on the wire (MITM scenario optional), check out this blog post which states the following:
The essential difference between NTLM and NTLMv2 is how the response is calculated. NTLM uses MD4 and DES in a weak way which is well known (5 NULL bytes yada yada yada); NTLMv2 uses HMAC-MD5 based on more than just the password and challenge, which is where the "blob" comes in. So that's covered off the "challenge", "HMAC-MD5" and "blob" that's missing from the John hash I'm having to build up from scratch.
The author then goes on to show an HTTP message with the Wireshark tool.
In some scenarios, I believe it is possible to reverse which exact NTLM protocol is in use by just connecting to an HTTP-NTLM authenticating web server.
As seen in the book, Network Security Assessment, 3rd Edition:
root@kali:~# telnet 192.168.0.10 80
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
GET / HTTP/1.1
Host: iis-server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Mon, 09 Jul 2007 19:03:51 GMT
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAADgAOADAAAAAFgoGg9IrB7KA92AQAAAAAAAAAAGAAYAA+AAAAVwBJAEQARwBFAFQAUwACAA4AVwBJAEQARwBFAFQAUwABAAgATQBBAFIAUwAEABYAdwBpAGQAZwBlAHQAcwAuAGMAbwBtAAMAIABtAGEAcgBzAC4AdwBpAGQAZwBlAHQAcwAuAGMAbwBtAAAAAAA=
Content-Length: 4033
Content-Type: text/html
Upon decoding the data, the following strings are revealed:
NTLMSSP0
WIDGETS
MARS
widgets.com
mars.widgets.com
To understand those variables and further HTTP-based NTLM authentication, check out the resources here -- http://www.innovation.ch/personal/ronald/ntlm.html -- as well as in the old presentation on Cracking NTLMv2 Authentication -- http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt (for the different NTLM SSP provider internals)
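As an added example (not code from the answer or from the book it quotes), the decoding step above done programmatically: the WWW-Authenticate value from the transcript is parsed as an NTLM CHALLENGE_MESSAGE (Type 2) per the MS-NLMP layout, giving the NegotiateFlags (including whether NTLMv2 session security was selected), the server challenge, the target name and the AV pairs that leak the NetBIOS and DNS names. Flag and AvId names follow MS-NLMP; the OEM charset fallback (cp437) is an assumption.

```python
import base64
import struct

# NegotiateFlags of interest (MS-NLMP 2.2.2.5); 0x80000 means NTLMv2 session security was selected
FLAGS = {0x1: "UNICODE", 0x200: "NEGOTIATE_NTLM", 0x8000: "ALWAYS_SIGN",
         0x10000: "TARGET_TYPE_DOMAIN", 0x20000: "TARGET_TYPE_SERVER",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "NEGOTIATE_TARGET_INFO",
         0x2000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128", 0x80000000: "NEGOTIATE_56"}
# AvId values of the AV_PAIR structures in TargetInfo (MS-NLMP 2.2.2.1)
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
          4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
# Challenge header copied from the telnet transcript in the answer above
PAGE_CHALLENGE = ("Negotiate TlRMTVNTUAACAAAADgAOADAAAAAFgoGg9IrB7KA92AQAAAAAAAAAAGAAYAA+AAAA"
                  "VwBJAEQARwBFAFQAUwACAA4AVwBJAEQARwBFAFQAUwABAAgATQBBAFIAUwAEABYAdwBpAGQA"
                  "ZwBlAHQAcwAuAGMAbwBtAAMAIABtAGEAcgBzAC4AdwBpAGQAZwBlAHQAcwAuAGMAbwBtAAAAAAA=")


def parse_challenge(header_value):
    """Parse a WWW-Authenticate value carrying an NTLM CHALLENGE_MESSAGE (Type 2)."""
    msg = base64.b64decode(header_value.split()[-1])
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 (CHALLENGE) message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)  # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]             # NegotiateFlags
    challenge = msg[24:32]                                   # ServerChallenge
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)  # TargetInfoFields
    # TargetName follows the UNICODE flag (OEM charset assumed cp437); AV_PAIR strings are always UTF-16LE
    name_enc = "utf-16-le" if flags & 0x1 else "cp437"
    target_name = msg[tn_off:tn_off + tn_len].decode(name_enc)
    av_pairs, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                                       # MsvAvEOL ends the list
            break
        raw, pos = msg[pos:pos + av_len], pos + av_len
        if av_id == 7:                                       # MsvAvTimestamp is a FILETIME
            av_pairs["Timestamp"] = struct.unpack("<Q", raw)[0]
        else:
            av_pairs[AV_IDS.get(av_id, f"AvId{av_id}")] = raw.decode("utf-16-le")
    return {
        "flags": flags,
        "flag_names": sorted(n for b, n in FLAGS.items() if flags & b),
        "server_challenge": challenge.hex(),
        "target_name": target_name,
        "target_info": av_pairs,
        # Selected only if the client's NEGOTIATE asked for it; the transcript's Type 1 did not,
        # so False here does not by itself prove the server lacks NTLMv2 support
        "ntlmv2_session_security": bool(flags & 0x80000),
    }
```

For the transcript's header this yields target name WIDGETS, flags 0xa0818205 and the four NetBIOS/DNS AV pairs shown above, with no MsvAvTimestamp and no Version field in the message.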
No NTLM in 2012 R2 domains? Only if you are added to the Protected Users group. – Chalky Apr 20 '21 at 19:08