Portal Login method is this a problem?

  • Portal Login method is this a problem?

    Company X has a portal login on their webserver for employee and vendor logins. Sniffing the traffic after logging in as an employee I see that the password is sent as NTLM hash.

    Since the hash itself is being sent cleartext it can be intercepted and then run against a set of rainbow tables, etc. I imported the .pcap into Cain and gave the cracker a custom set of alphanumerics and did "crack" the hash.

    But what are the other issues? Could this hash also just be spoofed by someone else and sent to the server and then a 3rd party could gain entry?

    This isn't my area of expertise so if you've got comments I'd love to hear them.

  • #2
    Re: Portal Login method is this a problem?

    Probably, sounds similar to a session replay attack. Definitely a poor security design.



    • #3
      Re: Portal Login method is this a problem?

      If their application supports it they should probably be using NTLMv2 instead of NTLM. That can be configured via a GPO or local security policy on the server itself.
      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



      • #4
        Re: Portal Login method is this a problem?

        SSL is pretty cheap these days :-)

        And yes, +1 to NTLMv2
        Network Jesus died for your SYN



        • #5
          Re: Portal Login method is this a problem?

          As NTLM auth uses a challenge/response set, it won't be possible to directly run it against rainbow tables after sniffing a direct connection, as you won't know the challenge up front. You can of course do a MITM via dnsspoof and, while posing as the server being authenticated to, you can send your own non-random challenge for which you have generated/downloaded rainbow tables and receive a password hash with a known challenge. Yet as you have apparently cracked the hash, I assume this is the method you used.

          Also, even with SSL and NTLMv2 it's still possible to capture a hash using a MITM attack and posing as the portal server (as users will always click 'ignore certificate warning'), however cracking NTLMv2 is a bit less feasible, yet still entirely possible. So it all comes down to user awareness again.
          A direct replay of the type 3 authentication packet is also infeasible because of this challenge/response system.

          I'm with bjaming on using SSL, any sort of authentication over plain old HTTP is a big no-no these days, even NTLMv2. Also it's very important to force the use of only NTLMv2 and not just 'prefer' it, as someone in the traffic path can easily force a downgrade to NTLM or LM then.



          • #6
            Re: Portal Login method is this a problem?

            I ran wireshark on the same computer that I used to login. I then imported the pcap into Cain and basically gave it the password and pressed go. It ran through the iterations and came back with the password.

            I'll look into what else is going on to see how much trouble we're really in for.
