NTLM Authentication Disclosure Vulnerability Report


Dasmanish

Vulnerability Name: NTLM Authentication Disclosure of Internal System Information

Severity: High

Description:
This vulnerability occurs when a web application exposes internal system details, such as server names, domain names, and other sensitive information, through NTLM (NT LAN Manager) authentication headers in HTTP responses. Specifically, when a 401 Unauthorized status is returned in reply to the client's NTLM negotiate message, the WWW-Authenticate: NTLM header carries a challenge token that may leak valuable information if not handled properly. Attackers can use this information for reconnaissance and further attacks.

Risk: NTLM authentication tokens, when misconfigured, may disclose sensitive internal network details.

Exploitable Information:
- Internal domain names.
- Hostnames or IP addresses of internal systems.
- Misconfiguration of authentication mechanisms.

Common Impact:

- Reconnaissance: Attackers gain insight into the internal structure of the organization (e.g., domain names, hostnames).
- Privilege Escalation: Incorrect handling of NTLM tokens can allow attackers to replay or bypass authentication, gaining unauthorized access.
- Network Mapping: Leaking of internal details allows attackers to map the internal network architecture.

1. Scenario Setup

Imagine you are testing an internal web application (hosted at http://internal-app.example.com). The application is configured to use NTLM authentication for restricted resources. You suspect that NTLM tokens or headers might leak sensitive information.

2. Testing for NTLM Authentication Disclosure

Step 1: Make a Request to the Protected Resource

Try accessing a protected resource (e.g., /protected/resource) directly:

GET /protected/resource HTTP/1.1
Host: internal-app.example.com
User-Agent: Mozilla/5.0

Since this is a restricted resource, you should get a 401 Unauthorized response, which might include the WWW-Authenticate: NTLM header.

Step 2: Analyze the Response for NTLM Header

The response should look like:

HTTP/1.1 401 Unauthorized
Content-Type: text/html
WWW-Authenticate: NTLM

This header indicates that the server is using NTLM authentication. Once the client answers with an NTLM negotiate message, the WWW-Authenticate: NTLM header in the next 401 response carries a challenge token that, in many cases, includes additional information, such as:
- The server's internal domain name.
- The hostname or IP of the internal server.

Step 3: Send a Follow-Up Request with an NTLM Token

To test further, send a request carrying a dummy NTLM token or a previously captured one using a tool like curl (the token below is a base64-encoded NTLM negotiate, i.e. Type 1, message; -i prints the response headers so the WWW-Authenticate value is visible):

curl -i -X GET http://internal-app.example.com/protected/resource \
  -H "Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAAA="

If the server responds with another 401 Unauthorized status but includes a more detailed NTLM token in the WWW-Authenticate header, such as:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAFAAUABAAAAABgBCTEd0…….

This token might contain internal network details such as:
- Domain names (e.g., Domain: INTERNALDOMAIN).
- Hostnames (e.g., Host: server01.internal.local).
- Server versions (e.g., Server Version: 10.0).

Other variations worth sending:
- An empty NTLM token.
- A malformed or truncated NTLM token.

Step 4: Check for Information Leaks

Look for any identifiable information, such as:
- Internal domain names or IP addresses.
- Specific hostnames or service versions that are exposed.
- Any hints about the internal network topology.
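A defender-side check for this step, added here as an example and not code from the post: it decodes the NTLM challenge (Type 2) token a server places in WWW-Authenticate and lists the target name, NetBIOS/DNS names from the AV_PAIR list, and the OS version field, following the MS-NLMP message layout. The token it parses is constructed inline for the demo, not captured from any real host.

```python
"""Decode an NTLM CHALLENGE (Type 2) token and list what it discloses (MS-NLMP 2.2.1.2)."""
import base64, struct

AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
            4: "DNS domain", 5: "DNS tree"}                  # AV_PAIR ids that carry names

def parse_type2(b64_token):
    """Return a dict of the internal names and OS version a server leaks in its challenge."""
    msg = base64.b64decode(b64_token)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    leak = {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & 0x02000000 and len(msg) >= 52:                 # NTLMSSP_NEGOTIATE_VERSION
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        leak["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                                     # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:                                        # MsvAvEOL ends the list
            break
        if av_id in AV_NAMES:
            leak[AV_NAMES[av_id]] = msg[pos + 4:pos + 4 + av_len].decode("utf-16-le")
        pos += 4 + av_len
    return leak

def audit_header(www_authenticate):
    """Report what a WWW-Authenticate value discloses; {} for a bare 'NTLM' header."""
    scheme, _, token = www_authenticate.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return {}
    return parse_type2(token)

def build_sample_challenge():
    """Constructed Type 2 token for the demo; not captured from any real server."""
    u16 = lambda s: s.encode("utf-16-le")
    names = [(2, "CORP"), (1, "WEB01"), (4, "corp.example.local"), (3, "web01.corp.example.local")]
    av = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in names)
    av += struct.pack("<HH", 0, 0)                            # MsvAvEOL terminator
    target = u16("CORP")
    flags = 0x00000001 | 0x00000200 | 0x00800000 | 0x02000000  # UNICODE|NTLM|TARGET_INFO|VERSION
    hdr = (b"NTLMSSP\x00" + struct.pack("<I", 2)
           + struct.pack("<HHI", len(target), len(target), 56)    # payload starts at byte 56
           + struct.pack("<I", flags) + b"\x11" * 8 + b"\x00" * 8  # ServerChallenge, Reserved
           + struct.pack("<HHI", len(av), len(av), 56 + len(target))
           + struct.pack("<BBHBBBB", 10, 0, 17763, 0, 0, 0, 15))  # Version: Windows 10.0.17763
    return base64.b64encode(hdr + target + av).decode()
```

Run audit_header over the WWW-Authenticate value from your own server's second 401 response; every key it returns beyond target_name is a name or version string the server is handing to unauthenticated clients.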

3. Exploiting the Vulnerability (Replay Attack)

If an attacker can capture the NTLM token, they may attempt to replay it using tools like Responder or Impacket to perform an NTLM relay attack, potentially gaining unauthorized access to other systems within the network.

4. Mitigation

- Restrict NTLM exposure: Ensure that NTLM authentication is not used over untrusted networks. Use more secure alternatives like Kerberos or OAuth.
- Remove sensitive information from NTLM tokens: Misconfigurations in NTLM token generation should be fixed to avoid exposing domain names, internal hostnames, or system details.
- Use HTTPS: Ensure that sensitive information, such as authentication tokens, is only transmitted over HTTPS to avoid interception.
- Monitor NTLM traffic: Regularly monitor HTTP headers for improper NTLM token disclosures.

This vulnerability, when left unaddressed, can significantly impact the confidentiality and integrity of an organization’s internal network. By exposing sensitive information through NTLM tokens in 401 Unauthorized responses, attackers can gather valuable reconnaissance data to facilitate further attacks. Proper configuration and implementation of more secure authentication methods are necessary to mitigate this risk.

Tools Used:
- Burp Suite: Used for capturing and manipulating HTTP requests and responses.
- Curl: For testing HTTP requests and sending NTLM tokens manually.
- Nmap: For discovering open ports and potentially vulnerable services using the http-ntlm-info script.
- Impacket: For capturing and relaying NTLM tokens.