Security researchers have unveiled three methods of exploitation to access NTLM v2 hashed passwords. Among these vulnerabilities, one stands out as particularly critical: CVE-2023-35636, an Outlook exploit that exposes sensitive information.
CVE-2023-35636 is a security vulnerability found in Microsoft Outlook, specifically in the calendar sharing function. This exploit enables attackers to intercept NTLM v2 hashes, which are used for authentication in Microsoft Windows systems. NTLM v2, although more secure than its predecessor, is still susceptible to offline brute-force and authentication relay attacks.
Attackers can use NTLM v2 hashes in two primary attack scenarios:
1. Offline Brute-Force Attack: In this type of attack, attackers have access to the NTLM v2 hash and attempt to crack the user’s password by trying various combinations until a match is found. This attack is virtually undetectable as it leaves no network traces.
2. Authentication Relay Attack: In an authentication relay attack, attackers intercept NTLM v2 authentication requests and relay them to a different server, potentially gaining unauthorized access to the victim’s intended server.
PoC Workability
This can be exploited by adding specific headers to an email, directing Outlook to share content and contact a designated machine. This manipulation creates an opportunity for attackers to intercept NTLM v2 hashes during the authentication process. The exploit requires two headers: “Content-Class” and “x-sharing-config-url,” which point to the attacker’s machine.
Other Attack Vectors: WPA and Windows File Explorer
Attackers can leverage Windows Performance Analyzer (WPA) and Windows File Explorer to gain access to NTLM v2 hashes. By exploiting URI handlers and specific parameters, attackers can trick these applications into revealing sensitive information.
Microsoft has patched this vulnerability during December 2023 patch Tuesday , categorizing it as important. However, the vulnerabilities associated with WPA and Windows File Explorer have been deemed of medium severity by Microsoft.
To safeguard your systems and data from NTLM v2 attacks, consider implementing the following security measures:
1. SMB Signing: Enable SMB signing to protect SMB traffic from tampering and man-in-the-middle attacks. This feature digitally signs all SMB messages, allowing recipients to detect and reject any tampered messages.
2. Block Outgoing NTLM v2: Starting with Windows 11 (build 25951), you can block outgoing NTLM authentication, adding an extra layer of security.
3. Force Kerberos Authentication: Whenever possible, enforce Kerberos authentication and block NTLM v2 at both the network and application levels. This helps prevent the use of NTLM v2 where it is not required.
This research was documented by the researchers from Varonics
