
Authenticated Services

New Technology LAN Manager (NTLM) is the suite of security protocols used to authenticate users' identities in Active Directory. NTLM can be used for authentication through a challenge-response scheme called NetNTLM. This authentication mechanism is heavily used by the services on a network.

  • Services that use NetNTLM can be exposed to the Internet, for example:
    • Internally hosted Exchange (mail) servers that expose an Outlook Web App (OWA) login portal.
    • The Remote Desktop Protocol (RDP) service of a server that is exposed to the Internet.
    • Exposed VPN endpoints that are integrated with Active Directory.
    • Internet-facing web applications that make use of NetNTLM.

All authentication material is forwarded to a domain controller in the form of a challenge, and if the challenge is completed successfully, the application authenticates the user.

The application authenticates on behalf of the user rather than authenticating the user directly against the application itself. This prevents the application from storing Active Directory credentials, which should only be stored on a domain controller.
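The three-party flow described above (client, exposed application, domain controller) as an added toy model; this is not code from the original page and not the real protocol. The stand-ins are assumptions: HMAC-SHA256 replaces the NT-hash and HMAC-MD5 construction of real NetNTLM, and the account names and passwords are constructed. What the model preserves is the trust structure: the application issues a challenge and relays the response, but only the domain controller holds anything that can verify it.

```python
import hashlib
import hmac
import os

# Toy model of the NetNTLM trust relationship. Stand-in primitives (assumption):
# HMAC-SHA256 replaces the NT-hash / HMAC-MD5 construction of the real protocol.


def derive_secret(password: str) -> bytes:
    """Stand-in for the NT hash: the only long-term secret, kept on the DC."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(secret: bytes, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Response bound to the server's challenge and the client's own nonce."""
    return hmac.new(secret, server_challenge + client_nonce, hashlib.sha256).digest()


class DomainController:
    """Holds the credential database; the only party able to verify a response."""

    def __init__(self, accounts):
        self._secrets = {user: derive_secret(pw) for user, pw in accounts.items()}

    def validate(self, user, server_challenge, client_nonce, response) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, server_challenge, client_nonce)
        return hmac.compare_digest(expected, response)


class Application:
    """An exposed service (OWA, RDP, VPN, ...) that stores no AD credentials."""

    def __init__(self, dc: DomainController):
        self._dc = dc

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user, server_challenge, client_nonce, response) -> bool:
        # The application only relays what it received; it has no password or
        # hash of its own, so verification can only happen on the DC.
        return self._dc.validate(user, server_challenge, client_nonce, response)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self._secret = derive_secret(password)

    def answer(self, server_challenge: bytes):
        nonce = os.urandom(8)
        return nonce, compute_response(self._secret, server_challenge, nonce)


def login(app: Application, client: Client) -> bool:
    """One full exchange: challenge from app, response from client, verdict from DC."""
    challenge = app.new_challenge()
    nonce, response = client.answer(challenge)
    return app.authenticate(client.user, challenge, nonce, response)


def demo() -> dict:
    # Constructed account; the DC is the only party that ever sees it.
    dc = DomainController({"alice": "correct horse battery staple"})
    app = Application(dc)
    good = login(app, Client("alice", "correct horse battery staple"))
    bad = login(app, Client("alice", "wrong password"))
    unknown = login(app, Client("mallory", "anything"))
    # A response computed for one challenge is useless against a fresh one.
    challenge = app.new_challenge()
    nonce, response = Client("alice", "correct horse battery staple").answer(challenge)
    replay = app.authenticate("alice", app.new_challenge(), nonce, response)
    return {"good": good, "bad": bad, "unknown": unknown, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The `Application` class has no field in which a password or hash could live, which is the design property the section is describing: compromising the exposed service does not hand over the directory's credential store.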

Brute-Force

Brute-forcing is only possible if we recovered valid credentials during our enumeration.

Most Active Directory environments have account lockout configured. These types of attacks can be detected due to the number of failed authentication attempts.
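The detection the paragraph above points at, as an added example that is not part of the original page: a sliding-window count of failed NTLM credential validations per account, run over constructed domain controller events. The field layout follows the Windows Security event a DC records for NTLM validation (Event ID 4776, with its error code); the accounts, hosts, timestamps and the threshold and window values are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Error codes carried by Event ID 4776 on a domain controller.
FAILURE_CODES = {
    "0xC000006A": "bad password",
    "0xC0000064": "no such account",
    "0xC0000234": "account locked out",
}

# Constructed sample: (timestamp, event id, target account, source workstation, error code).
# "bob" fails five times in five seconds and is locked out; "carol" fails three
# times spread over an hour, which stays under the window threshold.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4776, "alice", "OWA01", "0x0"),
    ("2024-05-01T09:00:05", 4776, "bob", "OWA01", "0xC000006A"),
    ("2024-05-01T09:00:06", 4776, "bob", "OWA01", "0xC000006A"),
    ("2024-05-01T09:00:07", 4776, "bob", "OWA01", "0xC000006A"),
    ("2024-05-01T09:00:08", 4776, "bob", "OWA01", "0xC000006A"),
    ("2024-05-01T09:00:09", 4776, "bob", "OWA01", "0xC000006A"),
    ("2024-05-01T09:00:10", 4776, "bob", "OWA01", "0xC0000234"),
    ("2024-05-01T09:20:00", 4776, "carol", "VPN01", "0xC000006A"),
    ("2024-05-01T09:45:00", 4776, "carol", "VPN01", "0xC000006A"),
    ("2024-05-01T10:15:00", 4776, "carol", "VPN01", "0xC000006A"),
    ("2024-05-01T10:30:00", 4776, "dave", "OWA01", "0x0"),
]


def detect_failed_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for accounts whose failures within `window` reach `threshold`,
    plus one alert per observed lockout. Threshold and window are assumptions."""
    alerts = []
    recent = defaultdict(deque)  # account -> timestamps of failures inside the window
    already_flagged = set()
    for ts, event_id, account, source, code in sorted(events):
        if event_id != 4776 or code not in FAILURE_CODES:
            continue  # successful validation or unrelated event
        t = datetime.fromisoformat(ts)
        if code == "0xC0000234":
            alerts.append({"kind": "lockout", "account": account, "source": source,
                           "failures": None, "at": ts})
            continue
        q = recent[account]
        q.append(t)
        while q and t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and account not in already_flagged:
            already_flagged.add(account)
            alerts.append({"kind": "threshold", "account": account, "source": source,
                           "failures": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(SAMPLE_EVENTS):
        print(alert)
```

Counting per account inside a time window, rather than over the whole day, keeps the rule aligned with how account lockout policies are evaluated and avoids flagging a user who mistypes a password a few times across a morning.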