2024-11-22 –, Ngaio Marsh Theatre
Microsoft is planning to kill off NTLM (New Technology Lan Manager) authentication in Windows 11 and above. Let's speedrun coercing hashes out of a few more things before it fades into obscurity over the next twenty five years or so.
There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs. We’ll also uncover some defaults that simply shouldn't exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls.
This talk is based on a series of unexpected discoveries that spiraled into a full-blown research project after a coworker innocently suggested I provide an NTLM challenge to what I thought was simple blind SSRF (Server Side Request Forgery). Several round trips to the MSRC (Microsoft Security Response Centre) and bug bounties later, we came up for air with a new appreciation on how to coerce NTLM authentication out of applications with a minimum amount of fuss.
While capturing a Net-NTLMv2 hash on a web application penetration test can be a good finding, being able to coerce hashes on port 80 in an internal network can be absolutely devastating and result in large amounts of lateral movement and privilege escalation within a domain.
This talk will be beneficial to pentesters, security researchers, bug hunters and red teamers as we deep dive into Windows authentication and bypassing trusted zones. There will be ideas for weird and wonderful places for the red team to to try and find NTLM hashes. For the blue team, there will be details on what you need to be looking for and securing in your environment. We will also have a closer look at some of the legacy Win32 APIs to find out why Windows can't do anything without trying to authenticate.
jim:
I'm a former software developer who has somehow ended up hacking things for a living, which is infinitely more fun as most of you know. I'm an active security researcher with several CVEs, including Blackboard, Moodle, Nuget, MS-Office and Kramer products.
tomais:
I'm an enthusiastic hacker who enjoys CTFs and have competed at an international level in the ICC CTF as well as being part of the CursedCTF 2024 winning team. I'm also an active security researcher with a bunch of CVEs and countless other bugs for a bunch of 'solved problems' in security.
Tomais is a Welly hacker that loves making computers do the wrong things. He is a part of the FrenchRoomba and Team Oceania CTF teams, and has been in the security industry since escaping university.