NTLM
Drop the MIC – CVE-2019-1040
As announced in our recent security advisory, Preempt researchers discovered how to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including ...
Your Session Key is My Session Key: How to Retrieve the Session Key for Any Authentication
As announced in our recent security advisory, Preempt researchers discovered a critical vulnerability which allows attackers to retrieve the session key for any NTLM authentication and establish a signed session against any ...
Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise
On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol) ...
What State-Sponsored Attacks Can Teach Us About Conditional Access
Nir Yosha | Attack Tools, Conditional Access, Credential Compromise, Hacking, lateral movement, NTLM, Privileged Accounts, Ransomware
People often think that state-sponsored attacks from groups like Lazarus (North Korea), Fancy Bear (Russia) or menuPass (China) only target public federal organizations in Western nations like the U.S. This is simply ...
New Microsoft Exchange Vulnerability Exposes Domain Admin Privileges: Here’s What to Do
Last week, the CERT Coordination Center (CERT/CC) issued a vulnerability note warning that versions of Microsoft Exchange 2013 and newer are vulnerable to an NTLM relay attack that allows attackers to gain ...
The Security Risks of NTLM: Proceed with Caution
NTLM (NT LAN Manager) is Microsoft's old authentication protocol that was replaced with Kerberos starting with Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between ...
Ever Run a Relay? Why SMB Relays Should Be On Your Mind
Time is never on your side when you’re onsite with a client, and trying to get the first good foothold with admin privileges can seem impossible. However, some things seem to work ...
Stealing Password Hashes with Java and IE
Consider for a moment the state of client-side bugs 5 or 6 years ago. Attacks such as this, a multi-stage miscellany of IE and Mediaplayer bugs that resulted in the "silent delivery ...