0

We are using samba configuration on our RedHat(RHEL7.9) systems, where SMB authentication is based on a NTLM password hash which basically a clear-text credential for a challenge-response authentication which getting stored in a separate attribute, sambaNTPassword in the LDAP(Oracle unified Directory) directory database.

So, Our security team carried out some pen-testing and found the MD4 which is used by our samba that can be intercepted as it carries weaker hash.

In addition to authentication, ensuring data integrity and encryption in transit are important parts of SMB security, which is again relying on MD4 hash.

Below is the sample of my samba configuration:

 cat /etc/samba/smb.conf

[global]
  log file                       = /var/log/samba/%m.log
  log level                      = 2
  max log size                   = 50
  netbios name                   = FDI0816
  server string                  = FDI0816.myorg.com
  workgroup                      = FDI

; ldap configuration
  invalid users                  = root +wheel
  encrypt passwords              = Yes
  guest account                  = nobody
  ldap admin dn                  = cn=sambaAdmin,ou=users,o=services
  ldap group suffix              = ou=Group
  ldap passwd sync               = only
  ldap ssl                       = no
  ldap suffix                    = ou=FDI,o=myorg
  ldap timeout                   = 4
  ldap user suffix               = ou=People
  map to guest                   = Bad User
  security                       = user
  passdb backend = ldapsam:"ldaps://ldap.FDI.myorg.com ldaps://ldap.rnd.myorg.com"

; client connection settings
  deadtime                       = 15
  dns proxy                      = No
  lm announce                    = No
  server min protocol            = SMB2

; shares default settings
  create mask                    = 0750
  directory mask                 = 2750
  posix locking                  = No
  strict allocate                = Yes
  unix extensions                = No
  wide links                     = Yes

; printers are disabled
  disable spoolss                = Yes
  load printers                  = No
  printcap name                  = /dev/null
  printing                       = bsd
  show add printer wizard        = No

[homes]
  browseable                     = No
  comment                        = Your Home
  create mode                    = 0640
  csc policy                     = disable
  directory mask                 = 0750
  public                         = No
  writeable                      = Yes

[proj]
  browseable                     = Yes
  comment                        = Project directories
  csc policy                     = disable
  path                           = /proj
  public                         = No
  writeable                      = Yes

[home]
  browseable                     = Yes
  comment                        = Project directories
  csc policy                     = disable
  path                           = /home
  public                         = No
  writeable                      = Yes

LDAP side user details with attribute:

Example:

Attribute Description       value
sambaNTPassword             0735509A0ED9A577BD7D8GG7BC1T
uidNumber                   32222
userPassword                {RBKBD4-HMAC-SHA512)...

Other details:

Samba Version: 4.10
Client side smb version: 2
Samba Server : RHEL7.9

If anyone came across this and have a solution, then I would like to seek the guidance or advice to mitigate the issue.

Post Update receiving Security assessment Document:

After reading and going through with pen-testing result, I came to know pen-tester was provided with the internal user-account for a user which is based on LDAP and discovered weaknesses for LDAP(Oracle Unified Directory) where they found "LDAP Anonymous Null Bind" hence they found it possible to retrieve critical information via LDAP service without having to supply any authentication credentials, since it also supports search requests with the NULL and empty, base objects thus an unauthenticated attacker may exploit and get the information even any prior knowledge of LDAP.

So, gained access to the LDAP Server as it was allowing the NUll/empty base connections to LDAP Server and dumped all the LDAP DATA where easily got all the Password information for userPassword & sambaNTPassword.

In order to perform the "pass-the-hash" attack, the tool "Mimikatz" and the browser "Internet Explorer" were used.

However, interesting here to highlight, to get access to the Organization they required VPN access from outside, thus they used meterpreter tool to bypass the same with the reverse https connection paylod.

Karn Kumar
  • 105
  • 4

1 Answers1

2

NT password hashes use MD4 and there's nothing you can do about that.

But you have already mitigated the issue of network interception by using ldaps, which is LDAP secured with TLS. Unless something is very wrong with your TLS configuration, these hashes cannot be intercepted from the network. I would be most interested to hear the details of how your security team broke TLS.

The only other ways to get at these password hashes is with direct local access to the LDAP servers, or if there is an access control failure that would allow someone to query them. You didn't mention anything about these, though.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • thank you so much for the explanation, i'm waiting for the detailed report from security team on this but one thing i know they ran pen-testing from the company network only not from the outside, i will Edit my post with the details once i get the details. – Karn Kumar Aug 05 '21 at 17:23
  • @ Michale , i have updated some more information on the Post. – Karn Kumar Aug 19 '21 at 10:50
  • @KarnKumar: I'm pretty sure there's more to this. It isn't uncommon to allow anonymous bind to rootDSE to obtain basic infrastructure information. – Greg Askew Aug 19 '21 at 11:23
  • @GregAskew, You are right there may more, they accessed the servers while getting access to the LDAP server first via anonymous bind and then got the user Information from the Database where they found `sambaNTPassword` and `userPassword` which they easily cracked via `hashdump` to decrypt the information as they say, so they got access to other systems, and also they found loose sudo rules which they easily can use to elevate root access. – Karn Kumar Aug 19 '21 at 12:09