ID02 | NTLMv1
NTLMv1 is an obsolete and highly vulnerable version of the NTLM authentication protocol.
References:
- TrustedSec (Practical Attacks against NTLMv1)
- praetorian (NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade attack)
Table of available actions, states, and targets

| Vulnerability ID | Trigger available | Default state | Default target |
|---|---|---|---|
| 02 \| NTLMv1 | No | Absent | srv01 |
Launch
Enable
```bash
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/02.yml --extra-vars "action=enable"
```
Disable
```bash
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/02.yml --extra-vars "action=disable"
```
Implementation
Enable
NTLMv1 can be enabled locally or by GPO.
For now, the local method is used: the playbook modifies the registry directly.
The `LmCompatibilityLevel` registry value is set to 2, meaning clients send NTLMv1 responses only.
Tip
If the value is 2 or below, NTLMv1 is used.
Reference:
Disable
By setting `LmCompatibilityLevel` to 3, clients send NTLMv2 responses only.
Reference:
Customization
You can choose a target other than the default one.
- host_name = dc01 | srv01 | srv02
- action = enable | disable
Example with srv01:
```bash
# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/02.yml --extra-vars "action=enable host_name=srv01"
```
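The following playbook is an added illustration of how the `action` and `host_name` variables described above can drive the registry change; it is not the project's own `playbooks/vulnerabilities/02.yml`. It assumes the `ansible.windows` collection is installed, that the inventory defines WinRM-reachable hosts named `dc01`, `srv01` and `srv02`, and that the `lm_levels` mapping and the final read-back task are additions of this example.

```yaml
# Added example, not the project's playbooks/vulnerabilities/02.yml.
# Assumed: ansible.windows collection installed; inventory hosts dc01, srv01, srv02.
- name: "ID02 | NTLMv1 - toggle LmCompatibilityLevel on a lab host"
  hosts: "{{ host_name | default('srv01') }}"
  gather_facts: false
  vars:
    # action=enable  -> level 2: clients send NTLMv1 responses only
    # action=disable -> level 3: clients send NTLMv2 responses only
    lm_levels:
      enable: 2
      disable: 3
  tasks:
    - name: Refuse unknown or missing actions before touching the registry
      ansible.builtin.assert:
        that: (action | default('')) in lm_levels
        fail_msg: "action must be 'enable' or 'disable', got '{{ action | default('') }}'"

    - name: Set LmCompatibilityLevel under the Lsa key
      ansible.windows.win_regedit:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
        name: LmCompatibilityLevel
        data: "{{ lm_levels[action] }}"
        type: dword

    - name: Read the value back to confirm the change applied
      ansible.windows.win_reg_stat:
        path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
        name: LmCompatibilityLevel
      register: lm_level

    - name: Report whether NTLMv1 is now permitted (value 2 or below)
      ansible.builtin.debug:
        msg: >-
          LmCompatibilityLevel={{ lm_level.value }} ->
          {{ 'NTLMv1 allowed' if (lm_level.value | int) <= 2 else 'NTLMv2 only' }}
```

Run it the same way as the page's commands, e.g. `ansible-playbook -i inventory.yml this_example.yml --extra-vars "action=disable host_name=srv02"`. The read-back task is the check a defender would keep: it reports the effective level after the change rather than trusting that the write succeeded, and the same `win_reg_stat` lookup can be run on its own to audit which lab hosts still accept NTLMv1.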