Bypass NTLM Message Integrity Check – Drop the MIC
Summary
This article discusses a method for bypassing the NTLM Message Integrity Check (MIC) in SMB, building on previous research into exploiting LLMNR and SMB message signing. The technique allows exploitation even when SMB signing is required.
IFF Assessment
This technique allows attackers to bypass security measures like SMB message signing, posing a direct threat to the confidentiality and integrity of network communications.
Severity
Bypassing the NTLM Message Integrity Check weakens authentication and integrity checks in SMB, potentially allowing man-in-the-middle attacks. This impacts network service availability and confidentiality. The score reflects a high impact on integrity and confidentiality.
Defender Context
Defenders should ensure SMB message signing is strictly enforced on their networks to mitigate this vulnerability. Regularly auditing and monitoring network traffic for signs of SMB relay attacks or unauthenticated SMB traffic is crucial.