Microsoft SharePoint 2019 - NTLM Authentication

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: Remote Language: Python Published Date: 2025-07-02 
# Titles: Microsoft SharePoint 2019 NTLM Authentication
# Author: nu11secur1ty
# Date: 06/27/25
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Reference:
https://www.networkdatapedia.com/post/ntlm-autSharePoint 2019 NTLM Authentication hentication-security-risks-and-how-to-avoid-them-gilad-david-maayan

## Description:
Microsoft SharePoint Central Administration improperly exposes
NTLM-authenticated endpoints to low-privileged or even brute-forced domain
accounts. Once authenticated, an attacker can access the `_api/web`
endpoint, disclosing rich metadata about the SharePoint site, including
user group relationships, workflow configurations, and file system
structures. The vulnerability enables username and password enumeration,
internal structure mapping, and API abuse.

Key issues include:
- NTLM over HTTP (unencrypted)
- No fine-grained access control on `_api/web`
- NTLM error codes act as oracles for credential validation

STATUS: HIGH-CRITICAL Vulnerability


[+]Exploit:
```
    # NTLM Authentication + SharePoint Enumeration Tool Usage:
    python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd'
-v

    # Success output (highlight):
    [+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web

    # Result: Full SharePoint metadata dump from the Central Admin instance

```

# Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)


# Time spent:
72:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


Microsoft SharePoint 2019 — NTLM Authentication: Risk, Detection, and Mitigation

This article examines a high-severity class of issues observed in some Microsoft SharePoint 2019 Central Administration deployments where NTLM-based authentication and permissive API exposure can be abused by low-privileged domain accounts. It describes the technical background, likely impact, safe detection approaches, and robust mitigation strategies for defenders and administrators.

Executive summary

  • NTLM used without transport encryption (HTTP) or in environments with permissive access controls can allow credential validation, username/password enumeration, and information leakage via SharePoint APIs (for example, the _api/web endpoints).
  • Error responses from NTLM authentication can act as an oracle that leaks whether credentials are valid, making brute-force or credential-validation attacks easier.
  • Mitigation focuses on enforcing TLS, restricting access to Central Administration, hardening authentication (prefer Kerberos and restricting NTLM), auditing NTLM activity, and applying principle of least privilege.

Background: why NTLM exposure matters in SharePoint

NTLM is a legacy authentication protocol still supported for compatibility in many Windows environments. When SharePoint Central Administration or any SharePoint web application accepts NTLM over unencrypted channels or exposes management APIs without fine-grained authorization checks, attackers who can authenticate with low-privilege or compromised accounts may enumerate internal structure and metadata, or use authentication error patterns to test credentials.

Key reasons this becomes problematic:

  • NTLM authentication responses (success vs. certain failure modes) can be used as an oracle to validate credentials.
  • Exposed management endpoints such as REST endpoints can reveal group membership, site structure, workflow and configuration metadata that aid lateral movement and privilege escalation.
  • Transmitting NTLM over HTTP exposes challenge/response exchanges to on-path attackers and makes detection/countermeasures harder.

High-level attack scenarios (conceptual)

  • Username/password enumeration: an attacker iterates credential guesses and infers validity from differing auth error responses.
  • Information disclosure: an authenticated low-privileged account queries SharePoint APIs and obtains site, user and workflow metadata that reveals internal targets.
  • API abuse: automated callers using valid low-privilege credentials harvest configuration or probe for misconfigurations.

Impact

SeverityLikely impactComponents affected
High — Critical Credential enumeration, internal mapping, potential privilege escalation and targeted attacks against SharePoint and AD SharePoint Central Administration, SharePoint web applications using NTLM, IIS bindings, AD-authenticated accounts

Detection and monitoring (defender-focused)

Detecting misuse requires correlating authentication logs, network access to management endpoints, and anomalous API activity. Focus on the following signals:

  • Windows Security events indicating NTLM validation attempts — look for NTLM-related events (for example, Event ID 4776) and failed logon spikes (Event ID 4625).
  • Repeated requests to Central Administration and REST endpoints from the same account or IP, particularly for endpoints that return detailed metadata (e.g., _api routes).
  • Unusual patterns of authentication failures followed by successes for the same account (possible brute-force or credential stuffing).

Example (defensive) PowerShell to review recent NTLM validation events for investigation:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776; StartTime=(Get-Date).AddDays(-7)} |
  Select-Object TimeCreated, @{Name='Account';Expression={$_.Properties[1].Value}}, Message

Explanation: This command queries the Windows Security log for recent Event ID 4776 (NTLM credential validation), selecting timestamp, the account name field, and the full message. Use in a secure management/forensics environment to identify unusual NTLM activity.

To identify whether Central Administration or a SharePoint site is bound only to HTTP (a high-risk configuration), an administrator can inspect IIS bindings:

Import-Module WebAdministration
Get-WebBinding | Where-Object { $_.protocol -in @('http','https') } |
  Select-Object @{Name='Site';Expression={$_.ItemXPath.Split('[')[0]}}, protocol, bindingInformation

Explanation: This lists IIS site bindings and helps spot sites that are bound to http (unencrypted) vs https. Confirm Central Administration uses HTTPS-only and remove or restrict HTTP bindings.

Mitigation and hardening guidance

Below are prioritized mitigations to reduce exposure and block common abuse techniques. These steps emphasize configuration, network controls, authentication policy, and monitoring.

  • Enforce TLS on all SharePoint endpoints. Disable HTTP bindings for Central Administration and other management interfaces. Use valid certificates and configure HSTS where appropriate.
  • Restrict network access to Central Administration. Central Administration is an administrative surface and should not be internet-facing. Place it on a management VLAN or behind jump boxes and firewall rules that only permit trusted admin subnets.
  • Harden authentication: prefer Kerberos and restrict NTLM.
    • Where possible, configure SharePoint to use Kerberos (constrained delegation and correctly configured SPNs) rather than NTLM.
    • Use Group Policy to restrict NTLM: set "Network security: Restrict NTLM: Incoming NTLM traffic" and "Outgoing NTLM traffic" to deny or audit-only as part of staged rollouts.
  • Apply least privilege on SharePoint APIs and objects. Review permissions applied to web applications and REST endpoints; narrow permissions for service accounts and remove broad membership from privileged groups.
  • Audit and throttle authentication attempts. Implement account lockout thresholds, monitor authentication failures, and block IPs with high failure rates. Integrate these detections into your SIEM and alerting pipelines.
  • Harden IIS and SharePoint API surface. Disable anonymous access on administrative endpoints, add additional authorization checks in front of management APIs where feasible, and consider using a WAF to enforce request policies and rate limits.
  • Patch and follow vendor guidance. Stay current with Microsoft updates for SharePoint, Windows, and IIS; apply recommended security updates promptly and review Microsoft documentation on supported authentication configurations.

Recommended configuration checklist

  • Central Administration and management endpoints bound to HTTPS only.
  • Central Admin reachable only from management networks or via jump hosts.
  • NTLM usage audited and restricted via Group Policy; move workloads to Kerberos where feasible.
  • Minimal privilege on SharePoint groups and service accounts; remove unused accounts.
  • SIEM rules for Event IDs 4625/4776 and anomalous REST API access patterns.
  • Rate limiting / WAF rules on _api/* endpoints to reduce automated enumeration attempts.

Incident response guidance

  • If you detect suspicious NTLM-based enumeration or repeated failed/successful validations, isolate affected accounts and collect authentication logs for the relevant timeframe.
  • Reset and rotate credentials for accounts used in suspicious activity, and investigate related lateral movement indicators on other hosts.
  • Review SharePoint permissions and audit access to sensitive lists, libraries and configuration objects that may have been read or modified.
  • Consider temporary network controls (deny lists, host isolation) to stop active attacks while preserving forensic evidence.

Practical examples and best practices (administrator-oriented)

  • Use the SharePoint Management Shell and IIS administration tools to verify bindings, authentication providers, and zone settings for each web application.
  • Test authentication behavior in a lab environment before changing NTLM/Kerberos settings in production — changing authentication mechanisms can disrupt services if SPNs or delegation are misconfigured.
  • Roll out NTLM restrictions in Audit mode first to identify dependent systems, then enforce Deny policies once dependencies are remediated.

Closing recommendations

NTLM-related exposures in SharePoint Central Administration are a serious operational risk but are manageable with layered defenses: reduce network exposure, require TLS, prefer Kerberos, enforce least privilege, monitor NTLM usage, and apply rate limits on management APIs. Prioritize these controls for any SharePoint 2019 environment, and maintain a staged testing and rollout plan when altering authentication policies.

References

  • Microsoft SharePoint Server 2019 — product documentation and security best practices (vendor guidance).
  • Windows Security auditing: Event IDs for logon/authentication (4624/4625/4776).