
The relevance of SMBRelay attacks in modern Windows networks

I first encountered smbrelay in the mid-2000s, and the acquaintance was not a success. At that time there were only a few exploits, and even those worked only haphazardly. And this despite the fact that the vulnerability in the protocol itself had been disclosed back in the late 1990s. Having failed to get the desired result, I lost all interest.

But a couple of weeks ago I felt the urge to look into the issue again. It turned out that, by and large, the situation has not changed, but new exploits have appeared, and I wanted to check how well they work.

For those not very familiar with the SMB vulnerability, let us recall its essence. By luring the victim into connecting to the attacker's SMB share, the attacker can redirect the victim's authentication data back to the victim's own machine, thereby gaining access to its disk and executing arbitrary code through the interprocess communication service.

It is worth noting that this serious vulnerability, in its original form, persisted until the end of 2008, right up until a properly working exploit appeared.


The patch forbade accepting an incoming connection that presents the same challenge already in use in an outgoing connection; in other words, relaying the victim back to itself was closed off.
But no patch will prevent us from redirecting the authentication to a third host to which the victim has access.

smbrelay3 from Tarasco Security has a set of advanced methods for exploiting this vulnerability. In addition to the classic SMB->SMB scheme, ways to redirect authentication from services such as HTTP/IMAP/POP3/SMTP have been added; all of them support NTLM authentication.

On unpatched Windows XP SP3 it was possible to launch cmd.exe without any trouble, even when relaying the victim to itself (the MS08-068 fix was released later).
Relaying the authentication from XP to Windows 2003 also succeeded (given the appropriate access rights).
But Windows XP is already a thing of the past, and I was interested in how smbrelay behaves in modern networks, where Windows 7 is used as the client OS.

This is where many questions and a number of nuances arose, and it is for the sake of covering them that this text was written.

The first problem was that in Windows 7 the "LAN Manager authentication level" policy is set by default to "Send NTLMv2 response only". And it turned out that none of the existing smbrelay implementations (including smbrelay3 and the corresponding module in Metasploit) support relaying NTLMv2 authentication. Evidently, this was not needed earlier, and later nobody bothered to add the support.

After making the necessary changes to the smbrelay3 source code, NTLMv2 authentication was successfully relayed from Windows 7 to Windows XP. But then the next nuance came up.
In Windows 7, with its updated IE, the meaning of the concept "Intranet" has changed. Previously everything was simple: if, in a workgroup, a network name like 'some_host' resolved to an IP address in the local segment, it was considered to be on the Intranet, and automatic authentication using the credentials of the active session was allowed. In the properties of IE on Windows 7 there is an option, enabled by default, 'Automatically detect intranet network', and in this intranet detection mode the familiar workgroup no longer belongs to the internal trusted network; it is an untrusted zone, and therefore no automatic authentication takes place. But when joined to a domain, Windows 7 will gladly hand over all the necessary data to any computer on the local network.

Thus, with the intranet detection option enabled, Win7 in a workgroup is not susceptible to the smbrelay attack, but it becomes vulnerable in a domain.

Many may imagine that in a domain, thanks to redirecting the data to a third host, it is possible, for example, to take over a domain controller after attacking an administrator's computer.
Alas, at least with the default controller configuration, this is not possible. There is a very simple means of blocking smbrelay attacks: SMB Signing, and the domain controller requires clients to sign packets. In this case the relayed session to the controller will simply be rejected, since a signature cannot be forged without knowing the password.
In some cases SMB Signing is deliberately disabled by the administrator, since mandatory signing requires more resources and reduces throughput when accessing shared files.
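To show why a required signature stops a relayed session, here is an added example that is not from the article, smbrelay3 or Intercepter-NG. It follows the NTLMv2 derivation chain of MS-NLMP (NTOWFv2, NTProofStr, session base key, signing key, message signature) in Python. The NT hash, user and domain names, challenges and the message body are all constructed stand-ins; a fixed NT hash is used instead of MD4(password) so the example does not depend on an MD4 implementation. It serves both this paragraph and the earlier one on NTLMv2: the response that has to be relayed is computed here, and the check at the end shows that a party holding only what crossed the wire (server challenge, NTProofStr, the client blob) cannot produce a signature the server accepts.

```python
import hashlib
import hmac
import struct

# Constructed inputs (not taken from the article): a stand-in NT hash, the
# identities, and the challenges. A fixed NT hash is used so the example does
# not depend on MD4, which hashlib may not provide on modern OpenSSL builds.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
USER, DOMAIN = "User", "Domain"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")

# Magic constant from MS-NLMP used to derive the client-to-server signing key
# when extended session security is negotiated.
SIGN_C2S = b"session key to client-to-server signing key magic constant\x00"


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the target info: little-endian id, length, UTF-16LE value."""
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def build_temp(client_challenge: bytes, target_info: bytes, timestamp: int = 0) -> bytes:
    """The NTLMv2 client blob ('temp' in MS-NLMP): version bytes, reserved zeros,
    64-bit timestamp, client nonce, reserved, AV pairs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntlmv2_key: bytes, server_challenge: bytes, temp: bytes):
    """Returns (NTProofStr, SessionBaseKey). NTProofStr || temp goes on the wire;
    the session base key is derived from the secret key and is never transmitted."""
    nt_proof = hmac.new(ntlmv2_key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(ntlmv2_key, nt_proof, hashlib.md5).digest()
    return nt_proof, session_base_key


def signing_key(exported_session_key: bytes, magic: bytes = SIGN_C2S) -> bytes:
    """SIGNKEY: MD5(ExportedSessionKey || magic constant)."""
    return hashlib.md5(exported_session_key + magic).digest()


def sign_message(key: bytes, seq: int, message: bytes) -> bytes:
    """NTLMSSP_MESSAGE_SIGNATURE with extended session security:
    version 1, 8-byte truncated HMAC-MD5 over seq || message, sequence number."""
    checksum = hmac.new(key, struct.pack("<I", seq) + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + checksum + struct.pack("<I", seq)


def verify_message(key: bytes, seq: int, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_message(key, seq, message), signature)


def relay_vs_signing() -> dict:
    """Walks through one authentication and one signed message, then checks what a
    relay that saw only the wire bytes (challenge, NTProofStr, temp) can do."""
    target_info = av_pair(2, DOMAIN) + av_pair(1, "Server") + b"\x00" * 4  # ends with MsvAvEOL
    temp = build_temp(CLIENT_CHALLENGE, target_info)

    # Client side: compute the response and the session base key from its NT hash.
    nt_proof, client_sbk = ntlmv2_response(ntowf_v2(NT_HASH, USER, DOMAIN), SERVER_CHALLENGE, temp)

    # Server (or DC) side: recompute from its own copy of the hash and compare.
    expected_proof, server_sbk = ntlmv2_response(ntowf_v2(NT_HASH, USER, DOMAIN), SERVER_CHALLENGE, temp)
    proof_verified = hmac.compare_digest(nt_proof, expected_proof)

    # Both ends now hold the same signing key; a signed request verifies.
    message = b"constructed SMB request body"
    signature = sign_message(signing_key(client_sbk), 0, message)
    signature_verified = verify_message(signing_key(server_sbk), 0, message, signature)

    # A relay knows everything that crossed the wire but not the NT hash. Whatever it
    # derives from those bytes is not the session base key, so its signature fails.
    relay_guess = signing_key(hashlib.md5(SERVER_CHALLENGE + nt_proof + temp).digest())
    forged = sign_message(relay_guess, 0, message)
    relay_forgery_verified = verify_message(signing_key(server_sbk), 0, message, forged)

    # Likewise, a message altered in transit but carrying the genuine signature fails.
    tampered_verified = verify_message(signing_key(server_sbk), 0, message + b"X", signature)

    return {
        "proof_verified": proof_verified,
        "signature_verified": signature_verified,
        "relay_forgery_verified": relay_forgery_verified,
        "tampered_verified": tampered_verified,
    }


if __name__ == "__main__":
    for name, ok in relay_vs_signing().items():
        print(f"{name}: {ok}")
```

The point of the last two checks is the one the paragraph makes: NTProofStr can be forwarded, but the session base key is HMAC-MD5 keyed with NTOWFv2, which the relay does not have, so when the target requires signing the relayed session dies at the first signed request.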

A prerequisite for a successful attack is access to the administrative shares IPC$ and ADMIN$; without them remote code execution will not be possible, although the possibility of "rummaging" through other shares (C$ and so on) remains.

By and large, this review could end here; there is no point in examining each step in detail, since much of it was described years ago. I have merely updated the information for the modern Windows OS family.

The outcome of the study was a stable implementation of the smbrelay attack as a module in Intercepter-NG. To avoid the difficulties associated with the Server service occupying port 445, the attack is carried out in the HTTP->SMB direction, i.e. on an incoming connection the browser is offered NTLM authentication, which is then relayed either to the same host or to some other one.

The main problem in carrying out the attack has always been luring the victim to our resource; basically it was done either by sending an e-mail, or by placing a file with a malicious link on a shared resource, and less often by using ettercap and modifying web traffic.
In our case the last option is chosen, as the fastest and most effective. A target is selected, then ARP poisoning is performed and a link is injected into the web traffic; when the link is requested, the smbrelay attack is carried out. The whole process is automated and requires no intervention. For a stable and unobtrusive injection, a replacement method is used rather than appending, so "unnecessary" sections of the HTML, such as <!DOCTYPE ...>, <meta name="keywords" ...> and <meta name="description" ...>, are replaced. Most sites contain at least one of them, so one does not have to wait long.

Additionally, note that automatic NTLM authentication is supported only by IE and Chrome, so the attack will not work against Firefox or Opera.

A video demo can be viewed below.

In summary: SMBRelay is still a pressing issue today, and in the hands of an attacker it can be a serious tool for penetrating a local network.
To protect client computers from the attack, enable SMB Signing via the corresponding registry values, EnableSecuritySignature and RequireSecuritySignature.
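A quick way to audit the settings this conclusion names is to dump the relevant keys with `reg query` and evaluate the result. The script below is an added example, not part of the article or Intercepter-NG; it parses the text format `reg query` prints and reports whether signing is required on the server and workstation sides, together with the LmCompatibilityLevel value behind the "LAN Manager authentication level" policy discussed earlier. The sample output is constructed, and the defaults assumed for values that are absent (signing not required, level 3) are stated in the code.

```python
import re
import sys

# Registry keys named in the article (signing) plus the key holding the
# "LAN Manager authentication level" value. Paths are compared case-insensitively.
SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters".upper()
WORKSTATION = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters".upper()
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".upper()

# Constructed `reg query` output (not from the article) for a workstation that
# has signing enabled but not required, and NTLMv2-only authentication.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3
"""

# An indented value line looks like: "    Name    REG_DWORD    0x1"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text: str) -> dict:
    """Map (KEY_PATH, value_name) -> data from `reg query` text. Unindented lines
    are key paths; indented lines are 'name  type  data'. REG_DWORD data is hex."""
    values = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip().upper()
            continue
        m = VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue
        name, reg_type, data = m.groups()
        values[(current_key, name.lower())] = int(data, 16) if reg_type == "REG_DWORD" else data.strip()
    return values


def assess(values: dict) -> dict:
    """Evaluate the relay-relevant settings. Assumption: a value that is absent is
    treated as the client default (signing not required, LmCompatibilityLevel 3,
    the Windows 7 default the article reports)."""
    def get(key, name, default):
        return values.get((key, name.lower()), default)

    server_require = get(SERVER, "RequireSecuritySignature", 0)
    client_require = get(WORKSTATION, "RequireSecuritySignature", 0)
    lm_level = get(LSA, "LmCompatibilityLevel", 3)

    findings = []
    if server_require != 1:
        findings.append("LanmanServer RequireSecuritySignature != 1: this host accepts unsigned "
                        "SMB sessions, so a relayed logon to its shares is not rejected")
    if client_require != 1:
        findings.append("LanmanWorkstation RequireSecuritySignature != 1: outbound sessions "
                        "from this host do not insist on signing")
    if lm_level < 3:
        findings.append("LmCompatibilityLevel < 3: LM/NTLMv1 responses may be sent; note that "
                        "level 3 (NTLMv2 only) does not by itself stop relaying")
    return {
        "server_requires_signing": server_require == 1,
        "client_requires_signing": client_require == 1,
        "lm_compatibility_level": lm_level,
        "findings": findings,
    }


if __name__ == "__main__":
    # Pass "-" to read real `reg query` output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REG_QUERY
    for finding in assess(parse_reg_query(text))["findings"] or ["no findings"]:
        print(finding)
```

On a Windows host, collect the input with `reg query` for each of the three key paths above (redirecting all three into one file) and run the script with `-` reading that file on stdin. The LmCompatibilityLevel finding is deliberately worded the way the article's update implies: NTLMv2-only narrows what an attacker can do with a captured response, but the relay itself is stopped only by requiring signatures.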

The information is presented for informational purposes only. The author is not responsible for any possible harm caused by the materials of this article.



Update: I forgot to mention that if, when attempting to relay the authentication, one of the conditions was not met (there is no administrative share, or the account has no direct access to the share), we still in any case have the NTLMSSP hash and challenge of the attacked user, which can be brute-forced.

Source: https://habr.com/ru/post/142219/

