SMB Hijacking. Kerberos is not a hindrance
About SMBRelay (or to be exact NTLM-Relay) quite a lot has been written and said. Absolutely no desire
recall the details of this attack. I recall only that the essence of the attack comes down to manipulations with the user's authentication data, which can then be redirected to another resource.
Such redirection allows you to authenticate and access the third resource, which usually translates into downloading a file and then launching it.
The process of development of relaying has long been in place. And rightly so, what would seem to be improved there, everything is clear and understandable.
Just over a year ago, Intercepter had the opportunity to redirect NTLMv2. After 3 months, a similar functionality appeared in Metasploit, and then separately taken enthusiasts began to cover up their work. Here it is, the logical limit. SMBRelay itself is almost never used, it is much more convenient in this regard to implement NTLM-Relay via other protocols, in particular HTTP. In addition, the life of SMBRelay in domain networks is complicated by the “invincible” Kerberos, often called the SMBRelay cure. With my research, I would like to destroy this myth and present a completely new approach to conducting an attack on the SMB protocol.
It is worth noting that this will not be quite SMBRelay, let's call this technique SMB Hijacking.
Let's start from afar ...
')
In the new version of the interceptor appeared NTLM-Response grabber, built-in WPAD MiTM.
For ease of use, it was decided to make it possible to call John the Ripper with an intercepted hash in order to quickly check whether an empty or easy password is set. After that, all the hashes that are intercepted by the sniffer and which can be bruteforced via JTR were brought into the appropriate format.
In the archive of the Wireshark samples, a log was found with Kerberos authorization, from which Cain was able to pull out the hash and use a brute force to find the password.
Bruteforce is possible due to the fact that, in an AS-REQ request, a timestamp encrypted with a user password, part of which is known in advance, is transmitted to the authentication server. The Kerberos authentication handler was added and tested on a live domain controller (Windows 2008 R2). Surprisingly, the hash is not intercepted. The fact is that in Windows 2008, new encryption algorithms have been added, and instead of the previously used rc4-hmac, aes256-cts-hmac-sha1-96 is now used by default. This hash is pulled out of the package in the same way as rc4-hmac, only another problem has appeared.
At the moment there are no pereborchikov able to recover the password from the timestamp'a encrypted aes'om. In john's mailing list, one comrade wrote a patch for JTR, but judging by the reviews, he is still damp and the most important process of iteration is hundreds of times slower than brute force rc4.
Thus, the option of a downgrade encryption algorithm appeared in the interceptor, from aes to rc4. Unfortunately, since Vista des, encryption has been disabled and rc4 is the minimum possible, so there was no sense in downgrading even lower.
Downgrade is a simple replacement of possible methods in the outgoing package of the victim.
It was here that an interest in kerberos arose. The study of the material showed that there is a theoretical possibility of replaying attacks of the Kerberos tickets, but no real examples and implementations were found.
While thinking and analyzing the traffic, a completely strange question arose: why do we need to re (p) lay something at all ?! Why not!
What is an SMB session?
1. Host_A connects to Host_B
2. Session protocol is selected.
3. Select the authorization method
4. A set of commands ...
WHY DO WE RELEASE THE AUTHORIZATION OF THE VICTIM IF SHE IS PERFECTLY AUTHORIZED AT THE RIGHT RESOURCE?
We just need to get up in the middle and proxy the connection, wait for Host_A to log in to Host_B, and then take control of the session into our own hands!
We are already logged in and can embed our code in the SMB session. We are not at all interested in how the client is logged in, be it NTLM or Kerberos!
The session itself is not encrypted in any way, and in 99% of cases SMB Signing on ordinary clients is not used.
In addition to the greater features, this technique is much more elegant than SMBRelay, we are no longer required to implement our own tricky SMB authorization process.
It is enough to implement the minimum set of commands that allow you to download the file and execute its launch.
All this functionality appeared in the new version of Intercepter-NG and was tested under real conditions with the latest versions of Windows 2008 and Windows 7/8.
What are the difficulties and features in the implementation of this attack.
Starting with Vista, the new SMB2 protocol was used. The main difference from the old version is a simplified set of commands and an increase in performance.
For us it is important to follow two rules. First, each SMB session has its own Session ID, and secondly, in the SMB2 header there is a Command Sequence Number field,
those. command sequence number. To implement commands, you must specify a session identifier and increment the command counter.
Since in Intercepter the existing SMBRelay is based on someone else's code using the old SMB format, it was decided not to sculpt crutches and implement the basic SMB2 command set from scratch.
The logic of implementation in the session is as follows:
1. Stand in the middle between the attacked and the third host
2. Wait for the SessionSetup Response command with a positive response.
3. Get Session ID and current team number
4. Copy file to admin ball (admin $)
5. Create a service that will run our file.
6. Start the service
7. cmd.exe
The fifth and sixth points are possible only because Microsoft allows you to send RPC requests over SMB.
That's all. Technique works great in the average domain. Often there is some software that automatically performs some operations on client computers via SMB under an account that has administrative access. Or directly the administrator can be the target of the attack.
Kerberos is not an obstacle for us. By the way, Kerberos in SMB is used only if the computer is accessed by name, and if you access the balloon via IP, only NTLM is used. When attacking domain clients, an attacker does not necessarily have to be a member of the domain himself.
You can also use SMB Hijacking in a regular workgroup, subject to the following requirements: availability of administrative access to the person being attacked and available administrative resources IPC $ \ ADMIN $.
In addition to the passive interception of SMB sessions, Intercepter also injects a link to the SMB resource into the attacker's web traffic, which significantly speeds up the process of gaining access.
In the case of a successful file download or in the absence of access, the connection must be terminated the session for the attacker is already broken (command counter was hit). In order not to loop the interception process.
and still allowing access to the requested resource, Intercepter marks the victim and no longer interferes with the stream until the attack is restarted. This removes any suspicion and eliminates disruption.
Demo video on the SMB Hijacking below.
In addition to Kerberos Downgrade and SMB Hijacking, the following changes occurred in the new version of Intercepter.
Integrated proxy server WPAD MiTM'a integrated NTLM-Response grabber. The resulting hashes can be searched.
Now, for a number of intercepted hashes, launching a brute force is available directly from the program, for this you need to first download the JTR (with the jumbo patch) and put it in the folder with Intercepter.
A new method of OS fingerprinting has been added to Smart Scan, which gives a more accurate result.
Appeared SYN port scanner, whitelist poppy addresses for DHCP MiTM, support for IDN (national domain names) and many more improvements and fixes.
SMB Hijacking is used by default, if you need to run the old SMBRelay, then you need to switch the corresponding checkbox in expert mode.
Ask questions on the forum or by mail.
The information is presented for informational purposes only. The author is not responsible for any possible harm caused by the materials of this article.
recall the details of this attack. I recall only that the essence of the attack comes down to manipulations with the user's authentication data, which can then be redirected to another resource.
Such redirection allows you to authenticate and access the third resource, which usually translates into downloading a file and then launching it.
The process of development of relaying has long been in place. And rightly so, what would seem to be improved there, everything is clear and understandable.
Just over a year ago, Intercepter had the opportunity to redirect NTLMv2. After 3 months, a similar functionality appeared in Metasploit, and then separately taken enthusiasts began to cover up their work. Here it is, the logical limit. SMBRelay itself is almost never used, it is much more convenient in this regard to implement NTLM-Relay via other protocols, in particular HTTP. In addition, the life of SMBRelay in domain networks is complicated by the “invincible” Kerberos, often called the SMBRelay cure. With my research, I would like to destroy this myth and present a completely new approach to conducting an attack on the SMB protocol.
It is worth noting that this will not be quite SMBRelay, let's call this technique SMB Hijacking.
Let's start from afar ...
')
In the new version of the interceptor appeared NTLM-Response grabber, built-in WPAD MiTM.
For ease of use, it was decided to make it possible to call John the Ripper with an intercepted hash in order to quickly check whether an empty or easy password is set. After that, all the hashes that are intercepted by the sniffer and which can be bruteforced via JTR were brought into the appropriate format.
In the archive of the Wireshark samples, a log was found with Kerberos authorization, from which Cain was able to pull out the hash and use a brute force to find the password.
Bruteforce is possible due to the fact that, in an AS-REQ request, a timestamp encrypted with a user password, part of which is known in advance, is transmitted to the authentication server. The Kerberos authentication handler was added and tested on a live domain controller (Windows 2008 R2). Surprisingly, the hash is not intercepted. The fact is that in Windows 2008, new encryption algorithms have been added, and instead of the previously used rc4-hmac, aes256-cts-hmac-sha1-96 is now used by default. This hash is pulled out of the package in the same way as rc4-hmac, only another problem has appeared.
At the moment there are no pereborchikov able to recover the password from the timestamp'a encrypted aes'om. In john's mailing list, one comrade wrote a patch for JTR, but judging by the reviews, he is still damp and the most important process of iteration is hundreds of times slower than brute force rc4.
Thus, the option of a downgrade encryption algorithm appeared in the interceptor, from aes to rc4. Unfortunately, since Vista des, encryption has been disabled and rc4 is the minimum possible, so there was no sense in downgrading even lower.
Downgrade is a simple replacement of possible methods in the outgoing package of the victim.
It was here that an interest in kerberos arose. The study of the material showed that there is a theoretical possibility of replaying attacks of the Kerberos tickets, but no real examples and implementations were found.
While thinking and analyzing the traffic, a completely strange question arose: why do we need to re (p) lay something at all ?! Why not!
What is an SMB session?
1. Host_A connects to Host_B
2. Session protocol is selected.
3. Select the authorization method
4. A set of commands ...
WHY DO WE RELEASE THE AUTHORIZATION OF THE VICTIM IF SHE IS PERFECTLY AUTHORIZED AT THE RIGHT RESOURCE?
We just need to get up in the middle and proxy the connection, wait for Host_A to log in to Host_B, and then take control of the session into our own hands!
We are already logged in and can embed our code in the SMB session. We are not at all interested in how the client is logged in, be it NTLM or Kerberos!
The session itself is not encrypted in any way, and in 99% of cases SMB Signing on ordinary clients is not used.
In addition to the greater features, this technique is much more elegant than SMBRelay, we are no longer required to implement our own tricky SMB authorization process.
It is enough to implement the minimum set of commands that allow you to download the file and execute its launch.
All this functionality appeared in the new version of Intercepter-NG and was tested under real conditions with the latest versions of Windows 2008 and Windows 7/8.
What are the difficulties and features in the implementation of this attack.
Starting with Vista, the new SMB2 protocol was used. The main difference from the old version is a simplified set of commands and an increase in performance.
For us it is important to follow two rules. First, each SMB session has its own Session ID, and secondly, in the SMB2 header there is a Command Sequence Number field,
those. command sequence number. To implement commands, you must specify a session identifier and increment the command counter.
Since in Intercepter the existing SMBRelay is based on someone else's code using the old SMB format, it was decided not to sculpt crutches and implement the basic SMB2 command set from scratch.
The logic of implementation in the session is as follows:
1. Stand in the middle between the attacked and the third host
2. Wait for the SessionSetup Response command with a positive response.
3. Get Session ID and current team number
4. Copy file to admin ball (admin $)
5. Create a service that will run our file.
6. Start the service
7. cmd.exe
The fifth and sixth points are possible only because Microsoft allows you to send RPC requests over SMB.
That's all. Technique works great in the average domain. Often there is some software that automatically performs some operations on client computers via SMB under an account that has administrative access. Or directly the administrator can be the target of the attack.
Kerberos is not an obstacle for us. By the way, Kerberos in SMB is used only if the computer is accessed by name, and if you access the balloon via IP, only NTLM is used. When attacking domain clients, an attacker does not necessarily have to be a member of the domain himself.
You can also use SMB Hijacking in a regular workgroup, subject to the following requirements: availability of administrative access to the person being attacked and available administrative resources IPC $ \ ADMIN $.
In addition to the passive interception of SMB sessions, Intercepter also injects a link to the SMB resource into the attacker's web traffic, which significantly speeds up the process of gaining access.
In the case of a successful file download or in the absence of access, the connection must be terminated the session for the attacker is already broken (command counter was hit). In order not to loop the interception process.
and still allowing access to the requested resource, Intercepter marks the victim and no longer interferes with the stream until the attack is restarted. This removes any suspicion and eliminates disruption.
Demo video on the SMB Hijacking below.
In addition to Kerberos Downgrade and SMB Hijacking, the following changes occurred in the new version of Intercepter.
Integrated proxy server WPAD MiTM'a integrated NTLM-Response grabber. The resulting hashes can be searched.
Now, for a number of intercepted hashes, launching a brute force is available directly from the program, for this you need to first download the JTR (with the jumbo patch) and put it in the folder with Intercepter.
A new method of OS fingerprinting has been added to Smart Scan, which gives a more accurate result.
Appeared SYN port scanner, whitelist poppy addresses for DHCP MiTM, support for IDN (national domain names) and many more improvements and fixes.
SMB Hijacking is used by default, if you need to run the old SMBRelay, then you need to switch the corresponding checkbox in expert mode.
Ask questions on the forum or by mail.
The information is presented for informational purposes only. The author is not responsible for any possible harm caused by the materials of this article.
Source: https://habr.com/ru/post/182954/
All Articles