SMB_RELAY

[natronicus at gmail.com (natronicus)]

An NTLM-over-HTTP implementation would allow more than server attacks that
require authorization (although this is handy for that, too).  You can
perform the regular SMB_RELAY attack, but you're substituting the attacker's
SMB server for an HTTP server, thus getting around the port restriction
problems.

It's been a few months since I've looked at the protocol and how this attack
works, but if my memory is correct, it is functionally:

1. (HTTP) Victor clicks link / previews email / etc and issues a GET to
http://alice, which requests Integrated Windows Authentication (IWA) with
NTLMv1.
2. (SMB) Alice begins an NTLMv1 SMB connection to Victor
3. (SMB) Victor replies to Alice with the challenge hash
4. (HTTP) Alice replies to the IWA request with the challenge hash just
received
5. (HTTP) Victor supplies the answer to the challenge request
6. (SMB) Alice copies the answer from the HTTP stream to the SMB stream and
authentication occurs
7. (SMB) Alice uploads the payload and executes

> From a functional perspective, the attack is exactly the same, but uses port
80 on the attacker's box instead of the problematic 137-139 or 445.

Additionally, with some java applets and DNS rebinding chicanery, you can
extend this attack over the internet.

Natron

On Sun, Mar 9, 2008 at 3:08 AM, Kurt Grutzmacher <grutz at jingojango.net>
wrote:

> I've done the work to get NTLM Type-message processing into MSF. At this
> tim there aren't any exploits within MSF that use the library, I just
> referenced it from some external ruby code I wrote but we should be able to
> integrate client-side NTLM-over-HTTP fairly easily for server attacks that
> may require authorization. I just haven't put it on the top of my list yet.
>
> http://grutz.jingojango.net/exploits/pokehashball.html has some of the
> information along with two exploits (hash grabber and HTTP-to-POP3 proxy
> exploit).
>
> If anyone wants to work on implementing any exploits, let me know and I'll
> work with you.
>
>
> 2008/3/7 natronicus <natronicus at gmail.com>:
>
> Is there a particular reason you're trying to use Windows for this one?  I
> > tried to mess with implementing NTLM-over-HTTP / Windows Integrated Auth a
> > few months back, but got frustrated learning Ruby and it hit the
> > projects-to-finish-later pile.  I recently saw HD mentioned in another
> > thread someone was working on this problem, but it sounded like they may be
> > focused on other items first (NTLMv2, for example).
> >
> > In any event, until the HTTP version is implemented, you're always going
> > to have problems getting it to work on Windows, because Windows is
> > incredibly greedy about those particular ports.  Why not use a Linux image
> > in VMWare instead?  If your network will allow 2 IPs for 1 MAC address,
> > there's no reason why you can't use it under (e.g.) Backtrack and still
> > have access to whatever you need Windows for.
> >
> > Just a though,
> > N
> >
> > 2008/3/7 Karlsson Anders <Anders.Karlsson at atea.com>:
> >
> > >  And it is realy hard to use port 445. I needed to disable almost
> > > every service and binding in my XP machine. After that I can not use the
> > > machine to connect to the server with old plain "net use", so I do not think
> > > using port 445 is the right way....
> > >
> > > /A
> > >
> > > _______________________________________________
> > > http://spool.metasploit.com/mailman/listinfo/framework
> >
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080310/1931d7a5/attachment.htm>