Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012 … and a new network attack
How it works
Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. If this sounds vaguely familiar, it's because a similar technique was disclosed by the guys at Google Project Zero – https://code.google.com/p/google-security-research/issues/detail?id=222 . In fact, some of our code was shamelessly borrowed from their PoC and expanded upon.
Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine.
This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Often it is the case that once an attacker is able to gain high privileged access to ANY workstation or server on a Windows network, they can use this access to gain “lateral movement” and compromise other hosts on the same domain. As an attacker, we often gain access to a computer through a low privilege user or service account. Gaining high privilege access on a host is often a critical step in a penetration test, and is usually performed in an ad-hoc manner as there are no known public exploits or techniques to do so reliably.
The techniques that this exploit uses to gain privilege escalation aren't new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of three main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years:
1. Local NBNS Spoofer
NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. When you (or Windows) perform a DNS lookup, first Windows will check the “hosts” file. If no entry exists, it will then attempt a DNS lookup. If this fails, an NBNS lookup will be performed. The NBNS protocol basically just asks all hosts on the local broadcast domain “Who knows the IP address for host XXX?”. Any host on the network is free to respond however it wishes. In penetration testing, we often sniff network traffic and respond to NBNS queries observed on a local network. We will impersonate all hosts, replying to every request with our IP address in hopes that the resulting connection will do something interesting, like try to authenticate.
For privilege escalation purposes, we can't assume that we are able to sniff network traffic. Why? Because this requires local administrator access. So how can we achieve NBNS spoofing?
If we know ahead of time which hostname a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a fake response and flood the target host with NBNS responses very quickly (since it is a UDP protocol). One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response, and we are unable to see the request. We can overcome this by flooding quickly and iterating over all 65536 possible values.
What if the network we are targeting has a DNS record for the host we want to spoof? We can use a technique called UDP port exhaustion to force ALL DNS lookups on the system to fail. All we do is bind to EVERY single UDP port. This causes DNS to fail because there will be no available UDP source port for the request. When DNS fails, NBNS will be the fallback.
In testing, this has proved to be 100% effective due to the speed at which we are able to send UDP packets to 127.0.0.1.
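The TXID brute-force described above has a simple network signature: a legitimate NBNS responder echoes the TXID of the one query it received, whereas a spoofer that cannot see the query emits many responses for the same name and address with different TXIDs. The following Python is an added example, not code from the Hot Potato project or from the authors of this post; it parses NBNS positive name query responses (RFC 1002 layout, single-label names with no NetBIOS scope assumed) and counts distinct TXIDs per source, name and claimed address. The sample packet, a response claiming “WPAD” is 127.0.0.1, and the traffic in `demo()` are constructed here for the example; the detector itself works for any name or address, not only WPAD.

```python
"""NBNS positive-name-query-response parser and TXID brute-force detector.

Added example (not code from the Hot Potato project). Packet layout follows
RFC 1002; the sample packet below is constructed by hand for this example.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: an NBNS positive name query response saying that
# "WPAD<00>" has address 127.0.0.1, TTL 300000, with TXID 0x0000.
SAMPLE_WPAD_RESPONSE = (
    b"\x00\x00\x85\x80\x00\x00\x00\x01\x00\x00\x00\x00"          # TXID, flags (response|AA|RD|RA), QD=0 AN=1 NS=0 AR=0
    + b"\x20" + b"FHFAEBEECACACACACACACACACACACAAA" + b"\x00"  # first-level encoded "WPAD" + 11 spaces + suffix 0x00
    + b"\x00\x20\x00\x01\x00\x04\x93\xe0\x00\x06"                # TYPE=NB, CLASS=IN, TTL=300000, RDLENGTH=6
    + b"\x00\x00\x7f\x00\x00\x01"                                # NB_FLAGS=0 (unique, B-node), NB_ADDRESS=127.0.0.1
)


def decode_nb_name(encoded: bytes) -> Tuple[str, int]:
    """Undo RFC 1001 first-level encoding: 32 chars 'A'..'P' -> 16 raw bytes.
    Returns (name without trailing space padding, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns_response(pkt: bytes) -> Optional[dict]:
    """Parse an NBNS name query response; return None for anything else.
    Assumption: single-label names without a NetBIOS scope (the common case)."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not (flags & 0x8000) or ancount < 1:    # not a response, or no answer
        return None
    off = 12 + qdcount * (34 + 4)              # skip any echoed question entries
    if len(pkt) < off + 34 + 10 or pkt[off] != 0x20:
        return None
    name, suffix = decode_nb_name(pkt[off + 1:off + 33])
    off += 34                                  # length byte + 32 chars + terminator
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 0x0020 or rclass != 0x0001:    # only NB records carry addresses
        return None
    rdata = pkt[off:off + rdlen]
    # RDATA is a list of 6-byte entries: NB_FLAGS (2) + IPv4 address (4)
    addrs = [".".join(str(b) for b in rdata[i + 2:i + 6])
             for i in range(0, len(rdata) - 5, 6)]
    return {"txid": txid, "name": name, "suffix": suffix, "addrs": addrs}


def with_txid(pkt: bytes, txid: int) -> bytes:
    """Return a copy of pkt with its transaction ID replaced (test-data helper)."""
    return struct.pack("!H", txid) + pkt[2:]


def detect_txid_bruteforce(observations: Iterable[Tuple[str, bytes]],
                           threshold: int = 32) -> Dict[Tuple[str, str, str], int]:
    """Count distinct TXIDs per (source IP, claimed name, claimed address).
    A host answering real queries reuses each query's TXID; one source emitting
    many different TXIDs for the same name/address is guessing the TXID."""
    seen: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for src, pkt in observations:
        rec = parse_nbns_response(pkt)
        if rec is None:
            continue
        for addr in rec["addrs"]:
            seen[(src, rec["name"], addr)].add(rec["txid"])
    return {key: len(ids) for key, ids in seen.items() if len(ids) >= threshold}


def demo() -> Dict[Tuple[str, str, str], int]:
    # Constructed traffic: 200 responses with different TXIDs from loopback,
    # plus three ordinary replies from another host reusing a single TXID.
    flood = [("127.0.0.1", with_txid(SAMPLE_WPAD_RESPONSE, t)) for t in range(200)]
    benign = [("10.0.0.5", with_txid(SAMPLE_WPAD_RESPONSE, 0x1234))] * 3
    return detect_txid_bruteforce(flood + benign)


if __name__ == "__main__":
    print(parse_nbns_response(SAMPLE_WPAD_RESPONSE))
    print(demo())
```

Feeding `detect_txid_bruteforce` with (source IP, UDP payload) pairs captured on port 137 is enough; the threshold of 32 distinct TXIDs is far below the 65536 a blind guess has to cover, and the source of the flood being the host itself is exactly the local case this post describes.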
2. Fake WPAD Proxy Server
In Windows, Internet Explorer by default will automatically try to detect network proxy setting configuration by accessing the URL “http://wpad/wpad.dat”. This also surprisingly applies to some Windows services such as Windows Update, but exactly how and under what conditions seems to be version dependent. Of course the URL “http://wpad/wpad.dat” won't exist on all networks because the hostname “wpad” won't necessarily be in the DNS nameserver. However, as we saw above, we can spoof host names using NBNS spoofing.
With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
At the same time, we run an HTTP server locally on 127.0.0.1. When it receives a request for “http://wpad/wpad.dat”, it responds with something like the following:
```javascript
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "localhost")) return "DIRECT";
    return "PROXY 127.0.0.1:80";
}
```
Interestingly, this attack, even when performed by a low privilege user, will affect all users of the machine. This includes administrators and system accounts. The following screenshot shows 2 users simultaneously logged into the same machine; the low privilege user is performing local NBNS spoofing, and the high privilege user is affected in the 2nd screenshot.
3. HTTP -> SMB NTLM Relay
NTLM relay is a well known, but often misunderstood attack against Windows NTLM authentication. The NTLM protocol is vulnerable to man-in-the-middle attacks. If an attacker can trick a user into trying to authenticate using NTLM to his machine, he can relay that authentication attempt to another machine! The old version of this attack had the victim attempting to authenticate to the attacker using the SMB protocol with NTLM authentication. The attacker would then relay those credentials back to the victim's computer and gain remote access using a “psexec” like technique.
Microsoft patched this by disallowing same-protocol NTLM authentication using a challenge that is already in flight. What this means is that SMB->SMB NTLM relay from one host back to itself will no longer work. However, cross-protocol attacks such as HTTP->SMB will still work with no issue!
With all HTTP traffic now presumably flowing through an HTTP server that we control, we can do things like redirect it somewhere that will request NTLM authentication.
In the Potato exploit, all HTTP requests are redirected with a 302 redirect to “http://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “http://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
Any NTLM credentials are then relayed to the local SMB listener to create a new system service that runs a user-defined command.
When the HTTP request in question originates from a high privilege account, for example, when it is a request from the Windows Update service, this command will run with “NT AUTHORITY\SYSTEM” privilege!
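What the relay step actually receives is an NTLM AUTHENTICATE (Type 3) message, base64-encoded in the `Authorization` header of the retried request to the `GETHASHES` URL; the identity it carries is what ends up at the SMB listener. The Python below is an added example, not code from the Hot Potato project or its authors: it decodes the identity fields of a Type 3 message (MS-NLMP 2.2.1.3 layout), and runs that over constructed web-server log entries to flag NTLM authentication sent to a loopback host, the indicator a defender would look for on a box where this is being attempted. The `build_sample_authenticate` helper exists only to produce test data (zero-filled placeholder responses, no real authentication material), and the host names, paths and account names in `demo()` are constructed for this example.

```python
"""Decode NTLM AUTHENTICATE (Type 3) messages carried in HTTP Authorization
headers and flag ones sent to a loopback host.

Added example (not code from the Hot Potato project). Message layout follows
MS-NLMP 2.2.1.3; the log entries and messages below are constructed here.
"""
import base64
import struct
from typing import Dict, List, Optional

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def parse_ntlm_authenticate(token: bytes) -> Optional[dict]:
    """Return the identity fields of an NTLM Type 3 message, or None."""
    if len(token) < 64 or token[:8] != b"NTLMSSP\x00":
        return None
    if struct.unpack_from("<I", token, 8)[0] != 3:   # 1=NEGOTIATE, 2=CHALLENGE, 3=AUTHENTICATE
        return None

    def field(pos: int) -> bytes:
        # Each descriptor is Len(2) MaxLen(2) Offset(4); offset is from message start
        length, _maxlen, offset = struct.unpack_from("<HHI", token, pos)
        return token[offset:offset + length]

    flags = struct.unpack_from("<I", token, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": field(28).decode(enc),
        "user": field(36).decode(enc),
        "workstation": field(44).decode(enc),
        "nt_response_len": len(field(20)),   # 24 = NTLMv1 response, larger = NTLMv2 blob
        "flags": flags,
    }


def parse_authorization_header(value: str) -> Optional[dict]:
    """Extract the Type 3 identity from 'Authorization: NTLM <base64>'
    (or 'Negotiate' when it carries raw NTLMSSP). Type 1 messages yield None."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        return parse_ntlm_authenticate(base64.b64decode(b64))
    except ValueError:
        return None


def build_sample_authenticate(domain: str, user: str, workstation: str,
                              flags: int = 0x00008201) -> bytes:
    """Constructed Type 3 message for test data only: the challenge responses
    are zero-filled placeholders, not real authentication material."""
    enc = "utf-16-le"
    payload = [b"\x00" * 24, b"\x00" * 24,                 # LM / NT responses (placeholders)
               domain.encode(enc), user.encode(enc),
               workstation.encode(enc), b""]               # no encrypted session key
    offset, descriptors = 64, b""                          # payload follows the 64-byte header
    for part in payload:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", flags) + b"".join(payload))


def find_loopback_ntlm_auth(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag HTTP requests that delivered an NTLM AUTHENTICATE to a loopback
    Host. A machine account (name ending in '$') doing so is the SYSTEM-context
    case this post relies on, so it is reported separately."""
    hits = []
    for e in entries:
        ident = parse_authorization_header(e.get("authorization", ""))
        if ident is None:
            continue
        if e["host"].split(":")[0].lower() in ("localhost", "127.0.0.1"):
            hits.append({"host": e["host"], "path": e["path"],
                         "account": f"{ident['domain']}\\{ident['user']}",
                         "machine_account": ident["user"].endswith("$")})
    return hits


def demo() -> List[Dict[str, str]]:
    # Constructed web-server log entries for this example
    token = base64.b64encode(build_sample_authenticate("CORP", "WKSTN01$", "WKSTN01")).decode()
    entries = [
        {"host": "wpad", "path": "/wpad.dat", "authorization": ""},
        {"host": "localhost", "path": "/GETHASHES00001", "authorization": ""},                # first hit, answered 401
        {"host": "localhost", "path": "/GETHASHES00001", "authorization": "NTLM " + token},   # retry carrying Type 3
        {"host": "intranet.corp.example", "path": "/", "authorization": "NTLM " + token},    # off-box auth, not flagged
    ]
    return find_loopback_ntlm_auth(entries)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Only the Type 3 message names the account, so the Type 1 the client sends first parses to `None` and is skipped; the same parser works on the `Authorization` header of any HTTP proxy or web-server log that records it.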
Using The Exploit
Usage is currently operating system dependent. It is also a bit flaky sometimes, due to the quirks in how Windows handles proxy settings and the WPAD file. Often when the exploit doesn't work, it is necessary to leave it running and wait. When Windows already has a cached entry for WPAD, or is allowing direct internet access because no WPAD was found, it could take 30-60 minutes for it to refresh the WPAD file. It is necessary to leave the exploit running and try to trigger it again later, after this time has elapsed.
The techniques listed here are ordered from least to most complex. Any technique later in the list should work on all previous versions. Videos and screenshots are included for each.
Windows 7 – see https://youtu.be/Nd6f5P3LSNM
Windows 7 can be fairly reliably exploited through the Windows Defender update mechanism. Potato.exe has code to automatically trigger this. Simply run the following:
```text
Potato.exe -ip -cmd [cmd to run] -disable_exhaust true
```
If your network has a DNS entry for “WPAD” already, you can try “-disable_exhaust false”. This should cause the DNS lookup to fail and it should fall back to NBNS. This seems to work pretty reliably on Windows 7.
Windows Server 2008 – see https://youtu.be/z_IGPWgL5SY
Since Windows Server doesn't come with Defender, we need an alternate method. Instead we'll just check for Windows updates. The other caveat is that, at least on my domain, Server 2K8 wanted WPAD.DOMAIN.TLD instead of just WPAD. The following is an example usage:

```text
Potato.exe -ip -cmd [cmd to run] -disable_exhaust true -disable_defender true -spoof_host WPAD.EMC.LOCAL
```
If your network has a DNS entry for “WPAD” already, you can try “-disable_exhaust false”, however it might break things here. Doing DNS port exhaustion causes ALL DNS lookups to fail. The Windows Update process may need to do a few DNS lookups before reaching out for WPAD. You would have to hit the timing JUST right to get it working in this case.
Windows 8/10/Server 2012 – see https://youtu.be/Kan58VeYpb8
In the newest versions of Windows, it appears that Windows Update may no longer honor the proxy settings set in “Internet Options”, or check for WPAD. Instead, proxy settings for Windows Update are controlled using “netsh winhttp proxy…”. For these versions, we rely instead on a newer feature of Windows, the “automatic updater of untrusted certificates”. Details can be found at https://support.microsoft.com/en-us/kb/2677070 and https://technet.microsoft.com/en-us/library/dn265983.aspx
From the technet article: “The Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis.”
It appears that this part of Windows still uses WPAD, even when the winhttp proxy setting is set to direct. Why is a bit of a mystery…
In this case the usage of Potato is as follows:
```text
Potato.exe -ip -cmd [cmd to run] -disable_exhaust true -disable_defender true
```
If your network has a DNS entry for “WPAD” already, refer to the notes for this situation under Server 2008. You can try port exhaustion but it might be tricky.
TODO: SMB Signing?
It's unclear whether this attack would work when SMB signing is enabled. The exploit as released currently does not, but this may just be due to lack of SMB signing support in the CIFS library we're using. My reason to suspect that it may work is that everything is happening on 127.0.0.1. If the signatures are host based, they may still match?

The “New Network Attack”
Let's think back to our NBNS spoofing attack. Using the same technique of brute-forcing the TXID, we could technically perform NBNS spoofing attacks outside of our local network. In fact, in theory, as long as there is a fast enough connection to support it, we should be able to perform NBNS spoofing attacks against ANY Windows host for which we can talk to UDP port 137.
This actually appears to work in practice, at least on a local network; I've yet to successfully try it over the Internet.
We're releasing a modified version of the “Responder.py” tool that performs this attack. The following video demonstrates the attack on a network laid out as follows:
- PFSense firewall
- 10.0.0.0/24 -> Corporate LAN
- 10.0.1.0/24 -> Server network
- From the corporate network, we'll attack a machine on the server network.