Has your cybersecurity been compromised?





We respect your privacy, and we hate spam as much as you. Which is why we will never share your email address with anyone.

Enquire Now

USING SMBRELAY WITH MICROSOFT ACCESS TOKENS

By Help AG Cybersecurity Analysis Team   |  Posted Thursday, 22nd May 2014

Introduction

Performing an effective yet time efficient internal assessment can be a challenge. Whether you as an auditor follow a methodology or simply “hack free style” there will always be the typical tasks and the more challenging complex ones that require more dedication. Some examples of what may be refereed to as typical attacks include:

  • Running your favorite vulnerability scanner
  • Firing up Metasploit to exploit your findings
  • Running your brute force software

Other tasks that require more dedication may include:

  • An SMBRELAY attack
  • Pass the hash
  • Token impersonation
  • ARP poisoning

This article will focus on some shortcomings of the current SMBRELAY tools that are out there and how to use it in parallel to your typical tasks. We will demonstrate how with some tweaks on the tool, it would be possible to turn the SMBRELAY attack into a very simple task that you can run in the background throughout the assessment.

Here’s what will happen, you will run it, keep it on the side and start the other tasks in your assessment. Lets assume your assessment is 7 days long, in 7 days you may be lucky enough to relay a domain administrator’s hashes and become a domain admin without putting much effort and most importantly without having to perform any token abuse attacks.

The setup

Victim 1: A workstation that is part of the domain we are targeting. We will not compromise this workstation, instead we will use it to compromise another machine. The domain admin will be using this machine during the attack.

Victim 2: A workstation that is part of the domain we are targeting. We will be getting domain admin on that machine.

Attacker: The workstation of the attacker is not part of the domain

The scenario:

The end goal is that the attacker will make it seem like victim 1 is authenticating to victim 2. Below are some statements that would simplify the concept:

  • In victim 1’s perspective, the attacker is simply a workstation which has a file being shared. victim 1 needs to download the file
  • In victim 2’s perspective, the attacker is victim 2 trying to authenticate to it

Below are the steps of the process:

Step 1: The attacker will somehow trick victim 1 into opening a shared file on the attacker’s machine

Step 2: When victim 1 does so (with domain admin privileges), Microsoft Windows will automatically ask the attacker’s machine for a “challenge” string in order to authenticate as well as the cleartext username

Step 3: The attacker will attempt to connect to Victim 2 and request for a “challenge” (as if the attacker is victim 1). The attacker will also send the same username sent to him by victim 1

Step 4: Victim 2 will generate a random string which is the challenge and send it to the attacker

Step 5: The attacker will forward that same challenge to victim 1 (as if the attacker is victim 2)

Step 6: Victim 1 will use his password hashes to further hash the challenge (this is called the response)

Step 7: Victim 1 will forward the response to the attacker in an attempt to authenticate

Step 8: The attacker will simply forward the response to Victim 2 as if he is authenticating to victim 2

Step 9: Victim 2 will forward the response and challenge as well as cleartext username sent by the attacker.

Step 10: The domain controller has the domain admin’s hashes so it uses them to hash the received challenge (from victim 2) and compare the result with the received response (from victim 2). If they matched, the domain controller will will send a message to victim 2 indicating that authentication was succefull

Step 11: The attacker is now authenticated as a domain admin on Victim 2. He will use the MS file sharing to upload a backdoor

Step 12: The attacker will use MS service manager to create a service which simply runs the backdoor

Step 13: When the service starts, the backdoor runs and the attacker will gain access to the victim’s machine as a system admin

The problem with SMBRELAY

Most windows workstations nowadays are configured to authenticate through NTLMv2 challenge and response hashes. Unfortunately the SMBRELAY tool in Metasploit and SMBRELAY2 both don’t work on NTLMv2. After performing some testing we found an interesting project called SMBRELAYX. This tool is coded in Python and it works like a charm in relaying NTLMv2 hashes.

 

RELATED POSTS

TOP MIDDLE EAST CYBER THREATS-30 AUGUST 2018

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a…

Read More

Office 365 Security: Exploring and Addressing Common Misconfigurations

In our blog last week, we highlighted the growing popularity of the Office 365 platform and then outlined the top five attack vectors against the service. Hopefully that's…

Read More

CYBER THREATS HEAT UP: TOP TIPS TO STAY

Soaring summer temperatures across the Middle East, and people working shorter hours during the Holy Month of Ramadan, translate to more time indoors and consequently, more time for…

Read More

Back to Top