Discuss the implementation of smb session hijacking

Author: phantom brigade CIEL
Phantom tour: http://www.ph4nt0m.net/bbs/
E-MAIL: 106130@SOHU.COM
Recently, SMB session hijacking has become a hot topic. In fact, the documentation on this aspect has long been complete, such as encryption mechanisms and vulnerabilities.
This article does not have any technical things, but only helps you understand the specific implementation of the attack process.
Let's start with two tools: SMBPROXY and SMBRELAY. Generally, if you get the NTLMHash password of a remote host, brute force cracking is usually used to obtain the password, SMBPROXY can be used to authenticate and log on to the remote host in the proxy mode to achieve quick access. Generally, the format of this file is as follows:
Username: id: LANMAN hash: NTLM hash :::
Admin: 1003: ccf9155e3e7db%aad3b435b51404ee: 3DBDE697D71690A769204BEB12283678 :::
In fact, if we use CAIN, SCOOPLM or LC4 may also sniff some SMB session information. The format is as follows:
UsernameDomain: "": "": Case insensitive password: Case sensitive password: Challenge
Administrator: "": "": 89E5E3F54A998398DC36E89DDD37334C801201CA39C9A5D3: 8457624154f27a5efa5

FE7B647E87C36D78616F80594123C: e3a96ff%7b9edf
It can be seen that there is a big gap between the two in form and content, but LC4 can crack the ciphertext of the two formats. In fact, SMBPROXY can only use files in the first format. As to why it cannot use the sniffing data format, we have to talk about SMB session encryption mechanism.
Early SMB protocols transmit plaintext passwords over the network. Later, the "LAN Manager Challenge/Response" Verification Mechanism (LM) was introduced, but it was easy to crack. Microsoft proposed the WindowsNT challenge/response verification mechanism, called NTLM. Now NTLMv2 and Kerberos verification systems have been updated.
If machine A tries to access A shared resource of machine B, machine A will send the username and password currently logged in for verification by machine B, at this time, machine B will randomly generate A Challenge (Challenge) and send it to machine A. Machine A encrypts the Challenge with the token key derived from the plaintext password to get A response, and then sends it to machine B, B obtains the LM Hash and NTLM Hash of the user name sent by A from SAM, calculates the token ey, and encrypts the standard DES for the challenge previously sent to A. If the comparison result is consistent between the two parties, the verification is successful. If this verification fails, the user will be reminded to enter the user name and password, which is our common verification box. The user enters the user name and password, and then uses the same method for the next round of encryption-Verification
(Note: The session mechanism here is limited to NT and 2 K. If 98 and WINME make a request to 2 K or NT, you cannot select the user name, the default user name is your current login name)
Let's take a look at the working principle of SMBPROXY, because ntlm hash is next in the file intercepted by PWDUMP. Here, the HASH is directly encrypted by DES-send-verification, this removes the need to obtain plaintext passwords.
The following is a working example:
Legend: H: Algorithm for encrypting plaintext passwords
E des encryption algorithm
D Decryption
P is the plaintext password.
S = H (P) the HASH after the plaintext password is encrypted and stored in SAM,
N challenges
Client
Server B
Windows NT/2000 login:
1. A => B: send A request
2. B => A: N
3. A => B: E (N, H (P ))
The server checks for S = D (N, E (N, H (P) or E (N, S) = E (N, H (P )).

In fact, we can use PWDUMP to obtain S. That is to say, P does not need to be cracked.

Windows NT/2000 "passing the hash ":
1. A => B: send A request.
2. B => A: N
3. A => B: E (N, S)
Sending S = D (N, E (N, S) is bound to pass host verification. At this time, we are the user identity of sending S. If you are sending an administrator's
S value. You are the administrator!

Before talking about SMBRELAY, let's take a look at the following document.
February 6, 1997, Dominique Brezinski <dominique.brezinski@CyberSafe.COM> external
Released a document on the vulnerability of the Windows NT authentication mechanism
Assume that host B and
(1) A initiates A connection request to B
(2) B sends A challenge to A (A group of random data, 8 bytes)
(3) A uses the token key from the plaintext password to encrypt the standard DES to respond to the challenge and send it to B
(4) B obtains LM Hash and NTLM Hash of A from SAM, calculates the token ey, and brings forward challenges to.
Line standard DES encryption
(5) If (4) The calculation result matches the response sent by A, A is allowed to access B
Assume that an attacker C is involved in the attack.
(1) C. Initiate a connection request to B
(2) B sends challenge D to C (a group of random data)
(3) C. Wait for A to initiate A connection request to B.
(4) When A initiates A connection request to B, C forges B to send challenge D to
(5) A uses the token key from the plaintext password to encrypt the standard DES of challenge D to obtain the response E and send it to B.
(6) C intercepts response E and sends it to B as A response to challenge D in (2) and claims that it is
(7) B obtains LM Hash and NTLM Hash of A from SAM, calculates the token ey, and carries out standard DES for challenge D.
Encryption
(8) If the calculation result in (7) matches the response sent by C, C is allowed to access B as.

 

Today, if attackers only use the common bypass sniffing method, sniffing the HASH, LM CLI-CHALL cannot get (all 0), even if their position is smb server! Here, I will give you two cases for comparison
First case: As an smb server, I use other machines as the customer's role to access a piece of data captured by my shared resources.
Administrator: "": "": 5fa055e5f1819f290000000000000000000000000000000000000000: FACEAAE8DD420A0EA8EB

B15B6FC499CF38B0C5B3B616FE38: D29F5CC5DC662A91
This is a piece of sniffing of incomplete encrypted data, because LM CLI-CHALL could not be obtained, so it could not be used by us.
2nd cases: if we act as the CLI ourselves, send a request to the SMB SERVER
Administrator: "": "": 89E5E3F54A998398DC36E89DDD37334C801201CA39C9A5D3: 8457624154f27a5efa

5FE7B647E87C36D78616F80594123C: e3a96ff4157b9edf
Here it is complete. If you break the code into LC4, the final result will be my own password.

In fact, why does SMBRELAY work when we get the complete confidential data, including ln hash, nt hash, NT SERV-CHALL, LM CLI-CHALL? The reason is that the attacker spoofs both SERV and CLI to forward all data. In this case, we can capture the cracked HASH sent by the CLI to the SER.
The following describes how SMBRELAY works:
Make A reservation: A is an attacker, TS is an SMB server, and TC is A client. A began to cheat both parties.
1: when TC attempts to access TS shared resources, it first connects to
2: A sends an attempt to access TS
3: TS confirms and allows connection
4: A pretends to be TS and sends A confirmation response to TC that allows the connection. At this time, A pretends to be TC and asks TS: "wocould you like to talk to me as if Im an NT 4 box without extended security?" (An insecure session mechanism (J session for short)
5: TS allows requests from A to randomly generate challenges and send them to.
6: A uses J dialog mode for TC and sends A group of challenges
6: TC immediately uses A to send the challenge to encrypt the current user name and password and send it to
7: A transfers data to TS
8: TS indicates that the verification is successful.
9: A disconnects from TC and directly connects to TS as TC. At this time, A can connect to TS through IPC, map to hard disk, or even obtain SHELL.
SMBRELAY redirects data through NAT (Network Address Translator) or iptables,
And port 139 of TS is bound to TC. Therefore, when we map the hard disk of TS, it is actually a hard disk of TC. This is also running SMBRELAY.
The reason the host port 139 cannot be occupied.

To better understand the workflow, we can analyze the Attack Process
Let's introduce the usage of SMBRELAY in detail.
Usage: SMBRELAY [Option]
/D num -- set the debug login level, which can be 0, 1, or 2. The default value is 0.
/E -- lists the interfaces of the local Nic. If no data is selected during data forwarding, nothing can be caught.
/Il num -- set the NIC interface number used when adding a local IP address.
/Ir num -- set the NIC interface number used when adding a proxy IP address (like the IP address of smbporxy. The default value is 1. You can use the/E parameter to list the interface numbers of the NIC.
/L [+] IP Address -- set the local IP address for receiving NetBIOS information. + Is used to set the IP address added to the NIC (network interface card) for the first time. The current IP address of the local machine is used by default.
/R [-] IP -- set the start end of the proxy IP address. Use-to set the IP address added to the NIC (network interface card) for the first time. The default value is 192.1.1.1.
/S name -- set the name of the original machine (bait IP). The default value is CDC4EVER.

Note:

1: In win2k, if the system keeps using port 139, SMBRelay will not work normally-it is bound to port 139 because Microsoft has its own self-protection system. The simplest way to solve this problem is to use the/L + parameter to create a new IP address in our own NIC (network interface card ), and your target will first connect to the new IP address, instead of your real IP address. Another method is to manually add an IP address in the control layout, and then use/L to specify the IP address.
2: if possible, SMBRelay will bind port 139 of the system, but it does not mean that it can receive connection information correctly if it can be correctly bound. When SMBRelay is bound to port 139, if the system has any connection to port 139 (including the status of TIME_WAIT), it may not work properly. Win98 will not receive any connection information. In Windows NT, SMBRelay may only receive some connection information. Because of this, I often execute several SMBRelay tasks to increase the possibility of obtaining information. In Windows 2000, SMBRelay cannot be bound if the system is using it.
3: when creating a new IP address on your computer, you must pay special attention to the NIC interface number you should specify when using the/IR or/IL parameter. Use the/E parameter to list Nic interfaces and their parameters. In the NT System