SMB relay attacks

Source: Internet
Author: User

PS: Everything below was tested by me; this is not a theoretical article. If anything is wrong, please point it out. Thanks >_<

First, let's introduce how an SMB relay attack works.

Assume the host on the left is A and the host on the right is B.

A tries to access B's shared service.

Step 1: A says to B: "Hey, please let me log on."
Step 2: B says to A: "Hey, here is a challenge. Encrypt it with your password hash and send the result back to me first; I have to confirm that you have permission."
Step 3: A says to B: "Done, here is the encrypted result."

Scenario 1:
Step 4: B says to A: "OK, come in." (authentication ends)

Scenario 2:
Step 4: B says to A: "No, your identity cannot log on; you can try logging on as someone else."
Step 5: A says to B: "OK, I'll try with the identity you just told me." Go back to step 1 and repeat.

Now, if a third party C is added between the two, and C wants to snoop on B, what will C do?

Here is what C does:

Step 1: A says to C: "Hey, please let me log on."
Step 2: C says to B: "Hey, please let me log on."
Step 3: B says to C: "Hey, here is a challenge. Encrypt it with your password hash and send the result back to me first; I have to confirm that you have permission."
Step 4: C says to A: "Hey, here is a challenge (this is the challenge B issued). Encrypt it with your password hash and send the result back to me first; I have to confirm that you have permission."
Step 5: A says to C: "Done, here it is."
Step 6: C says to B: "Done, here it is."

Scenario 1:
Step 7: B says to C: "OK, come in." (authentication is complete; C has taken A's place and obtained A's permissions)
Step 8: C says to A: "Sorry, no, your identity cannot log on." (A's authentication is over)

Scenario 2:
Step 7: B says to C: "No, your identity cannot log on; you can try logging on as someone else."
Step 8: C says to A: "No, your identity cannot log on; you can try logging on as someone else."
Then A says to C: "OK, I'll try with the identity you just told me." Go back to step 1 and loop.

OK. You can see that both A and B are fooled by C, which is obviously a man-in-the-middle attack.
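As an added illustration that is not part of the original article, here is a toy Python model of the exchange above with C relaying between A and B. It mirrors the shape of NTLMv2 (an HMAC over the challenge, and a session key derived from the password hash and the response; SHA-256 stands in for MD4/MD5) and shows why the defender's fix is SMB signing: C can forward A's answer, but without the password hash it cannot derive the session key, so B rejects the first unsigned message. All names and values are constructed.

```python
import hashlib, hmac, os

def nt_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def challenge_response(pw_hash, server_challenge):
    # Shape of NTLMv2: an HMAC keyed on the password hash over the server's challenge
    return hmac.new(pw_hash, server_challenge, hashlib.sha256).digest()

def session_key(pw_hash, response):
    # Signing key comes from the hash and the response, so only the password holder can derive it
    return hmac.new(pw_hash, response, hashlib.sha256).digest()
class Client:  # A: knows the password and answers whatever challenge it is handed
    def __init__(self, user, password):
        self.user, self.pw_hash = user, nt_hash(password)
    def respond(self, challenge):
        resp = challenge_response(self.pw_hash, challenge)
        self.key = session_key(self.pw_hash, resp)
        return self.user, resp
class Server:  # B: stores hashes, issues challenges, optionally requires signed messages
    def __init__(self, users, require_signing):
        self.users, self.require_signing = users, require_signing
    def challenge(self):
        self.chal = os.urandom(8)
        return self.chal
    def authenticate(self, user, response):
        h = self.users.get(user)
        if h is None or not hmac.compare_digest(response, challenge_response(h, self.chal)):
            return False
        self.key = session_key(h, response)
        return True
    def accept_request(self, payload, signature):
        if not self.require_signing:
            return True
        # Signing required: every message after authentication must carry a MAC under the session key
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(signature or b"", expected)

def legitimate_session(client, server, payload=b"tree connect"):
    user, resp = client.respond(server.challenge())
    sig = hmac.new(client.key, payload, hashlib.sha256).digest()
    return server.authenticate(user, resp) and server.accept_request(payload, sig)

def relayed_session(client, server, payload=b"tree connect"):
    # C in the middle hands B's challenge to A and A's answer to B; C never sees the hash or the key
    user, resp = client.respond(server.challenge())
    if not server.authenticate(user, resp):
        return "rejected at authentication"
    return "session usable" if server.accept_request(payload, None) else "blocked by signing"
```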

There is another odd point here; I don't know if you noticed it. A wants to talk to B, so how did it end up talking to C?

It must be that A mistook C for B. How does C pull that off?

Next, let's look at C's deception. What would you do if you were C?

1. NBNS spoofing. Premise: a) A, B and C must all be in the same LAN; b) A looks for B by B's computer name rather than B's IP.
2. DNS hijacking. Premise: A looks for B by B's domain name rather than B's IP address.

Let's reproduce this attack!

Method 1: NBNS spoofing + SMB Relay

Setup:

A: winxp, 192.168.30.129
B: win2k3, 192.168.30.130, computer name: smbserver
C: kali, 192.168.30.145

Use the smb_relay module in msf on Kali and set SMBHOST to B (192.168.30.130).

Use the nbns_response module in msf on Kali to resolve B's computer name (smbserver) to C's IP address (192.168.30.145).

On WinXP, access the share on smbserver.

OK. Go to Kali and check the result.

Cool, we got B's Meterpreter shell.

Principle: NBNS is broadcast, so C only needs to answer A before B does: "my computer name is smbserver".
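Added example, not part of the original article: a Python decoder for NBNS name query responses (RFC 1002) plus the detection logic a defender would run over traffic sniffed on the LAN. Because a spoofer answers before the real host, two tells stand out: an answer for a known name that points at an address the inventory does not list, and a single source answering for many different names. The packets and the inventory below are constructed to match the lab above.

```python
import struct, ipaddress

def encode_nb_name(name, suffix=0x20):
    # RFC 1002 first-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_nb_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_nbns_response(txid, name, addr):
    # Constructed positive name query response: flags 0x8500 (response, authoritative), one NB record
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_nb_name(name) + b"\x00"
    rdata = struct.pack(">H4s", 0x0000, ipaddress.IPv4Address(addr).packed)  # NB_FLAGS + NB_ADDRESS
    return hdr + rr_name + struct.pack(">HHIH", 0x0020, 0x0001, 300, len(rdata)) + rdata

def parse_nbns_response(pkt):
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an == 0 or pkt[12] != 0x20:
        return None                      # not a response, or nothing we can decode
    name, suffix = decode_nb_name(pkt[13:45])
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, 46)
    if rtype != 0x0020:
        return None
    addrs = [str(ipaddress.IPv4Address(pkt[58 + i:62 + i])) for i in range(0, rdlen, 6)]
    return {"txid": txid, "name": name, "suffix": suffix, "addrs": addrs}

def detect_spoofing(observed, inventory, max_names=3):
    # observed: (source_ip, raw_packet) pairs sniffed on the LAN; inventory: NAME -> legitimate IP
    alerts, names_by_source = [], {}
    for src, pkt in observed:
        r = parse_nbns_response(pkt)
        if r is None:
            continue
        names_by_source.setdefault(src, set()).add(r["name"])
        expected = inventory.get(r["name"])
        if expected and expected not in r["addrs"]:
            alerts.append(f"{src} answered {r['name']} with {r['addrs']}, inventory says {expected}")
    for src, names in names_by_source.items():
        if len(names) >= max_names:  # one host claiming many names is the poisoner pattern
            alerts.append(f"{src} answered for {len(names)} different names")
    return alerts

# Constructed sample traffic for the lab above: B answers honestly, C answers for everything
SAMPLE = [("192.168.30.130", build_nbns_response(0x1234, "smbserver", "192.168.30.130")),
          ("192.168.30.145", build_nbns_response(0x1234, "smbserver", "192.168.30.145")),
          ("192.168.30.145", build_nbns_response(0x1235, "fileshare", "192.168.30.145")),
          ("192.168.30.145", build_nbns_response(0x1236, "wpad", "192.168.30.145"))]
INVENTORY = {"SMBSERVER": "192.168.30.130"}
```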

Method 2: DNS hijacking + SMB Relay

Setup:

A: winxp, 192.168.30.129

B: win2k3, 192.168.30.130, domain name: pai.baidu.com

C: kali, 192.168.30.145

Because I had a limited number of virtual machines, I used B to simulate a DNS server that has been compromised on the intranet.

Use the smb_relay module in msf on Kali and set SMBHOST to B (192.168.30.130).

On the DNS server, point the domain name pai.baidu.com to C (192.168.30.145).

On WinXP, access the share on pai.baidu.com.

OK. Go to Kali and check the result.

B's shell is obtained successfully.

If you paid close attention to the details, you should have a question: if we enable NBNS spoofing and DNS hijacking at the same time and point them at different IP addresses, what happens?

I'll tell you: only DNS hijacking takes effect.

You can see it here.

A first accesses a nonexistent name, and we capture the packets.

You can see that the first packet sent by A (192.168.30.129) is a DNS query.

Both attacks above rely on A taking the initiative to talk to B. If A never contacts B, wouldn't we have to wait a long time?

That's too passive. I have to change this!! How? This is what I really want to talk about >_<

UNC attack + SMB Relay

Setup:

A: winxp, 192.168.30.129
B: win2k3, 192.168.30.130
C: kali, 192.168.30.145

Because I had a limited number of virtual machines, I used B to simulate a compromised web server (domain name www. caoliu. oh).

Every day, the administrator likes to visit caoliu from his personal computer to see what new resources are available.

I know he will do this, so I first took over the web server of caoliu, and then inserted a link like this on the home page.

 

Unfortunately, he won't see this picture. If the account and password on his personal machine are the same as those on the server, he loses his server. However, there is a premise: the shares of A, B and C must be reachable from one another. If the personal machine is outside the firewall, this is impossible.

That is the principle. There is no screenshot for this one, so use your imagination >_<

Upgraded SMB relay

Above, access from A to B got B hacked, and the UNC attack only succeeds when the account and password are the same. That's too dumb. Since SMB relay is possible, why don't we relay A's traffic back to A itself? Then the account and password are necessarily correct. If A has sharing enabled and C can reach it, the attack succeeds. Now go and experiment with it yourself!

Related Articles:

Http://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
