SMBetray: Backdooring & Breaking Signatures

Video in TIB AV-Portal: SMBetray: Backdooring & Breaking Signatures

Formal Metadata

Title
SMBetray: Backdooring & Breaking Signatures
Alternative Title
Backdooring and Breaking Signatures
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
When it comes to taking advantage of SMB connections, most tools available to penetration testers aim for system enumeration or for performing relay attacks to gain RCE. If signatures are required, or if the victims relayed are not local admins anywhere, that can put a real dent in leveraging SMB to gain any serious footholds in a network. Fortunately, the mentioned attacks are only the tip of the iceberg of the ways to gain RCE with insecure SMB connections – and there’s a new tool to help take full advantage of these opportunities.
Hello, welcome to the Track 1 two o'clock talk. I hope you learn something new about SMB. This is William Martin.

Hey guys. So, as you introduced, my name is William Martin. For anyone who saw me yesterday, this is gonna feel familiar. I'm an OSCP, I'm a pen tester based out of Charlotte, North Carolina, I'm a supervisor at RSM US LLP, and this is my second time presenting at DEF CON (the first was yesterday). So, lessons learned from yesterday: if you've got any questions about this talk, want me to clarify or expand, or want to get in contact with me, take a note of the Twitter handle right now. That's the best way you're gonna be able to reach me, so it's a quick reach.

Anyways, before we get started I want to make sure all the right people are in the room. We're gonna be talking about SMB and SMB-based man-in-the-middle attacks. For red teamers this is useful to, you know, add a new kind of attack to your tool set and a new technique to your arsenal. For blue teamers, you want to know how to stop the red teamers from using what they learn today. And for, like, the three guys curious about SMB, it's also for you. Thank you.

So first things first, let me clarify some terminology. When I mention an SMB server, do not think of, like, a Server 2012 or 2008. It is any Windows PC, typically connected to a domain. Every Windows PC runs an SMB server by default, and when you're on a domain, typically that port is opened up so that anyone can talk to it. So when I say SMB server and client, it can be Windows 7 to Windows 7, 2012 to 7, 2012 to 2012; there is no connotation tied to the actual operating system.

So what is SMB? In a nutshell it's a way to, you know, access files remotely. It's Microsoft's solution for network-based file sharing and file management. You can read and write files to it, you can authenticate to it, you can map network drives, and you can actually access some, you know, RPC pipes over it, as, you know, hackers love, like, through PsExec and whatnot.

What I want to clarify is that through this talk I'm gonna be talking about SMB1 and SMB versions 2 and 3. Now back when Vista was released, Microsoft pretty much did an entire rework of the SMB protocol. Originally it was based on an IBM system, and that's what we call, like, NTLM, and Microsoft uses NTLM everywhere, so the names always get mixed up. But SMB version 1 is what you're particularly familiar with, like, you know, MS17-010 and things like that. SMB versions 2 and 3 are an entire rework of the SMB protocol, and within that there are different versions, also called dialects. So 2.0.2 is the first version of SMB 2 or 3, and then you've got 2.1, then 3.0, and then 3.0.2, etc.

So a typical, ooh, exchange in SMB looks like this: someone says "hey, what's in this folder?" and the server replies "you've got Documents, Desktop, and, you know, some not-password file." So we love it for passing the hash, we love it for system enumeration, and we love it for spidering shares and hunting for sensitive data, so, like, you know, the cpassword vulnerability in SYSVOL, and obviously for MS17-010.

Now the premise of this talk and the origin of this talk is SMB signing, in particular how it defeats my absolute favorite attack. My favorite attack is the NTLM relay attack, especially against SMB servers. If anyone has used Impacket's ntlmrelayx.py tool, you know that. In a nutshell the attack works like this: a victim says "hey, where is my network share?" and the attacker says "hey, I'm that, I'm pulling up that network share." The victim says "cool, let me log in." We then relay that to some random server we pick and say "hey, let me log in as this dude." The server says "yeah, that's cool, just hash your password with this challenge." We send that back to the victim, they comply, we forward that on to the server, so really the attacker logs in, and then we kick the victim, we ghost them. And once we have that connection we can enumerate the system, we can actually run commands, we can dump it; that's now our box if the person's a local admin.

Now the thing that sucks about this attack: if anyone's run this, you might have seen this: "signature is required." Now I had a bit of confusion. I just manipulated the entire authentication process for this victim, yet they have somehow established a secret or trust between each other unbeknownst to me. So I didn't know how. How could they have done that? Was there some kind of, like, public key, you know, certificate kind of thing going on? I had no idea. So when I looked up what SMB signing is, I got vague descriptions, and if you were ever curious you've seen this. So naturally, like most of you, I Googled it, and I got answers like "it stops man-in-the-middle attacks," "stops man-in-the-middle attacks," "trust us, it stops man-in-the-middle attacks."
"It's Microsoft's solution to stop man-in-the-middle attacks." That's about it; that's all the information I could find. So I knew that it protects the integrity of SMB messages, because when we edit it after signing is enabled we get screwed. It's required by default on DCs, it occurs only after the authentication process, and it stops my favorite attack, which is kind of like a dick move. So I dove into the MSDN docs, and this was supposed to be a GIF but, you know, whatever, and I saw things like this, and I saw things like that for a while, quite a while, but eventually I found the answer to what SMB signing actually is, and we're gonna dive into that.

At the end of the authentication phase both the client and the server will share the same session base key. It's just a sixteen-byte value. They then use that value to generate other keys to then sign the messages. Now the goal of what we're about to cover is: where does that key come from, and how can we compromise it? Well, that's what a signature looks like, for anyone who hasn't used Wireshark on a DC. So the session base key actually depends on what authentication mechanism is used, so let's talk through NTLMv2, also my favorite type of authentication.

There are three messages in NTLMv2: there's Negotiate, a Challenge, and an Authenticate. So Negotiate just says "hey, I want to log in," and they send some empty parameters. Like you can see in this capture, there is no username, there's no workstation, there's no domain name. It just says "I want to initiate this conversation." One flag that can be in this message is called the negotiate key exchange flag, and we're gonna get into that later, but in a nutshell what that means is that once both the client and the server have established that shared session base key, they're gonna change it again. That's what that flag means; we'll get to that.
The Challenge says "cool, all right, hash your password with this data and then send it back to us," and this contains the server challenge information and server information like the host name, domain name, DNS names, stuff like that. The Authenticate message contains a lot of stuff: the user name, the domain, the client challenge, the NTProofStr, which in a nutshell is the hash generated by the client, a bunch of response and server versions, things that aren't plaintext that we don't particularly care about, and an encrypted new session base key thing. If you look in this message you'll see there's a session key value, like B4852 whatever. That only exists there if the negotiate key exchange flag was set earlier. That is the encrypted version of the new session base key, but if they didn't negotiate that, that value's gonna be empty and they're just gonna proceed with the keys they generated on their own. So that was very high level, but let's get down to how the keys are actually generated.

We need to know what HMACs and CMACs are before we can get into that. In a nutshell they are message authentication (not authenticating) code algorithms. You can think of them, if you're familiar with password salting, you can think of them like a salt, where you have a message and you're gonna hash that message, but while you're hashing it you include a secret value, so that only those with that secret value can throw it into that hashing algorithm to create the same hash. So in an HMAC or CMAC the underlying protocol might vary, like some use AES and some use, like, SHA-256, but in a nutshell their goal is to hash the message in addition to, like, some secret information.

So let's actually walk through generating those session base keys. Step one is we need the NT response key; that is the user's NT hash, so it goes from plaintext to NT hash. Step two, we take all of the information from the server challenge and we put that together, and we use the HMAC algorithm with the password, with that hashed password, the NT hash. And then we have our session base key, which is the NT response hashed again: we plug in the password hash again in addition to all of this server information that you already hashed. All together it looks like that. The key takeaway though is that the highlighted information is the only information we don't have in this exchange to generate the keys that protect all SMB sessions. We just need the user's password, which is great, because they're always secure, we can never crack them. That was my response when I found out that the key concept protecting all these connections was just their password. I mean, think about if TLS was protected not by some random long string generated through the connection establishment phase, but instead by, like, the dude's password on the website he's connected to.

So the key logic works like this: the password gets converted to the NT hash, gets combined with all that authentication data, and then that generates the session base key. Once you get that session base key you can use that to then sign packets, or in other versions of SMB you can use that to generate the keys to sign the packets. Long story short, this is the value we care about. So as I mentioned earlier, if that flag is set and you generate that key, you're just gonna use it to decrypt this one and that becomes the new one.
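The derivation just described (NT hash, NTOWFv2, NTProofStr, session base key, the optional key-exchange unwrap, and SMB 2.0.2/2.1 HMAC-SHA256 signing), written out as an added example that is not code from the talk or from the SMBetray project. It follows MS-NLMP and MS-SMB2 with constructed sample values; the names `damien`, `CORP`, the challenges and the header fields are all made up. It shows that the client and the DC, sharing nothing but the password, arrive at the same signing key, and that a wrong password gives a key under which a captured signature fails to verify.

```python
"""NTLMv2 key derivation and SMB 2.0.2/2.1 signing, the chain the talk walks through.
Added example with constructed values, not code from the talk or SMBetray; follows MS-NLMP and
MS-SMB2. MD4 and RC4 are written out because hashlib's MD4 is missing on many OpenSSL builds."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (boolean function, word order, shift amounts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rot((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4; NTLMSSP uses it to wrap the exported session key when KEY_EXCH is negotiated."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(uppercase(user) + domain))."""
    nt_hash = md4(password.encode("utf-16le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_keys(password, user, domain, server_challenge, client_blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || client blob); SessionBaseKey =
    HMAC-MD5(NTOWFv2, NTProofStr). client_blob is the NTLMv2_CLIENT_CHALLENGE structure
    (timestamp, client challenge, AV pairs) carried in the AUTHENTICATE message."""
    key = ntowf_v2(password, user, domain)
    nt_proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return nt_proof, hmac.new(key, nt_proof, hashlib.md5).digest()


def exported_session_key(session_base_key, encrypted_random_session_key=None):
    """Without KEY_EXCH the session base key is used directly; with it, AUTHENTICATE carries a
    fresh client-chosen key RC4-wrapped under the session base key, which both sides unwrap."""
    if encrypted_random_session_key is None:
        return session_base_key
    return rc4(session_base_key, encrypted_random_session_key)


SIG_OFFSET = 48  # Signature field inside the 64-byte SMB2 header


def smb2_sign(session_key, message):
    """SMB 2.0.2/2.1: HMAC-SHA256 over the message with Signature zeroed, truncated to 16 bytes."""
    zeroed = message[:SIG_OFFSET] + b"\x00" * 16 + message[SIG_OFFSET + 16:]
    return hmac.new(session_key, zeroed, hashlib.sha256).digest()[:16]


def smb2_verify(session_key, message):
    return hmac.compare_digest(smb2_sign(session_key, message), message[SIG_OFFSET:SIG_OFFSET + 16])


def demo(password="Summer2018!", guess="Winter2018!"):
    """Client and DC derive one key from the password alone; a wrong password yields a key under
    which the captured signature fails to verify."""
    user, domain = "damien", "CORP"                       # constructed sample identity
    server_challenge = bytes.fromhex("0123456789abcdef")  # constructed 8-byte server challenge
    client_blob = (bytes.fromhex("0101000000000000") + struct.pack("<Q", 131700000000000000)
                   + bytes.fromhex("8899aabbccddeeff") + b"\x00" * 12)  # constructed, AV pairs empty
    _, client_sbk = ntlmv2_keys(password, user, domain, server_challenge, client_blob)
    _, dc_sbk = ntlmv2_keys(password, user, domain, server_challenge, client_blob)  # DC knows the password
    wrapped = rc4(client_sbk, bytes.fromhex("00112233445566778899aabbccddeeff"))    # KEY_EXCH wrap
    session_key = exported_session_key(dc_sbk, wrapped)
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 5, 0, 8, 0, 1, 0, 1, 0x1234) + b"\x00" * 16
    message = header + b"\x09\x00\x00\x00"                # constructed 64-byte header + minimal body
    signed = message[:SIG_OFFSET] + smb2_sign(session_key, message) + message[SIG_OFFSET + 16:]
    _, guess_sbk = ntlmv2_keys(guess, user, domain, server_challenge, client_blob)
    return {
        "same_key_on_both_sides": client_sbk == dc_sbk,
        "verifies_with_password": smb2_verify(session_key, signed),
        "verifies_with_wrong_password": smb2_verify(exported_session_key(guess_sbk, wrapped), signed),
    }
```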
So with that knowledge now of how those session base keys are generated, I want to go back to my favorite attack, the NTLMv2 relay attack, and show where that trust was established. And I know there are some Microsoft guys or AD admins in here who are gonna laugh at this for leaving this step out. So here's what it looked like: we've sent the challenge response, we have sent the Authenticate message to the server. The victim at this point, before the server replies, has already gathered all the information required to generate that session base key, so he's cool. The server doesn't have the user's password, unless, you know, you're connecting to a DC itself, so the server actually sends all of that data off to the DC through a mandatory encrypted channel, please trust me on that one, and the DC will reply whether it's a valid login, and if it is, the DC will generate the same key in the same way that the victim did and provide that to the server. That's the trusted secret that we don't get.

So I know you're all thinking, what about Kerberos? So Kerberos is a bit more difficult to get into. Starting from step 0, when a user logs in to their workstation, they log in and they send a request to the Kerberos server, I believe the DC. Kerberos will reply saying "hey, encrypt this timestamp with your password so I know it's legitimate." We send the encrypted timestamp, and the Kerberos server replies with our TGT, which has our session key. We're gonna use that for most everything on the domain: we're gonna use that for future communication with the DC, we're gonna use that to request tickets to other resources on the network, such as when we want to connect to something called File Server One, this is a random file server, and the DC will reply with an encrypted service session key. In that packet we'll send the ticket we just received off to the file server. The file server, assuming it's valid, will reply and say "hey, cool, you're good," and if there is extended security it will reply with another encrypted session key, which all together looks like this: the password turns into the Kerberos session key we got when we first logged into Kerberos, that we use to decrypt the service session key we get when we ask for a ticket to a file server, and if they're using that extended logic, we use that last key to decrypt the now new key provided from the file server. These keys are then used to sign the SMB messages. These are the SMB session keys, and the algorithm used to generate these keys and to generate the signatures varies based on the version of SMB: version 1, which is MD5; versions 2 and 2.1 kind of beefed it up a little bit with SHA-256; and versions 3 and 3.1.1 really beefed it up with AES-128. So now that we know the only thing protecting these sessions is the integrity and the complexity of the user's password, let's go after it.

So first things first. We just talked about how to kind of break SMB signing keys and how to break signed SMB connections, but when SMB signing isn't used, or we have that key, it's essentially HTTP without HTTPS: encryption is not used. We can steal copies of files passed over the wire with or without the keys, and encryption's not used by default. If signing is not used it's fair game: you can replace every file with an identical link that executes our code, you can swap out the contents of legitimate files passed over the network, you can inject fake files and directories, and that helps with social engineering. And if signing is used and we know the password, then we can do all of the above; we can also backdoor some stuff pulled from the DC by the user. So in SMB version 1 they don't really use signing by default, and in SMB versions 2 and 3 the case is pretty much the same: unless somebody requires signing on one of the sides, no one uses signing. So we just talked about how to break signing, but most of the time it's not even in place to begin with. Also, in SMB version 1 there is no encryption, so for those plaintext files passed over the network we can just grab them. SMB versions 2 and 3: it supports encryption in version 3, but it's not enabled by default and enabling it is a bit of a pain, so chances are you can also, regardless of the password, still steal files passed over the network.
broken down there are various versions of SMB and they're supported on various types of operating system like vista came out with SMB version two and i was the first one to come out with it with 202 then you've got the latest and greatest Server 2016 using three one one and Windows 10 using three one one everyone else uses something earlier or running out earlier in between those
notable exceptions in all of this is that DC's requires to be signing by default Windows 10 2016 have protected past that always require signing if they're connected to a path that matches these pass so anything that's like something sis fault or something net log on the clients gonna require signing regardless of what the server says and that's through a process called UNC hardening one other notable exception is that if a client supports SMB version 3 as 302 or 311 then regardless of if signing is used or not at the end of the authentication phase they're going to send a message to the server saying hey just make sure all on the same page here's the information you gave me during the negotiation phases is still cool and that's a sign message so the server now has a way to kind of verify that no one messed with it in between even if they're not using signing for any of the subsequent messages only catch here is that in that message the one that verifies all on the same page it covers everything except for the authentication mechanisms used so even with that you can still downgrade them to ntlm v2 and get away with it so on the other end of spectrum smb3 1/1 is a beast and i'll give kudos to net pile on that one the SMB keys rather than just being based on the authentication mechanism used it's also based on the hash of every packet passed back and forth during the negotiation in authentication so if you edit anything then the server and the client are not gonna have the same keys and the connections going to drop so not bad on that one so recap its use on DCs and on 10 and 2016 on those paths encryption is only on sp3 bit the manual process every dialect up except for 3 1 1 can be downgrade on ntlm v2 and signing an encryption keys are at the root based on the user's password so let's attack that I built SM betray and the goal is just to build a tool to really take advantage of these Manville vulnerabilities the attacks been running before are like the relays I 
could describe where, you know, we're enumerating the system if we're putting ourselves in between a victim and a server, or we're trying to pop it if they have local admin. But if they don't have either of those, that's pretty much where the road ends for us on SMB attacks, except for, you know, MS17 or patch-related vulnerabilities. So I wanted to take the focus, instead of, you know, relaying or putting the focus on the server; I wanted to go back on the client. I wanted to go back to the HTTP mindset of attacking the client. So the biggest obstacle in all of that was putting ourselves in the position to attack the client.

So we wanted to be right there. We wanted to be between... my buddy Damien's in the crowd... we want to be between Damien and his DC, his file share and his other file share, because many users have multiple. We didn't want to just pick between, you know, being in between Damien and this DC and that's it, so we're missing a lot of data there.

So when I was trying to build this tool, and I was trying to put it on top of a MITM framework, I kind of had two options. The first one was through the use of an arbitrary upstream server. A lot of these MITM tools will use an arbitrary upstream server as a way of MITM stability. Long story short: you receive a connection during, like, an ARP cache poisoning attack, iptables will redirect that connection right back to you, and then in the socket layer you will forward it on to whatever you want. The catch is, when you're at that layer you don't have the original destination of the connection you just hijacked. So if Damien was trying to connect to his DC and I intercepted that connection, I might be redirecting him to some random file share I picked, and on his end that's not what he wants, so he's gonna drop the connection, and it might not give me all the things I want. I want him using that connection so I can take advantage of every opportunity; I want him downloading files so I could steal them over the wire.

The other opportunity for a MITM tool to kind of, you know, take advantage of that was through the use of NFQUEUE. NFQUEUE really gets down to the kernel level, allows you to edit those packets and intercept those packets in live time, so you don't have to worry about losing the destination information as you're applying this intercept. So you can put yourself in between all of those servers. The only catch is that when you put yourself in between all those servers, Python is what I was using, and Python would just snowball; it would drag. What would seem very quick to us was eons for TCP. So the only solution that I found to do a full transparent MITM attack was killing me, because it wasn't fast enough; it wasn't parsing the data fast enough to pass the information back on.

So I tried to combine them so I get the solution that I wanted. I created a little library called EBC lib, which was kind of a play on... there was ettercap and there was bettercap, so, you know, tongue in cheek, I put EBC for "even better cap", as a MITM TCP kind of framework. So it gives you all of the freedom of a transparent proxy built on NFQUEUE, where you can just say, hey, put myself in between Damien and whatever he's talking to, without editing it, or, if I choose to, with the connection stability of a bettercap with an upstream proxy.

And that's the technical of how it works. Long story short: you get the packet in NFQUEUE; rather than trying to edit the packet the entire time and do whatever attack you intended, instead it just performs one task, which it does pretty quickly, so that the connection doesn't drop. NFQUEUE will get the packet, it will just take the source and the destination information, store it in a shared piece of memory, and then pass it on. That gets redirected, like the first type of MITM attack, to a TCP server, and there you have the stability of TCP. The TCP server will reach out to that shared memory, find out where this dude was actually trying to go to, and then builds that connection dynamically out there. So once you receive a connection that exists, it just passes through the TCP server like business as usual.
So now that we can put ourselves in between the server that we want to hit and the user, let's go ahead and let's start attacking. Let's downgrade the dialect and the authentication mechanisms used, let's steal the passive files that I've been harping on, let's inject some files that swap out some content, and let's replace files with an identical link so that when they click it, it launches that thing. And of course, if we know the password for the user, let's just leverage that information to break those session keys.

So the way SMBetray is broken down kind of looks like this. We put ourselves in between the victim and whatever server they want, even multiple servers at a time. The victim will say, hey, what's in this folder? That request occurs typically when you open up a folder in a share and it starts listing all the files and folders in there. We pass that on to the receiving server; the receiving server will reply saying, here you go, file1, file2. We'll get that and, if we know the keys or it's an insecure session, we'll throw our own file in there, or we'll modify the details of the files that were just listed, like their file size. The user might request one of the files we just lied about and said it was in that folder. Now, instead of passing that on to the server, because the server would reply with an error saying that file doesn't exist, we send them a convenient function in SMB called an echo.

SMB loves to keep its messages in sync: each request and response has a numeric ID. So if I... I'm gonna pick on Damien again... if I say "hi Damien", that has a message ID of one; when he replies, that's a message ID of one, and that conversation's concluded. If I say another thing to him, that's message ID two; his reply is message ID two. That helps verify that we haven't missed anything in this conversation. But if the user just requested a file that does not exist and we're not going to pass it on to the server, there will now be a discrepancy in how they talk to each other; their IDs are gonna be misrepresented and they're gonna be off. So to keep them in sync, for every request that is completely forged or malicious by the victim that we're handling, we're gonna send an echo request to the destined server. When the server replies to that echo, we've now incremented the message IDs again, and now we're gonna reply to the victim with whatever we wanted. And that way, when they continue their conversation with each other, no one will identify that they've been swindled (old word).
So now let's show a brief demo of what this is gonna look like. So assume we've done an ARP cache poisoning attack on this victim, and we're between them and a switch. On the other end of the switch it's gonna be, like, a DC, and there's gonna be just some file share.

So first things first, we're just logging into a user's workstation to show you what a non-attack scenario looks like, what his average PC sees. He's got a file share mapped drive called "some network share" and there are some files in there. Keep mental note of the files that you see, because we're gonna be injecting some and removing some. Cool.

So now we're gonna launch the ARP cache poisoning attack to really put ourselves in between him and whatever he wants to talk to. And also note, the server that he just connected to, the one with the files and his mapped network drive, requires SMB signing. We've got a file containing a lot of popped credentials, so if you've been running, like, an LLMNR and NBT-NS NetBIOS poisoning attack on your LAN, you might have these credentials. We're gonna load these credentials into the tool itself; it's just gonna use them, and when it sees a connection coming from that user, it's gonna try to leverage those credentials to pop the SMB signing keys. The attack we're running is gonna be a "link swap all" attack as well as "inject files". Inject files, intuitively, just injects files: it makes files appear in the directory that don't actually exist in the directory. And link swap all is: any file at all, we're gonna replace it with a link instead that will run whatever we want. In this case we're just running calc, and we're running calc because when I was writing up this demo I didn't have time to fight with Windows Defender, 'cause it's been kicking ass lately, so calc was easy enough.

It's now Paul Davis; he's gonna log back into his PC. You can see we captured his hash, and in the background you can see that it's reported that we broke his session base key through both NTLMv2 and, cut off a little bit, but it says Kerberos. And now it shows that we just injected some files: "click me", "inject me", "seems legit". All those... the text file that we opened up earlier is now a link, and when opened will run whatever we want; in this case it was calc. "Inject me", a totally fictitious file that doesn't exist on the server he thinks he's talking to, is now there. And any file [Applause] thank you, any file that this user is now downloading or opening, either directly or indirectly, you know, through back-end processes in Windows, we will be passively stealing a copy of.

And to show the impact of that, I'm gonna run the attack again, but I'm gonna run the attack again with no credentials, and the only thing I'm gonna do is passively steal stuff. So this is useful if you are on a LAN that's pretty hardened and you can't get local admin anywhere, you can't crack their creds, but you need to still, you know, make some progress on hacking them. So we're removing the credentials and we're just going to listen passively.

As it turns out, when Windows starts up it downloads a lot of useful information from the DC, and if you are lucky enough to be running an attack like this, or if you DoS your client, or you DoS your victim to convince them to reboot their PC, you might just be able to capture all of these valuable pieces of information from the DC. I recorded this demo on a PC from 2012, so it's not going to be the quickest thing. The PC just started up and we've already intercepted some connections. Paul Davis is logging in, and we're now stealing some data from the group policy, including the registry.pol file, which contains a lot of valuable information in terms of registry settings configured for the users on the domain. So that was the demo.
[Applause] So once I get photo, then we posted this evening. Cool. So now that we've just kind of demonstrated that SMB keys are based on passwords, and that even without the password we can still intercept and modify a lot of connections, and we can especially download some useful information from the group policy, how do we stop this from happening?

Ned Pyle, the guy who I would argue is in charge of SMB globally: disable SMB1. Second thing: even though we just demonstrated that you can defeat SMB signing, that's by no means any excuse not to require it. There is, for those who haven't run Nessus scans, there's an option to just support SMB signing and there is one to require it always, and I highly recommend you require it always. Unless you're running XP systems, you're gonna be able to support that.

So SMB version 3 introduced encryption, and I would love to see organizations really start pushing this thing out. Any SMB3 client supports it, so if you're running anything later than Windows 7 in your org, you can put encryption pretty much everywhere you want, and it is actually more efficient than signing the messages. So you can support encryption or you can require it. If you support it, then the SMB3 negotiation is protected; if they negotiate that they can support encryption, they're gonna encrypt the session.

UNC hardening is one of the features used by default by Windows 10 and 2016 to protect the SYSVOL and the NETLOGON shares, for any connection going out to something that looks like that, but you can manually require that on any other kind of path. So if you know in your organization that there is a very specific file share that your users are connecting to, that you wanna make sure is pretty locked down, you can lock it down from the server side by requiring signatures or requiring encryption. You can also lock it down on the client side, preventing them from connecting to rogue servers, by throwing in this UNC hardening saying, hey, if you're connecting to this server, or a server that looks like this, do XYZ.

Man, I hate to say this, because as a pen tester I love NTLM, but NTLM really is outdated. It was made near the '90s; I was made near the '90s. So if you can, run through audits in your organization, see where NTLM is used, and if you can't disable it... this car plunk just out of those property as a car block... if you can't disable it across the org, then find out where it's used and then restrict it just to those systems. For me that screws me over, but I'm just, well, here for security now.

Kerberos FAST armoring is an interesting thing. We showed that if we know the user's password we can intercept their Kerberos authentication phase and steal their Kerberos session key from the initial logon, and then use that to steal their Kerberos ticket session keys from every subsequent request. That can be protected, but it requires Kerberos FAST armoring, which is, in a nutshell: any request going to the Kerberos server is first locked up with... I'm hoping I have my details right... with the machine account's Kerberos tickets, which means unless you can pop the machine account password, with that obscenely large password, you're not gonna be able to modify or intercept that Kerberos session key, even if you know the password. So, huge precautions when enabling FAST: it requires Windows 8 and 2012 or later throughout the environment. Just like SMB signing, it can be supported or it can be required. If you just support it, we're gonna take advantage of the benevolence of the server and just downgrade clients. But if you require it, then you better make sure that all your clients can connect to it; otherwise you're going to brick them, they're not gonna be able to talk to the DC. So Microsoft has great documentation on how to push out FAST armoring, and I'd highly recommend you go through the procedure of pushing this out through your organization.

And always use passphrases and not passwords. A lot of the SMB signing crap that we just covered, in terms of breaking the keys, relies on, you know, compromising their password. So push out strong passwords... push out strong passwords and require SMB signing, and you're a lot better off than you were at the start, even if you don't do all the other complicated, involved things like FAST armoring.

All right, so that pretty much leaves us to, like, a Q&A, but right now I want to acknowledge the few people who have contributed on this talk. Ned Pyle is principal program manager at Microsoft, and it was awesome: I did my own research on MSDN and I said, hey, to the best of my knowledge here's how SMB works and here are the various circumstances that it behaves in, is this cool? And he was awesome in terms of providing feedback and giving me direction on yes-and-no things, so I didn't give you guys misinformation. So he was awesome. Matthew George also worked side by side with Ned on this one to kind of spot-check me on this, and Core Security for the Impacket library, which all of SMBetray is based on, and I used their library when I was trying to figure out more on how SMB signing works. So that's about it.
[Applause] [Music] [Applause]
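As an added defender's check (not from the talk or the SMBetray project), the following PowerShell audits, and with -Enforce applies, the host-level mitigations the talk recommends: SMB1 off, signing required on server and client, SMB3 encryption, and UNC hardening. It assumes an elevated shell on Windows 10 / Server 2016 or later; FILESRV01\SomeNetworkShare is a placeholder, and the "expected" values are this script's own choices rather than a vendor baseline.

```powershell
# Audit (and optionally enforce) the SMB hardening the talk recommends.
# Added example, not from the talk or SMBetray. Run elevated on Windows 10 /
# Server 2016 or later. FILESRV01\SomeNetworkShare is a placeholder share name.
param([switch]$Enforce)

$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration

# Each check: a label, whether the host already passes, and the remediation.
$checks = @(
  @{ Name = 'SMB1 disabled on server';       Pass = -not $srv.EnableSMB1Protocol
     Fix  = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } },
  @{ Name = 'Server requires signing';       Pass = $srv.RequireSecuritySignature
     Fix  = { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force } },
  @{ Name = 'Client requires signing';       Pass = $cli.RequireSecuritySignature
     Fix  = { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force } },
  @{ Name = 'SMB3 encryption on all shares'; Pass = $srv.EncryptData
     Fix  = { Set-SmbServerConfiguration -EncryptData $true -Force } },
  @{ Name = 'Reject unencrypted access';     Pass = $srv.RejectUnencryptedAccess
     Fix  = { Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force } }
)

foreach ($c in $checks) {
  $tag = if ($c.Pass) { 'OK  ' } else { 'FAIL' }
  Write-Host "[$tag] $($c.Name)"
  if (-not $c.Pass -and $Enforce) { & $c.Fix; Write-Host '       remediated' }
}

# UNC hardening (client side): Windows 10/2016 already pin SYSVOL and NETLOGON;
# the same policy on a specific share makes clients refuse a server for that
# path unless it is mutually authenticated and signed. RequirePrivacy=1 adds
# a demand for SMB3 encryption on top of that.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$paths = @{
  '\\*\SYSVOL'                   = 'RequireMutualAuthentication=1, RequireIntegrity=1'
  '\\*\NETLOGON'                 = 'RequireMutualAuthentication=1, RequireIntegrity=1'
  '\\FILESRV01\SomeNetworkShare' = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
}
if ($Enforce -and -not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($p in $paths.Keys) {
  $cur = $current.$p
  $tag = if ($cur -eq $paths[$p]) { 'OK  ' } else { 'FAIL' }
  Write-Host "[$tag] UNC hardening for $p (current: '$cur')"
  if ($tag -eq 'FAIL' -and $Enforce) {
    New-ItemProperty -Path $key -Name $p -Value $paths[$p] -PropertyType String -Force | Out-Null
  }
}
```

Kerberos FAST armoring and NTLM restriction are domain-wide Group Policy settings and are not covered by this per-host script.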