SMBRelay With No Action and Attacking Network Scanners ( Kaspersky AV 0-day)
When we talk about SMB Relay attacks, we describe some actions from an attacker which make the incoming NTLM authentication process from server "A" possible, and then relay it to server "B".
The attacker becomes successfully authenticated on server "B" by using the account from server "A".
We have already described this type of action that initializes authentication process from server "A" by using ERP functions or RDBMS stored procedures. There are many ways for server "A" to make SMB connection to attacker.
SMBRelay with No Action
In this post I will talk about situations where the attacker may do nothing. In these cases server "A" makes a connection via SMB by itself without any manipulations. How can that be? Very simply.
In big corporate networks there can be some servers with software that does an automated scan of the subnet for some purpose. This scan uses an SMB protocol and, of course, NTLM authentication. If an attacker's host is in the same subnet, he can complete the relay. Attackers just need to be patient.
Which system is affected? It can be any of the client-server systems. It can be a DLP server that works with agents on workstations via SMB, or it can be the Antivirus which tries to deploy a remote agent and do other things. Here are some real examples that can prove this theory:
1. GFI LanGuard
It is very useful tool for Security Administrators. This software has a function that can grab all info from a target by using the Domain account, and it also has a schedule.
If an administrator has to install it on server "A" and configure it for scanning a subnet by a schedule (one scan in a week) with an account that has local or (worse) domain admin rights, there is a hole.
A malicious user can install a fake SMB server on his PC and relay the credentials to gain full access to the network.
2. Kaspersky AV
The famous antivirus software has dangerous function called "Scan IP Subnets" that is enabled by default in the Kaspersky Administration Kit (6/8).
This function makes an ICMP scan and also tries to use an SMB protocol by using a service account which can be used to run an SMBrelay attack and gain full control of secured network.
When we talk about Kaspersky Administration Kit 6, we must understand that it is difficult for the administrator to give the right privileges to the service account that needed by the AV.
By reading the documentation you finally make a decision that this account needs to be in Local Administrators group. By default, the "Scan IP Subnets" scans your subnet every 7 hours.
The attacker just needs to wait.
As the AV agent is everywhere, and the server's account has local administrator rights, it is very dangerous for a company, but very useful for penetration testing. We have done some internal penetration-tests just by using only this 0-day vulnerability.Good Luck!
Digital Security Research Group
P.S. Kaspersky vulnerability team has answered after bug report: