SMB Relay and Network Scanner Attacks

Wednesday, March 16, 2011

Alexander Polyakov

7d55c20d433dd60022642d3ab77b8efb

SMBRelay With No Action and Attacking Network Scanners ( Kaspersky AV 0-day)

When we talk about SMB Relay attacks, we describe some actions from an attacker which make the incoming NTLM authentication process from server "A" possible, and then relay it to server "B".

The attacker becomes successfully authenticated on server "B" by using the account from server "A".

We have already described this type of action that initializes authentication process from server "A" by using ERP functions or RDBMS stored procedures. There are many ways for server "A" to make SMB connection to attacker.

SMBRelay with No Action

In this post I will talk about situations where the attacker may do nothing. In these cases server "A" makes a connection via SMB by itself without any manipulations. How can that be? Very simply.

In big corporate networks there can be some servers with software that does an automated scan of the subnet for some purpose. This scan uses an SMB protocol and, of course, NTLM authentication. If an attacker's host is in the same subnet, he can complete the relay. Attackers just need to be patient.

Attack!!!

Which system is affected? It can be any of the client-server systems. It can be a DLP server that works with agents on workstations via SMB, or it can be the Antivirus which tries to deploy a remote agent and do other things. Here are some real examples that can prove this theory:

1. GFI LanGuard

It is very useful tool for Security Administrators. This software has a function that can grab all info from a target by using the Domain account, and it also has a schedule.

If an administrator has to install it on server "A" and configure it for scanning a subnet by a schedule (one scan in a week) with an account that has local or (worse) domain admin rights, there is a hole.

A malicious user can install a fake SMB server on his PC and relay the credentials to gain full access to the network.

2. Kaspersky AV
image

The famous antivirus software has dangerous function called "Scan IP Subnets" that is enabled by default in the Kaspersky Administration Kit (6/8).

This function makes an ICMP scan and also tries to use an SMB protocol by using a service account which can be used to run an SMBrelay attack and gain full control of secured network.

When we talk about Kaspersky Administration Kit 6, we must understand that it is difficult for the administrator to give the right privileges to the service account that needed by the AV.

By reading the documentation you finally make a decision that this account needs to be in Local Administrators group. By default, the "Scan IP Subnets" scans your subnet every 7 hours.

The attacker just needs to wait.

As the AV agent is everywhere, and the server's account has local administrator rights, it is very dangerous for a company, but very useful for penetration testing. We have done some internal penetration-tests just by using only this 0-day vulnerability.

Good Luck!

Alexey Sintsov
Digital Security Research Group

P.S. Kaspersky vulnerability team has answered after bug report:

http://support.kaspersky.com/faq/?qid=208284121

Possibly Related Articles:
21843
Network->General
Zero Day NTLM Network Security SMBRelay GFI LanGuard Kapersky AV
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.