Vulnerabilities / Threats

8/5/2015
11:00 PM
50%
50%

New SMB Relay Attack Steals User Credentials Over Internet

Researchers found a twist to an older vulnerability that lets them launch SMB relay attacks from the Internet.

BLACK HAT USA -- Las Vegas -- A Windows vulnerability in the SMB file-sharing protocol  discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.

Microsoft patched the vulnerability years ago, but it was actually a partial fix because it based the patch on the fact that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet and seize control of the targeted system.

As it stands, the SMB vulnerability, the Windows file-sharing protocol, affects Internet Explorer running on all versions of Windows, even in the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said.

The vulnerability is a design flaw in the SMB protocol and was discovered back in 2001. When Microsoft released its patch, it noted the attacks work only if the adversary was already on the local network. But the researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.

 “You visit a website you are done. You are pwned,” Billiamoria said.

Original SMB relay attacks rely on a design flaw in the protocol which has Windows systems save credentials and pass it on to a different authentication attempt. This isn't an obscure scenario, especially in corporate environments with automated systems that can connect to all other hosts, log in with administrative credentials, and perform certain management tasks. These are systems that handle software inventory, manage antivirus and software updates, collect event logs, and run backups.

In an SMB relay attack, the adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was sucessful as soon as users were tricked into loading an image file in Internet Explorer.

Brossard and Billiamoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The password can be  cracked in a manner of days because it uses an obsolete hashing algorithm, Billiamoria said.

This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.

The researchers demonstrated the modified SMB Relay attacks by tricking the user into visiting a malicious site, opening a boobytrapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of a NTLM challenge/response session.

In a normal scenario, when the client attempts to log in, it sends a request. The server responds with a challenge for the client to encrypt a string. After the client sends back the encrypted message, the server attempts to decrypt is using the user's password hash. If successful, the user is authenticated.

The attacker hijacks the challenge/response exchange, by waiting for someone else on the network to authenticate against any system on the network. The attacker can pass the same authentication attempt onward to the targeted system, such as a server. The attacker transfers to server's challenge back to the original use to encrypt the hash and then return to the server. The correctly encrypted response gives the attacker authenticated access.

There are some limitations to the attack; packet signing needs to be disabled. It is usually enabled, but there are some security tools which recommend turning it off to improve performance, Brossard said. SMB outbound also needs to be disabled.

The ideal victim would be one with no firewall on the computer or router and who lets SMB traffic from outside. And of course, using Internet Explorer. Chrome users wouldn't be vulnerable because the browser asks permission before connecting to an SMB server. However, if there are plugins installed which use SMB, that may be a risk.

"The only way to defend yourself against it, is blocking the SMB ports," said Brossard. There should be egress filtering at the perimeter level. It's also a good idea to drop outgoing SMB on ports 137, 138, 129, and 445. There should also be some host-level signing, and as stated earlier, packet signing and extended protection should be enabled.

The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM to take over a computer.

“Literally every service uses NTLM to authenticate,” the researchers said.

 

Black Hat USA is happening! Check it out here.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SurendraM929
50%
50%
SurendraM929,
User Rank: Apprentice
8/28/2016 | 3:37:01 AM
Port Number 129
Hi,

Just wanted to be sure about the Port 129 which you mentioned in the list of ports to be blocked.

I think it is port 139 instead of 129 if i am right. If yes, you can correct the information.

 

Thank you,

 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.