
New SMB Relay Attack Steals User Credentials Over Internet

Researchers found a twist to an older vulnerability that lets them launch SMB relay attacks from the Internet.

BLACK HAT USA -- Las Vegas -- A Windows vulnerability in the SMB file-sharing protocol discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.

Microsoft patched the vulnerability years ago, but the fix was only partial because it rested on the assumption that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet to seize control of the targeted system.

As it stands, the vulnerability in SMB, the Windows file-sharing protocol, affects Internet Explorer running on all versions of Windows, including the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said.

The vulnerability is a design flaw in the SMB protocol and was discovered back in 2001. When Microsoft released its patch, it noted that the attacks work only if the adversary is already on the local network. But the researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.

“You visit a website, you are done. You are pwned,” Billiamoria said.

Original SMB relay attacks rely on a design flaw in the protocol that has Windows systems save credentials and pass them on to a different authentication attempt. This isn't an obscure scenario, especially in corporate environments with automated systems that connect to all other hosts, log in with administrative credentials, and perform management tasks. These are systems that handle software inventory, manage antivirus and software updates, collect event logs, and run backups.

In an SMB relay attack, the adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was successful as soon as users were tricked into loading an image file in Internet Explorer.

Brossard and Billiamoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The password can be cracked in a matter of days because it uses an obsolete hashing algorithm, Billiamoria said.

This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.

The researchers demonstrated the modified SMB relay attacks by tricking the user into visiting a malicious site, opening a booby-trapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of an NTLM challenge/response session.

In a normal scenario, when the client attempts to log in, it sends a request. The server responds with a challenge for the client to encrypt a string. After the client sends back the encrypted message, the server attempts to decrypt it using the user's password hash. If successful, the user is authenticated.

The attacker hijacks the challenge/response exchange by waiting for someone else on the network to authenticate against any system on the network. The attacker can pass the same authentication attempt onward to the targeted system, such as a server. The attacker relays the server's challenge back to the original user, who encrypts it with the hash, and then returns the response to the server. The correctly encrypted response gives the attacker authenticated access.

There are some limitations to the attack; packet signing needs to be disabled. It is usually enabled, but there are some security tools which recommend turning it off to improve performance, Brossard said. SMB outbound also needs to be disabled.

The ideal victim would be one with no firewall on the computer or router, who allows SMB traffic to leave the network, and who, of course, uses Internet Explorer. Chrome users wouldn't be vulnerable because the browser asks permission before connecting to an SMB server. However, if there are plugins installed which use SMB, that may be a risk.

"The only way to defend yourself against it, is blocking the SMB ports," said Brossard. There should be egress filtering at the perimeter level. It's also a good idea to drop outgoing SMB on ports 137, 138, 129, and 445. There should also be some host-level signing, and as stated earlier, packet signing and extended protection should be enabled.
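The defenses Brossard describes, egress filtering of SMB, mandatory packet signing, and restricting IE's silent intranet-zone logon, can be audited and applied with the built-in NetSecurity and SmbShare cmdlets. This is an added example written for this page, not tooling from the researchers; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and it uses port 139 (NetBIOS session) where the text lists 129, which is an assumption on my part.

```powershell
# Added example (not from the article). Run elevated. Assumes the NetSecurity
# and SmbShare modules that ship with Windows 8 / Server 2012 and later.

# 1. Egress filtering: drop outbound SMB/NetBIOS to Internet destinations so a
#    rogue external host never receives the NTLM challenge/response.
#    137/138 UDP and 445 TCP come from the text; 139 TCP is my assumption.
$smbPorts = @{ 'TCP' = @(139, 445); 'UDP' = @(137, 138) }
foreach ($proto in $smbPorts.Keys) {
    $name = "Block outbound SMB ($proto)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol $proto `
            -RemotePort $smbPorts[$proto] -RemoteAddress Internet `
            -Action Block -Profile Any | Out-Null
    }
}

# 2. Packet signing on both the SMB server and client side; the relay only
#    works when signing is disabled, as the researchers note.
Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force

# 3. IE Local intranet zone (zone 1) logon policy, value 1A00:
#    0x20000 = automatic logon only in intranet zone (the default the article
#    describes); 0x10000 = prompt for user name and password.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
if (Test-Path $zoneKey) {
    Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0x10000 -Type DWord
}

# 4. Report the resulting posture so the change can be verified on each host.
function Get-SmbRelayPosture {
    $logon = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    [pscustomobject]@{
        ServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
        ClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
        OutboundSmbBlocked    = [bool](Get-NetFirewallRule -DisplayName 'Block outbound SMB*' `
                                          -ErrorAction SilentlyContinue)
        IntranetLogonPrompts  = ($logon -eq 0x10000)
    }
}

Get-SmbRelayPosture | Format-List
```

Requiring SMB signing can break older clients and the "extended protection" the article mentions is a separate LSA/IIS setting not covered here, so test on a pilot group before rolling out.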

The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM to take over a computer.

“Literally every service uses NTLM to authenticate,” the researchers said.


Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.

Comments
SurendraM929, 8/28/2016 | 3:37:01 AM

Port Number 129

Hi,

Just wanted to be sure about the Port 129 which you mentioned in the list of ports to be blocked.

I think it is port 139 instead of 129, if I am right. If yes, you can correct the information.

Thank you,