On Fri, Nov 14, 2008 at 09:37:46PM +0100, Andres Tarasco wrote:
> I have published a new proof of concept tool, named "Smbrelay3", that is
> able to replay NTLM authentication from several protocols like
> SMB/HTTP/IMAP/..
> http://www.tarasco.org/security/smbrelay/index.html

Great little tool from you guys! It's probably about time that I told FullDisc about Squirtle since releasing it at this year's DefCon.

http://squirtle.googlecode.com/

What's Squirtle? It's simply an authentication bridge that controls a browser to allow an attacker to request NTLM authentication at any time as long as their browser is running with the Squirtle Javascript. "Evil Agents" begin their authentication requests against different servers or workstations, pass Squirtle a session ID and the relevant details to complete authentication (flags, nonce, server, domain, etc) and wait for the Type 3 response.

I've dubbed this attack "Pass The Dutchie" since we're using an already rolled group of hashes and are ready to pass them around to our friends.

Current "Evil Agent" support I've written:

- NTLMAPS - HTTP proxy w/ NTLM support (plus pass-the-hash enabled)
- IMAP Mirror - Download all IMAP folders of a victim
- Metasploit 3.2 - PSExec against domain controllers? Yeah!

Per HD's blog post and your source code comment, MS08-068 only limits an attacker from attempting to connect back to the user's workstation where authentication began. Not a problem for Squirtle since you can attack anything the victim has access to. Domain Admin clicked that link? Yeah, the game is over.

If the DeepSec videos are published by Help Net Security you will see the latest talk on Squirtle/NTLM SSO and view the demo attacks. I'll put some video examples of Squirtle up before the end of the week.

-- 
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
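The bridge described in the message above, as an added worked example (editor's code, not Squirtle's, Smbrelay3's or anything posted in this thread): an Evil Agent opens a session to a target, hands the Type 2 details (flags, nonce, server name, target info) to the bridge, the victim's "browser" answers with a genuine NTLMv2 response, and the Type 3 goes back to the target. The host names WS01/DC01/FS01, the CORP\dadmin credential, the negotiate flags value and the single-check model of MS08-068 (a host refuses to answer a challenge it issued itself) are all assumptions constructed for the demo; MD4 is implemented inline because OpenSSL 3 builds of hashlib often no longer provide it.

```python
"""Added example: an NTLM authentication bridge modelled end to end, with the NTLMv2
response computed for real so the MS08-068 reflection-vs-relay point can be exercised."""
import hashlib, hmac, os, struct

M32 = 0xFFFFFFFF

def md4(data):
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, s, order in rounds:
            for i in range(16):
                a = rol((a + fn(b, c, d) + X[order[i]] + k) & M32, s[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password):
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nthash, user, domain):
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_response(nthash, user, domain, server_nonce, client_nonce, target_info):
    """NtChallengeResponse = NTProofStr || blob (MS-NLMP 3.3.2); timestamp fixed to 0 here."""
    blob = b"\x01\x01" + bytes(14) + client_nonce + bytes(4) + target_info + bytes(4)
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_nonce + blob, hashlib.md5).digest()
    return proof + blob

def build_type2(server, flags, nonce, target_info):
    """CHALLENGE_MESSAGE without the optional Version field, so the payload starts at 48."""
    name = server.encode("utf-16-le")
    return (b"NTLMSSP\x00" + struct.pack("<IHHI", 2, len(name), len(name), 48)
            + struct.pack("<I", flags) + nonce + bytes(8)
            + struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
            + name + target_info)

def parse_type2(msg):
    """What the Evil Agent hands to the bridge: flags, nonce, server name, target info."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    nlen, _, noff = struct.unpack_from("<HHI", msg, 12)
    ilen, _, ioff = struct.unpack_from("<HHI", msg, 40)
    return {"flags": struct.unpack_from("<I", msg, 20)[0], "nonce": msg[24:32],
            "server": msg[noff:noff + nlen].decode("utf-16-le"), "target_info": msg[ioff:ioff + ilen]}

class Server:
    """Any host accepting NTLM: remembers the nonces it issued and checks Type 3s against them."""
    def __init__(self, name, creds):  # creds: {(domain, user): nt_hash}
        self.name, self.creds, self.outstanding = name, creds, set()
    def challenge(self):
        nonce = os.urandom(8)
        self.outstanding.add(nonce)
        name = self.name.encode("utf-16-le")
        av_pairs = b"\x01\x00" + struct.pack("<H", len(name)) + name + bytes(4)  # NbComputerName, EOL
        return build_type2(self.name, 0xE2888215, nonce, av_pairs)  # flags value is an assumption
    def verify(self, domain, user, nonce, type3):
        if nonce not in self.outstanding or (domain, user) not in self.creds:
            return False
        self.outstanding.discard(nonce)
        key = ntowf_v2(self.creds[(domain, user)], user, domain)
        expected = hmac.new(key, nonce + type3[16:], hashlib.md5).digest()
        return hmac.compare_digest(expected, type3[:16])

class Workstation(Server):
    """The victim: its own SMB server plus a browser running the Squirtle JavaScript."""
    def __init__(self, name, domain, user, password, creds):
        super().__init__(name, creds)
        self.domain, self.user, self.nthash = domain, user, nt_hash(password)
    def browser_responds(self, type2):
        t2 = parse_type2(type2)
        if t2["nonce"] in self.outstanding:  # MS08-068 modelled as: never answer our own challenge
            raise PermissionError("reflection back to the originating workstation blocked")
        resp = ntlmv2_response(self.nthash, self.user, self.domain, t2["nonce"],
                               os.urandom(8), t2["target_info"])
        return self.domain, self.user, resp

def pass_the_dutchie(victim, target):
    """Evil Agent opens a session to target, the bridge has the victim's browser answer the
    Type 2, and the Type 3 is forwarded; target only ever sees a valid NTLMv2 response."""
    type2 = target.challenge()
    try:
        domain, user, type3 = victim.browser_responds(type2)
    except PermissionError:
        return "reflection blocked"
    return "authenticated" if target.verify(domain, user, parse_type2(type2)["nonce"], type3) else "rejected"

def demo():
    creds = {("CORP", "dadmin"): nt_hash("Winter2008!")}  # constructed domain credential
    ws01 = Workstation("WS01", "CORP", "dadmin", "Winter2008!", creds)
    return {"DC01": pass_the_dutchie(ws01, Server("DC01", creds)),      # relay to another host
            "WS01": pass_the_dutchie(ws01, ws01),                       # reflection, MS08-068 case
            "FS01": pass_the_dutchie(ws01, Server("FS01", {("CORP", "dadmin"): nt_hash("other")}))}

if __name__ == "__main__":
    print(demo())
```

Run it and the three outcomes line up with the message: the relay to DC01 authenticates, the connection back to WS01 is refused by the reflection check, and FS01, which holds a different hash for the account, rejects the response. The only thing the victim's browser ever does is answer whatever Type 2 it is shown, which is why the fix for reflection does nothing about relay to a third host.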
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/