New SMB Relay Attack Steals User Credentials Over Internet

  /     /     /  
Publicated : 22/11/2024   Category : security


New SMB Relay Attack Steals User Credentials Over Internet


Researchers found a twist to an older vulnerability that lets them launch SMB relay attacks from the Internet.



BLACK HAT USA -- Las Vegas -- A Windows vulnerability in the SMB file-sharing protocol  discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.
Microsoft patched the vulnerability years ago, but it was actually a partial fix because it based the patch on the fact that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet and seize control of the targeted system.
As it stands, the SMB vulnerability, the Windows file-sharing protocol, affects Internet Explorer running on all versions of Windows, even in the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said.
The vulnerability is a design flaw in the SMB protocol and was discovered back in 2001. When Microsoft released its patch, it noted the attacks work only if the adversary was already on the local network. But the researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.
 “You visit a website you are done. You are pwned,” Billiamoria said.
Original SMB relay attacks rely on a design flaw in the protocol which has Windows systems save credentials and pass it on to a different authentication attempt. This isnt an obscure scenario, especially in corporate environments with automated systems that can connect to all other hosts, log in with administrative credentials, and perform certain management tasks. These are systems that handle software inventory, manage antivirus and software updates, collect event logs, and run backups.
In an SMB relay attack, the adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was sucessful as soon as users were tricked into loading an image file in Internet Explorer.
Brossard and Billiamoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the users username in plaintext and the hash of the users password. The password can be  cracked in a manner of days because it uses an obsolete hashing algorithm, Billiamoria said.
This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.
The researchers demonstrated the modified SMB Relay attacks by tricking the user into visiting a malicious site, opening a boobytrapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of a NTLM challenge/response session.
In a normal scenario, when the client attempts to log in, it sends a request. The server responds with a challenge for the client to encrypt a string. After the client sends back the encrypted message, the server attempts to decrypt is using the users password hash. If successful, the user is authenticated.
The attacker hijacks the challenge/response exchange, by waiting for someone else on the network to authenticate against any system on the network. The attacker can pass the same authentication attempt onward to the targeted system, such as a server. The attacker transfers to servers challenge back to the original use to encrypt the hash and then return to the server. The correctly encrypted response gives the attacker authenticated access.
There are some limitations to the attack; packet signing needs to be disabled. It is usually enabled, but there are some security tools which recommend turning it off to improve performance, Brossard said. SMB outbound also needs to be disabled.
The ideal victim would be one with no firewall on the computer or router and who lets SMB traffic from outside. And of course, using Internet Explorer. Chrome users wouldnt be vulnerable because the browser asks permission before connecting to an SMB server. However, if there are plugins installed which use SMB, that may be a risk.
The only way to defend yourself against it, is blocking the SMB ports, said Brossard. There should be egress filtering at the perimeter level. Its also a good idea to drop outgoing SMB on ports 137, 138, 129, and 445. There should also be some host-level signing, and as stated earlier, packet signing and extended protection should be enabled.
The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM to take over a computer.
“Literally every service uses NTLM to authenticate,” the researchers said.
 

Black Hat USA is happening! Check it out
here
.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New SMB Relay Attack Steals User Credentials Over Internet