
Turning Client Side To Server Side


NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com

NGS Secure

Laurent Gaffié Senior Security Consultant

e-mail: laurent.gaffie@ngssecure.com

Turning SMB Client Side Bug To Server Side

Ruxcon monthly,

25/ 03/ 2011

Who am I ?

Who ?

Laurent Gaffié

Senior Security consultant at NGS Secure

Plenty of SMB research

Network/Web app pentesting monkey

Agenda

Turning What ?

SMB Protocol

Browser Protocol

Netbios Name Service

Why Turning ?

SMB bug client side

How to Turn ?

Netbios Name Spoofing

Browser Protocol

Demo !

Conclusion & Questions

Turning What ?

SMB Protocol

Can be used over: TCP/IP, IPX/SPX, and NetBEUI

A protocol for printers, file sharing, serial ports

A transport layer for DCE/RPC (IPC)

Runs as a kernel driver

Turning What ?

Browser Protocol

Host announcement

Request announcement

Election

Local Master Browser

Domain Master Browser

Master Announcement

Turning What ?

Netbios Name Service (NBNS)

Name Query Service

Resolves any domain or UNC host name shorter than 16 chars

No validation of the answer; easily spoofable; leads to MITM.

Name Overwrite Demand - can overwrite an NBT name on the subnet!

Why Turning ?

SMB bug client side

Lots !

Easier to find than server side.

Doesn’t require auth.

Kernel bugs.

Can be automated with no user interaction

How to Turn ?

Netbios Name Spoofing

Wait for someone to connect to a corporate share.

Spoof NBNS answer

Server now connects to your fake SMB server as a client

Grab credentials, exploit SMB security issue, escalate privileges on target RPC application, etc
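The NBNS answer spoofing described above (and the lack of answer validation noted under "Turning What ?") leaves a recognisable pattern on the wire: a second, conflicting answer to the same broadcast query, or an answer to a query nobody sent. The following Python is added here as an illustration and is not code from the talk or from NGS Secure; it parses RFC 1002 name-query packets and alerts on those patterns. The transaction id 0xB1A5, the names FILESRV01 and PDC01, and the 10.0.0.x addresses are constructed for the example.

```python
"""NBNS (UDP/137) spoof monitor: parses name queries and positive name-query
responses (RFC 1002 section 4.2) and alerts on answers that match no query, carry
an address other than the sender's, or conflict with another host's answer."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TYPE_NB, CLASS_IN, FLAG_RESPONSE = 0x0020, 0x0001, 0x8000


def decode_nb_name(buf: bytes, off: int):
    """Undo first-level encoding (RFC 1001 section 14.1): one 32-byte label, each
    original byte split into two nibbles offset by 'A'. Returns (name, suffix, next)."""
    if buf[off] != 0x20 or buf[off + 33] != 0:
        raise ValueError("malformed NetBIOS name")
    label = buf[off + 1:off + 33]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 34


@dataclass
class NbnsMessage:
    txid: int
    is_response: bool
    name: str
    answer_ip: Optional[str] = None  # first ADDR_ENTRY of a positive response


def parse_nbns(pkt: bytes) -> NbnsMessage:
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    is_response = bool(flags & FLAG_RESPONSE)
    name, _suffix, off = decode_nb_name(pkt, 12)
    if struct.unpack_from(">HH", pkt, off) != (TYPE_NB, CLASS_IN):
        raise ValueError("not an NB/IN record")
    answer_ip = None
    if is_response and an >= 1:
        _ttl, rdlen = struct.unpack_from(">IH", pkt, off + 4)
        if rdlen < 6:
            raise ValueError("short NB RDATA")
        _nb_flags, ip = struct.unpack_from(">H4s", pkt, off + 10)  # NB_FLAGS + IPv4
        answer_ip = ".".join(str(b) for b in ip)
    return NbnsMessage(txid, is_response, name, answer_ip)


@dataclass
class NbnsSpoofMonitor:
    """Correlates queries and responses on one subnet, keyed by transaction id."""
    pending: Dict[int, str] = field(default_factory=dict)             # txid -> name
    answers: Dict[int, Dict[str, str]] = field(default_factory=dict)  # txid -> {sender: ip}

    def observe(self, src_ip: str, pkt: bytes) -> List[str]:
        msg = parse_nbns(pkt)
        if not msg.is_response:
            self.pending[msg.txid] = msg.name
            return []
        if msg.txid not in self.pending:
            return [f"unsolicited NBNS response for {msg.name} from {src_ip}"]
        if msg.answer_ip is None:  # negative response, nothing to correlate
            return []
        alerts: List[str] = []
        if msg.answer_ip != src_ip:
            alerts.append(f"{src_ip} answered {msg.name} with another address {msg.answer_ip}")
        seen = self.answers.setdefault(msg.txid, {})
        seen[src_ip] = msg.answer_ip
        if len(seen) > 1:
            alerts.append(f"conflicting NBNS answers for {msg.name}: "
                          + ", ".join(f"{s}->{a}" for s, a in sorted(seen.items())))
        return alerts


# Constructed sample packets: first-level encoded "FILESRV01" and "PDC01", padded to
# 15 characters, suffix <20>; answer RR tail = TTL 300000, RDLENGTH 6, NB_FLAGS 0.
NAME_FILESRV01 = b"\x20" + b"EGEJEMEFFDFCFGDADB" + b"CA" * 7 + b"\x00"
NAME_PDC01 = b"\x20" + b"FAEEEDDADB" + b"CA" * 11 + b"\x00"
NB_IN, RR_TAIL = b"\x00\x20\x00\x01", b"\x00\x04\x93\xe0\x00\x06\x00\x00"


def _hdr(txid: int, flags: int, qdcount: int, ancount: int) -> bytes:
    return struct.pack(">HHHHHH", txid, flags, qdcount, ancount, 0, 0)


QUERY_FILESRV01 = _hdr(0xB1A5, 0x0110, 1, 0) + NAME_FILESRV01 + NB_IN  # broadcast query
ANSWER_FROM_SERVER = _hdr(0xB1A5, 0x8500, 0, 1) + NAME_FILESRV01 + NB_IN + RR_TAIL + bytes([10, 0, 0, 5])
ANSWER_FROM_OTHER = _hdr(0xB1A5, 0x8500, 0, 1) + NAME_FILESRV01 + NB_IN + RR_TAIL + bytes([10, 0, 0, 99])
ANSWER_UNSOLICITED = _hdr(0x0042, 0x8500, 0, 1) + NAME_PDC01 + NB_IN + RR_TAIL + bytes([10, 0, 0, 99])


def run_sample_scenario() -> List[str]:
    """10.0.0.23 resolves FILESRV01; the real server (10.0.0.5) and a second host
    (10.0.0.99) both answer, then 10.0.0.99 answers a query nobody sent."""
    mon = NbnsSpoofMonitor()
    alerts: List[str] = []
    for src, pkt in [("10.0.0.23", QUERY_FILESRV01), ("10.0.0.5", ANSWER_FROM_SERVER),
                     ("10.0.0.99", ANSWER_FROM_OTHER), ("10.0.0.99", ANSWER_UNSOLICITED)]:
        alerts.extend(mon.observe(src, pkt))
    return alerts
```

The monitor has to see both the broadcast query and the unicast replies, so it belongs on a SPAN port or on the host doing the resolving; because it keys on the transaction id, a spoofed reply that beats the real server is still caught once the real answer arrives. Where a subnet does not need NBNS at all, turning off NetBIOS over TCP/IP removes the broadcast resolution this monitor watches.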

How to Turn ?

Browser Protocol

Send two Reset Browser State Announcements to the LMB, the first with the flag set to 02 (flush browse lists, restart again) and the second set to 01 (demote the LMB to a Backup Browser)

Win the election you’ve launched, since you control the winning criteria.

Become the LMB

How to Turn ?

Browser Protocol

Let the PDC know that you're now the LMB by performing a Master Announcement.

The PDC will then connect to your fake SMB server.

The Backup Browser will also perform an SMB connection to the LMB every 15 min to sync its list.
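The reset, election and Master Announcement sequence on the two "How to Turn ?" slides above is what a defender should look for in \MAILSLOT\BROWSE traffic on UDP/138. The following Python is an added example, not code from the talk, that decodes the MS-BRWS frames involved (ResetBrowserState opcode 0x0E with command 0x02 CLEAR_ALL or 0x01 STOP_MASTER, BrowserElection 0x08, MasterAnnouncement 0x0D) and flags the pattern. It assumes the caller has already stripped the SMB transaction and mailslot envelope; the host names WKS0042, WKS0007, PDC01 and FILESRV01 and the allowlist of expected master browsers are constructed for the example.

```python
"""Browser protocol (MS-BRWS) mailslot monitor: flags the ResetBrowserState ->
BrowserElection -> MasterAnnouncement pattern that takes over the LMB role.
Assumption: the caller has already unwrapped the SMB transaction on UDP/138 and
passes the raw \\MAILSLOT\\BROWSE payload together with the sending host's name."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

OP_HOST_ANNOUNCEMENT = 0x01
OP_BROWSER_ELECTION = 0x08
OP_MASTER_ANNOUNCEMENT = 0x0D
OP_RESET_BROWSER_STATE = 0x0E
RESET_STOP_MASTER = 0x01  # demote the LMB to a backup browser
RESET_CLEAR_ALL = 0x02    # flush browse lists and restart


def _zstring(buf: bytes) -> str:
    return buf.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_browse_frame(payload: bytes) -> dict:
    """Decode the fields this monitor needs from a browse frame; OpCode is byte 0."""
    if not payload:
        raise ValueError("empty mailslot payload")
    frame = {"opcode": payload[0]}
    if frame["opcode"] == OP_RESET_BROWSER_STATE:
        if len(payload) < 2:
            raise ValueError("ResetBrowserState without Command byte")
        frame["command"] = payload[1]
    elif frame["opcode"] == OP_MASTER_ANNOUNCEMENT:
        frame["server_name"] = _zstring(payload[1:])
    elif frame["opcode"] == OP_BROWSER_ELECTION:
        # Version(1) Criteria(4) UpTime(4) Unused(4), then the null-terminated ServerName
        frame["server_name"] = _zstring(payload[14:])
    return frame


@dataclass
class BrowserMonitor:
    expected_masters: Set[str]                                  # hosts allowed to be LMB/DMB
    resets: Dict[str, List[int]] = field(default_factory=dict)  # sender -> reset commands seen

    def observe(self, src: str, payload: bytes) -> List[str]:
        frame = parse_browse_frame(payload)
        op = frame["opcode"]
        alerts: List[str] = []
        if op == OP_RESET_BROWSER_STATE:
            cmd = frame["command"]
            history = self.resets.setdefault(src, [])
            history.append(cmd)
            alerts.append(f"ResetBrowserState command {cmd:#04x} from {src}")
            if cmd == RESET_STOP_MASTER and RESET_CLEAR_ALL in history[:-1]:
                alerts.append(f"{src} flushed the browse list and then demoted the master browser")
        elif op == OP_BROWSER_ELECTION and src in self.resets:
            alerts.append(f"{src} called an election after sending ResetBrowserState")
        elif op == OP_MASTER_ANNOUNCEMENT and src not in self.expected_masters:
            alerts.append(f"unexpected MasterAnnouncement from {src} claiming {frame['server_name']}")
        return alerts


def run_sample_scenario() -> List[str]:
    """Constructed frames: the real PDC announces itself, then workstation WKS0042 runs
    the reset/election/announce sequence; WKS0007 sends a routine host announcement."""
    mon = BrowserMonitor(expected_masters={"PDC01", "FILESRV01"})
    election = bytes([OP_BROWSER_ELECTION, 0x01]) + b"\x00" * 12 + b"WKS0042\x00"
    traffic = [
        ("PDC01", bytes([OP_MASTER_ANNOUNCEMENT]) + b"PDC01\x00"),
        ("WKS0042", bytes([OP_RESET_BROWSER_STATE, RESET_CLEAR_ALL])),
        ("WKS0042", bytes([OP_RESET_BROWSER_STATE, RESET_STOP_MASTER])),
        ("WKS0042", election),
        ("WKS0042", bytes([OP_MASTER_ANNOUNCEMENT]) + b"WKS0042\x00"),
        ("WKS0007", bytes([OP_HOST_ANNOUNCEMENT]) + b"\x00" * 20),
    ]
    alerts: List[str] = []
    for src, payload in traffic:
        alerts.extend(mon.observe(src, payload))
    return alerts
```

A ResetBrowserState frame is rare in normal operation, so alerting on every one is a reasonable default; the allowlist on MasterAnnouncement catches the step that actually makes the PDC connect back. The Computer Browser service depends on SMB1 and is disabled by default on current Windows releases, so on networks that no longer need it, leaving the service off removes this surface altogether.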

Demo

DEMO !

Conclusion & Questions

Conclusion

Due to the particularities of the protocol, SMB client-side bugs are as dangerous as server-side ones in a corporate network

Exploiting SMB client-side bugs on the PDC with no user interaction: the payoff in a pentest…

Since this attack specifically targets the PDC, a reliable client-side exploit can easily be made wormable.

Conclusion & Questions

Questions ?
