Page 1: Turning client-side-to-server-side-ruxcon-2011-laurent

NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com

NGS Secure

Laurent Gaffié Senior Security Consultant

e-mail: [email protected]

Turning SMB Client Side Bug To Server Side

Ruxcon monthly, 25/03/2011

Page 2

Who am I?

Who? Laurent Gaffié
Senior Security Consultant at NGS Secure
Plenty of SMB research
Network/Web app pentesting monkey

Page 3

Agenda

Turning What?
  SMB Protocol
  Browser Protocol
  NetBIOS Name Service
Why Turning?
  SMB client-side bugs
How to Turn?
  NetBIOS Name Spoofing
  Browser Protocol
Demo!
Conclusion & Questions

Page 4

Turning What?

SMB Protocol
  Can be used over TCP/IP, IPX/SPX and NetBEUI
  A protocol for printers, file sharing and serial ports
  A transport layer for DCE/RPC/IPC
  Runs as a kernel driver

Page 5

Turning What?

Browser Protocol
  Host Announcement
  Request Announcement
  Election
  Local Master Browser
  Domain Master Browser
  Master Announcement

Page 6

Turning What?

NetBIOS Name Service (NBNS)
  Name Query Service
    Issued for any domain or UNC host name shorter than 16 characters
    No verification and easily spoofable, which leads to MITM
  Name Overwrite Demand: can overwrite an NBT name on the subnet!

Page 7

Why Turning?

SMB client-side bugs
  Lots!
  Easier to find than server-side ones.
  Don't require authentication.
  Kernel bugs.
  Can be automated with no user interaction.

Page 8

How to Turn?

NetBIOS Name Spoofing
  Wait for someone to connect to a corporate share.
  Spoof the NBNS answer.
  The server now connects to your fake SMB server as a client.
  Grab credentials, exploit an SMB security issue, escalate privileges on the target RPC application, etc.
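Both the NBNS slide above (no verification, easily spoofable) and the name-spoofing step here rely on a host answering NBNS queries for names it does not own, which is exactly what a network sensor can watch for. As an added example that is not part of this deck or of NGS Secure's tooling, the following Python parses RFC 1002 NBNS name queries and positive responses from UDP/137 payloads and flags two poisoner signals: an answer that matches no outstanding query, and one host answering for more than a threshold of distinct names. The packets are constructed in memory, and the threshold max_names and the alert wording are assumptions.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa
def encode_name(name, suffix=0x20):
    # RFC 1002 first-level encoding: pad to 15 chars + suffix byte, split every byte into two nibbles + 'A'
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    return b"\x20" + bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41)) + b"\x00"
def decode_name(buf, off):
    # inverse of encode_name: returns (name without padding or suffix, offset past the 34-byte field)
    raw = bytes(((buf[i] - 0x41) << 4) | (buf[i + 1] - 0x41) for i in range(off + 1, off + 33, 2))
    return raw[:15].decode().rstrip(), off + 34
def parse_nbns(pkt):
    # header (NAME_TRN_ID, flags, QDCOUNT, ANCOUNT), question names, and the IPv4 in each NB answer record
    tid, flags, qd, an = struct.unpack_from(">HHHH", pkt); off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        questions.append(name); off += 4                            # skip QUESTION_TYPE and QUESTION_CLASS
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", pkt, off); off += 10
        if rtype == 0x0020:                                         # NB record: RDATA = NB_FLAGS(2) + NB_ADDRESS(4)
            answers.append((name, inet_ntoa(pkt[off + 2:off + 6])))
        off += rdlen
    return {"tid": tid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}
def detect_poisoning(events, max_names=3):
    # events: (src_ip, udp_payload) in capture order; max_names is an assumed threshold for distinct names one host may answer for
    pending, claimed, alerts = set(), defaultdict(set), []
    for src, pkt in events:
        msg = parse_nbns(pkt)
        if not msg["response"]:
            pending.update((msg["tid"], q) for q in msg["questions"]); continue
        for name, _ in msg["answers"]:
            if (msg["tid"], name) not in pending:
                alerts.append(f"unsolicited NBNS answer for {name} from {src}")
            claimed[src].add(name)
    alerts += [f"{s} answered for {len(n)} different names" for s, n in claimed.items() if len(n) > max_names]
    return alerts
def build(tid, name, ip=None):
    # constructed test packet: a broadcast name query, or a positive name query response when ip is given
    if ip is None:
        return struct.pack(">HHHHHH", tid, 0x0110, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 0x20, 1)
    rr = encode_name(name) + struct.pack(">HHIH", 0x20, 1, 300, 6) + b"\x00\x00" + inet_aton(ip)
    return struct.pack(">HHHHHH", tid, 0x8580, 0, 1, 0, 0) + rr

# constructed capture: 10.0.0.7 legitimately answers for FILESRV01; 10.0.0.99 answers every query it sees
SAMPLE = [("10.0.0.5", build(0x1234, "FILESRV01")), ("10.0.0.7", build(0x1234, "FILESRV01", "10.0.0.7")),
          ("10.0.0.5", build(0x1235, "WPAD")), ("10.0.0.99", build(0x1235, "WPAD", "10.0.0.99")),
          ("10.0.0.6", build(0x2000, "PRINTSRV")), ("10.0.0.99", build(0x2000, "PRINTSRV", "10.0.0.99")),
          ("10.0.0.6", build(0x2001, "NAS01")), ("10.0.0.99", build(0x2001, "NAS01", "10.0.0.99")),
          ("10.0.0.99", build(0x9999, "DC01", "10.0.0.99"))]   # nobody asked for DC01: unsolicited answer
```

Running detect_poisoning(SAMPLE) yields one alert for the unsolicited DC01 answer and one for 10.0.0.99 claiming four different names, while the genuine FILESRV01 exchange raises nothing.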

Page 9

How to Turn?

Browser Protocol
  Send two Reset Browser State announcements to the LMB: the first with the flag set to 02 (flush the browse lists and restart) and the second with the flag set to 01 (demote the LMB to a Backup Browser).
  Win the election you've launched, since you control the winning criteria.
  Become the LMB.

Page 10

How to Turn?

Browser Protocol
  Let the PDC know that you are now the LMB by performing a Master Announcement.
  The PDC will then connect to your fake SMB server.
  The Backup Browser will also make an SMB connection to the LMB every 15 minutes to sync its list.

Page 11

Demo

DEMO!

Page 12

Conclusion & Questions

Conclusion
  Due to the particularities of the protocol, SMB client-side bugs are as dangerous as server-side ones in a corporate network.
  Exploiting SMB client-side bugs on the PDC with no user interaction pays off in a pentest…
  Since this attack specifically targets the PDC, a reliable client-side exploit can easily be made wormable.

Page 13

Conclusion & Questions

Questions?