smb relay attack with snarf & responder · 2018. 1. 9. · •smb relay is a well-known attack...
TRANSCRIPT
![Page 1: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/1.jpg)
Information Security Inc.
SMB Relay Attack
with Snarf & Responder
![Page 2: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/2.jpg)
Information Security Confidential - Partner Use Only
Contents
2
• About SMB Relay
• About Snarf&Responder
• Testing Setup
• Requirements
• Installing and using Snarf/Responder
• Mitigations
• References
![Page 3: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/3.jpg)
Information Security Confidential - Partner Use Only
About SMB Relay
3
• SMB Relay is a well-known attack that involves intercepting SMB
traffic and relaying the NTLM authentication handshakes to a target
host
![Page 4: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/4.jpg)
Information Security Confidential - Partner Use Only
About Snarf&Responder
4
• Snarf is a software suite to help increase the value of man-in-the-
middle attacks
• Snarf waits for the poisoned client to finish its transaction with the
server (target), allows the client to disconnect from our host, and
keeps the session between our host and the target alive
• We can run tools through the hijacked session under the privilege
of the poisoned user
![Page 5: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/5.jpg)
Information Security Confidential - Partner Use Only
About Snarf&Responder
5
• Responder.py: a tool that listens and responds to LLMNR and
NBT-BNS
![Page 6: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/6.jpg)
Information Security Confidential - Partner Use Only
Testing Setup
6
------------------
| Domain |
| Member |
| Windows 10| +++++++ -----------------------
------------------- | Domain |
IP:192.168.10.109 +++++++++++++ | Controller |
---------------- | Server 2008 R2 |
| Attacker | ++++++++ ------------------------
| Machine | IP:192.168.10.108
| Kali Linux | ----------------------
---------------- +++++++++++++ | Windows 10 |
IP: 192.168.10.12 | Domain |
| Member |
------------------IP: 192.168.10.111
![Page 7: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/7.jpg)
Information Security Confidential - Partner Use Only
Requirements
7
• Linux (Kali works fine)
• NodeJS -- Snarf is implemented in Node to take advantage of it's snazzy
event-driven I/O
• An existing MITM / redirection strategy -- Snarf will not MITM the victim, it will
only capitalize on it
- ARP poisoning
- DHCP poisoning
- LLMNR poisoning
- ICMP redirect
- GRE tunnels
![Page 8: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/8.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
8
• Snarf
• Responder.py
![Page 9: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/9.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
9
• Starting Snarf ( Make sure to start SnarfJS prior to Responder. This allows
SnarfJS to bind to TCP port 445 )
![Page 10: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/10.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
10
• Adding targets
![Page 11: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/11.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
11
• Starting Responder.py
![Page 12: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/12.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
12
• A session comes in => Is it kept alive by Snarf each using Frank’s
credentials while originating from the original Source IP
![Page 13: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/13.jpg)
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
13
• Enumeration using smbclient
![Page 14: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/14.jpg)
Information Security Confidential - Partner Use Only
Mitigations
14
• Disable LLMNR and/or NBSNS
http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html
• SMB signing
https://technet.microsoft.com/en-us/library/jj852239(v=ws.11).aspx
![Page 15: SMB Relay Attack with Snarf & Responder · 2018. 1. 9. · •SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes](https://reader035.vdocuments.mx/reader035/viewer/2022071609/61483595cee6357ef925348f/html5/thumbnails/15.jpg)
Information Security Confidential - Partner Use Only
References
15
• Snarfhttps://github.com/purpleteam/snarf
• Responder.py https://github.com/SpiderLabs/Responder
• SMB Relayhttps://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-
with-python