Turning Client Side To Server Side (Ruxcon monthly, 2011, Laurent Gaffié)
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
NGS Secure
Laurent Gaffié, Senior Security Consultant
e-mail: [email protected]
Turning SMB Client Side Bug To Server Side
Ruxcon monthly, 25/03/2011
Who am I?
Laurent Gaffié
Senior Security Consultant at NGS Secure
Plenty of SMB research
Network/web app pentesting monkey
Agenda
Turning what? SMB protocol, Browser protocol, NetBIOS Name Service
Why turning? SMB client-side bugs
How to turn? NetBIOS name spoofing, Browser protocol
Demo!
Conclusion & Questions
Turning What?
SMB Protocol
Can be used over TCP/IP, IPX/SPX and NetBEUI
A protocol for printers, file sharing and serial ports
A transport layer for DCE/RPC (IPC)
Runs as a kernel driver
Turning What?
Browser Protocol
Host announcement
Request announcement
Election
Local Master Browser
Domain Master Browser
Master announcement
Turning What?
NetBIOS Name Service (NBNS)
Name Query Service: resolves any domain or UNC host name shorter than 16 characters
No validation of the answer: easily spoofable, leads to MITM.
Name Overwrite Demand: can overwrite an NBT name on the subnet!
Why Turning?
SMB client-side bugs: lots!
Easier to find than server-side bugs.
Don't require authentication.
Kernel bugs.
Exploitation can be automated with no user interaction.
How to Turn?
NetBIOS Name Spoofing
Wait for someone to connect to a corporate share.
Spoof the NBNS answer.
The server now connects to your fake SMB server as a client.
Grab credentials, exploit an SMB security issue, escalate privileges on the target RPC application, etc.
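A defender-side check for the NBNS spoofing step above, added here as an example and not part of the talk: it encodes NetBIOS names the RFC 1002 way, builds a name query for a canary name that does not exist on the subnet, parses whatever positive response comes back, and flags hosts that answer blindly. The build_response helper only constructs test packets; the names, transaction ids and addresses used are made up.

```python
import struct

NB_TYPE, NB_CLASS = 0x0020, 0x0001  # NetBIOS general name service RR (RFC 1002)

def encode_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: pad to 15 chars, add suffix byte, two 'A'-offset nibbles per byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0xF) + 0x41]) for b in raw)
    return b"\x20" + enc + b"\x00"

def decode_name(enc: bytes) -> str:
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_query(txid: int, name: str) -> bytes:
    # flags 0x0110: opcode QUERY, recursion desired, broadcast; one question
    q = encode_name(name) + struct.pack(">2H", NB_TYPE, NB_CLASS)
    return struct.pack(">6H", txid, 0x0110, 1, 0, 0, 0) + q

def build_response(txid: int, name: str, ip: str) -> bytes:
    # Constructed positive name query response (flags 0x8500); used as test input only
    rdata = struct.pack(">H4B", 0, *map(int, ip.split(".")))
    rr = encode_name(name) + struct.pack(">HHIH", NB_TYPE, NB_CLASS, 300000, len(rdata)) + rdata
    return struct.pack(">6H", txid, 0x8500, 0, 1, 0, 0) + rr

def parse_response(pkt: bytes):
    """Return (txid, name, addresses) for a positive name query response, else None."""
    txid, flags, _, an, _, _ = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or an == 0:
        return None  # a query, or a negative response
    name = decode_name(pkt[13:45])  # 1 length byte, 32 encoded chars, terminator
    rdlen = struct.unpack(">HHIH", pkt[46:56])[3]
    addrs = tuple("%d.%d.%d.%d" % struct.unpack(">4B", pkt[58 + i:62 + i])
                  for i in range(0, rdlen, 6))  # each entry: NB_FLAGS + IPv4
    return txid, name, addrs

def classify(outstanding: dict, canary: str, pkt: bytes) -> str:
    """outstanding maps txid -> name actually queried; canary is a made-up name that
    does not exist on the subnet, so a positive answer for it means blind spoofing."""
    ans = parse_response(pkt)
    if ans is None:
        return "ignore"
    txid, name, _ = ans
    if txid not in outstanding:
        return "unsolicited"
    if name != outstanding[txid].upper():
        return "name-mismatch"
    return "canary-answered" if name == canary.upper() else "ok"
```

To use it, broadcast the packet from build_query to UDP port 137 and feed every reply to classify; on a healthy subnet nothing answers the canary, so a "canary-answered" result points at a host spoofing NBNS replies.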
How to Turn?
Browser Protocol
Send two Reset Browser State announcements to the LMB: the first with the flag set to 02 (flush browse lists and restart), the second with the flag set to 01 (demote the LMB to a Backup Browser).
Win the election you've launched, since you control the winning criteria.
Become the LMB.
How to Turn?
Browser Protocol
Let the PDC know that you are now the LMB by performing a Master Announcement.
The PDC will then connect to your fake SMB server.
The Backup Browsers will also make an SMB connection to the LMB every 15 minutes to sync their browse lists.
Demo!
Conclusion & Questions
Conclusion
Due to the particularities of the protocol, SMB client-side bugs are as dangerous as server-side ones in a corporate network.
Exploiting SMB client-side bugs on the PDC with no user interaction: the payoff in a pentest…
Since this attack specifically targets the PDC, a reliable client-side exploit can easily be made wormable.
Questions?