NTLM Relay Attacks - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

NTLM Relay Attacks

Description:

In an environment where clients use NTLM to authenticate to network apps / resources. Attacker's machine has a 'local intranet' host name (e.g., http://laptop or ... – PowerPoint PPT presentation

Number of Views:2263
Avg rating:3.0/5.0
Slides: 15
Provided by: ericra
Category:

less

Transcript and Presenter's Notes

Title: NTLM Relay Attacks


1
NTLM Relay Attacks
  • Eric Rachner
  • eric_at_rachner.us
  • http//www.rachner.us

2
The Relay Attack Scenario
  • Assumptions
  • In an environment where clients use NTLM to
    authenticate to network apps / resources
  • Attackers machine has a local intranet host
    name (e.g., http//laptop or http//laptop209.acme
    .com)
  • Exploitability Impact
  • Victim only needs to visit attackers web site
  • Attacker can then access arbitrary network
    resources using the victims domain account

3
About NTLM
  • Part of Windows Integrated AuthN protocol suite
    provides AuthN service for a wide variety of
    application protocols (HTTP, SMB, TDS aka MS SQL,
    Exchange, etc.)
  • Enabled by default
  • Essentially a challenge-response design
  • Server transmits challenge / nonce
  • Client computes transmits response
  • Server verifies correct response w/help of domain
    controller

4
The Basic ProblemLack of mutual authentication
A client thinks its authenticating to
http//hacker, but its actually authenticating
to http//targetapp by way of the hackers
machine!
5
History Due Credit
  • 2001 First implemented by Sir Dystic of cDc as
    SMBRelay
  • 2004 Jesse Burns of iSec demonstrates updated
    SMB-based attack at Black Hat (but doesnt
    release the code.)
  • 2007 Metasploit team re-implements SMB attack,
    integrates it into development branch
  • 2008 HTTP-to-HTTP based attack implemented by
    yours truly

6
How It Begins
  • rel1autoplay1"
  • type"application/x-shockwave-flash"
  • wmode"transparent"
  • width"425"
  • height"355"
  • e
  • e
  • /iframe

7
Demo
8
Incidentally,
  • I urge you to consider this a rogue server
    problem, and not a man-in-the-middle scenario,
    insofar as the attacker does not need to
  • Poison DNS
  • Spoof ARP packets
  • Re-route traffic
  • Operate a rogue access point
  • Exploit the WPAD problem
  • or otherwise interpose themselves along the
    network path to the targeted server

9
Assumptions, Revisited
  • Attacks are easiest if browser authenticates to
    attackers machine automatically
  • Implies Internet Explorer
  • Implies a trusted host name for attackers
    machine, e.g. http//hacker.acme.com or
    http//hacker. This is possible via
  • DNS auto-registration (favorite host name
    wpad)
  • Attacker on same subnet

10
More Bad News
  • Not just an intranet scenario Internet-borne
    attacks are possible against internet-facing
    applications
  • Clients in coffeeshops easy targets
  • Clients on intranets tougher targets, but
    possibly vulnerable in tricky DNS rebinding
    scenarios
  • Credit here goes to natron who proposed the
    technique currently being researched in a 2007
    email to RSnake

11
In re. Fear, Uncertainty Doubt
  • Say, is there any reason this attack couldnt
    be leveraged in any scenario where NTLM is
    supported?
  • Handy list of possible targets posted at
    http//www.microsoft.com/products/

12
Analysis
  • No, SSL is not helpful here.
  • NTLMv2 just as vulnerable as NTLMv1
  • NTLM has numerous other problems(ref. Jesse
    Burns 2004 Moniz Stach, 2005 Grutz, et. al.
    2007)
  • 0-day? More like 2,555-day
  • Long story short migrate away from NTLM, ideally
    towards Kerberos

13
Wanna Get Scurvy?
  • http//www.rachner.us/files/scurvy/

14
Questions?
  • Eric Rachner
  • eric_at_rachner.us
  • http//www.rachner.us
Write a Comment
User Comments (0)
About PowerShow.com