SMB relay attack and Active Directory

The articles Researchers find way to steal Windows Active Directory credentials from the Internet and New SMB Relay Attack Steals User Credentials Over Internet discuss a way to steal a user's Active Directory credentials through an SMB relay attack, triggered when the user accesses applications that use SMB and NTLM version 2 (NTLMv2) authentication. The attack was presented by Jonathan Brossard and Hormazd Billimoria (two engineers at Salesforce.com):

“The attack, called an SMB relay, causes a Windows computer that’s part of an Active Directory domain to leak the user’s credentials to an attacker when visiting a Web page, reading an email in Outlook or opening a video in Windows Media Player”

At Black Hat USA 2015, held in Las Vegas from August 1 to 6, the researchers showed that it is still possible to exploit an SMB-related vulnerability for which Microsoft had already released a patch 14 years earlier.

“A Windows vulnerability in the SMB file-sharing protocol discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.

Microsoft patched the vulnerability years ago, but it was actually a partial fix because it based the patch on the fact that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet and seize control of the targeted system.”

The attack relies on two weak links. The first is NTLMv2 authentication, which is still widely used in AD environments even though in many cases it could be avoided in favour of Kerberos:

“In an Active Directory network, Windows computers automatically send their credentials when they want to access different types of services like remote file shares, Microsoft Exchange email servers or SharePoint enterprise collaboration tools. This is done using the NTLM version 2 (NTLMv2) authentication protocol and the credentials that get sent are the computer and user name in plain text and a cryptographic hash derived from the user’s password.”

As early as 2001 it had been described how to carry out an SMB relay attack with a man-in-the-middle approach: intercept the credentials and relay them to a server in order to authenticate the attacker as the victim:

“In 2001 security researchers devised an attack called SMB relay where attackers can position themselves between a Windows computer and a server to intercept credentials and then relay them back to the server in order to authenticate as the user.”

The second weak link is that the Internet Explorer option “Automatic logon only in Intranet zone”, which is enabled by default, appears to be ignored:

“It was believed that this attack worked only inside local networks. In fact, Internet Explorer has a user authentication option that is set by default to “automatic logon only in Intranet zone.”

However, security researchers Jonathan Brossard and Hormazd Billimoria found that this option is ignored and the browser can be tricked to silently send the user’s Active Directory credentials—the username and password hash—to a remote SMB server on the Internet controlled by the attackers.”

The two researchers reportedly traced the credential leak to a Windows system DLL, so the problem is not limited to Internet Explorer but affects other applications as well:

“They tracked the issue down to a Windows system DLL file that is used not just by Internet Explorer, but by many applications that can access URLs, including Microsoft Outlook, Windows Media Player, as well as third-party programs.

When an URL is queried by these applications, the DLL checks for the authentication setting in registry, but then ignores it, the researchers said in their presentation at the conference in Las Vegas.

This is true for all supported versions of Windows and Internet Explorer, making it the first remote attack for the newly released Windows 10 and Microsoft Edge browser, Brossard said.”

“Brossard and Billimoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the user’s username in plaintext and the hash of the user’s password. The password can be cracked in a manner of days because it uses an obsolete hashing algorithm, Billimoria said.”

“This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.

The researchers demonstrated the modified SMB Relay attacks by tricking the user into visiting a malicious site, opening a boobytrapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of a NTLM challenge/response session.”

For its part, Microsoft is aware of the problem and is investigating it:

“We’re aware of this matter and are looking into this further,” a Microsoft representative said Thursday via email.

Below are the ways in which this type of attack could be exploited, according to Brossard:

“In one scenario, they could use an SMB relay attack to authenticate as the victim on servers hosted outside of the user’s local network by using a feature known as NTLM over HTTP that was introduced to accommodate network expansions into cloud environments. In this way they could obtain a remote shell on the server which could then be used to install malware or execute other exploits.”

“If the remote server is an Exchange one, the attackers could download the user’s entire mailbox.”

“Another scenario involves cracking the hash and then using it to access a Remote Desktop Protocol server. This can be done using specialized hardware rigs or services that combine the power of multiple GPUs.”

“Stealing Windows credentials over the Internet could also be useful for attackers who are already inside a local network, but don’t have administrator privileges. They could then send an email message to the administrator that would leak his credentials when viewed in Outlook. Attackers could then use the stolen hash to execute SMB relay attacks against servers on the local network”

Some of the scenarios above require cracking the captured NTLMv2 hash, so a complex password that is not a common word is a first line of defence: use at least 10 characters mixing upper case, lower case, digits and non-alphanumeric characters, since, as Brossard correctly points out, with current computing power an eight-character password can be cracked in about two days. Note, however, that password strength only matters for the scenarios that crack the hash: the relay scenarios (NTLM over HTTP against Exchange or other servers, relay to servers on the local network) reuse the captured authentication exchange directly and are unaffected by how strong the password is, so they have to be addressed by the measures described further on:

“A password that has eight characters or less can be cracked in around two days. Cracking an entire list of stolen hashes would take the same amount of time, because all possible character combinations are tried as part of the process, he said.”
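The following is an added example, not code from the article or from the researchers' talk, that makes two points of the text concrete: what an NTLMv2 authentication exchange actually carries (the user and domain name in clear, plus an HMAC-MD5 keyed from the password hash) and what a password cracker has to verify for each candidate. It works from the NT hash (MD4 of the UTF-16LE password) because .NET exposes no MD4 implementation, so the hash, the server challenge, the timestamp and the client nonce in the blob are all constructed values; the function and variable names are this example's own.

```powershell
# Added example: NTLMv2 response computation as in MS-NLMP, and the per-candidate
# check an offline cracker performs on a captured exchange. Constructed input values.

function ConvertFrom-Hex {
    param([string]$Hex)
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-NtlmV2Hash {
    param([byte[]]$NtHash, [string]$User, [string]$Domain)
    # NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPERCASE(user) + domain)).
    # User and domain are sent in clear in the AUTHENTICATE message, so the
    # attacker has everything here except the NT hash.
    $hmac = [System.Security.Cryptography.HMACMD5]::new($NtHash)
    $hmac.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($User.ToUpperInvariant() + $Domain))
}

function Get-NtProofStr {
    param([byte[]]$NtlmV2Hash, [byte[]]$ServerChallenge, [byte[]]$Blob)
    # NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob). The blob
    # (timestamp, client nonce, target info) travels in clear too.
    $hmac = [System.Security.Cryptography.HMACMD5]::new($NtlmV2Hash)
    $hmac.ComputeHash([byte[]]($ServerChallenge + $Blob))
}

function Test-NtlmV2Candidate {
    param($Capture, [byte[]]$CandidateNtHash)
    # What a cracker does per candidate: recompute NTProofStr from the
    # candidate NT hash and compare it with the captured one.
    $v2    = Get-NtlmV2Hash -NtHash $CandidateNtHash -User $Capture.User -Domain $Capture.Domain
    $proof = Get-NtProofStr -NtlmV2Hash $v2 -ServerChallenge $Capture.ServerChallenge -Blob $Capture.Blob
    (ConvertTo-Hex $proof) -eq (ConvertTo-Hex $Capture.NtProofStr)
}

# --- Constructed victim and rogue server -----------------------------------
$user            = 'alice'
$domain          = 'CORP'
$ntHash          = ConvertFrom-Hex '8846f7eaee8fb117ad06bdd830b7586c'   # constructed NT hash
$serverChallenge = ConvertFrom-Hex '0123456789abcdef'                   # 8 bytes picked by the rogue SMB server
$blob = ConvertFrom-Hex ('0101000000000000' +              # response type, reserved
                         '00d0b5a2c1e6d101' +              # constructed timestamp
                         'aabbccddeeff0011' +              # constructed client nonce
                         '00000000' +                      # reserved
                         '0200080043004f0052005000' +      # AvPair: NetBIOS domain "CORP"
                         '00000000' + '00000000')          # AvEOL, reserved

# What the attacker's server ends up holding after the client authenticates to it.
$captured = [pscustomobject]@{
    User = $user; Domain = $domain; ServerChallenge = $serverChallenge; Blob = $blob
    NtProofStr = Get-NtProofStr -NtlmV2Hash (Get-NtlmV2Hash $ntHash $user $domain) -ServerChallenge $serverChallenge -Blob $blob
}

# The line a capture tool writes out (hashcat mode 5600 layout):
# user and domain in clear, only the 16-byte HMAC is left to crack.
'{0}::{1}:{2}:{3}:{4}' -f $captured.User, $captured.Domain, (ConvertTo-Hex $captured.ServerChallenge),
                          (ConvertTo-Hex $captured.NtProofStr), (ConvertTo-Hex $captured.Blob)

Test-NtlmV2Candidate -Capture $captured -CandidateNtHash $ntHash                        # the right hash
Test-NtlmV2Candidate -Capture $captured -CandidateNtHash (ConvertFrom-Hex ('ff' * 16))  # a wrong hash
```

The first `Test-NtlmV2Candidate` call succeeds because the candidate is the hash the capture was built from; the second fails. A real cracker adds the MD4 step (password to NT hash) in front of this check and runs it for every candidate, which is where the two-day figure for eight-character passwords comes from. A relay attacker does none of this: it forwards the three NTLM messages unchanged between the victim and the target, so nothing in this block depends on the password being weak.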

To limit these attacks, besides using complex passwords, other measures are available, such as SMB packet signing, already present in Windows Server 2000/2003 and in Windows NT 4.0/Windows 98; see Microsoft network server: Digitally sign communications (always).

“Enabling an SMB feature called packet signing would prevent relay attacks, but not the credential leaking itself or attacks that rely on cracking the hash, Brossard said. This feature also adds a significant performance impact.”
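As an added example (not part of the article), this is how a practitioner would audit and enforce SMB signing on a single host from an elevated PowerShell. The `Get-/Set-Smb*Configuration` cmdlets exist on Windows 8 / Server 2012 and later; the registry values read alongside them are the ones set by the group policy entries "Microsoft network server/client: Digitally sign communications (always)". Function names are this example's own.

```powershell
# Added example: audit and require SMB signing on server and client side.

$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbSigningState {
    # RequireSecuritySignature = $true/1 means the side refuses unsigned sessions.
    # EnableSecuritySignature alone only offers signing and does not stop relay.
    [pscustomobject]@{
        ServerRequires = (Get-SmbServerConfiguration).RequireSecuritySignature
        ClientRequires = (Get-SmbClientConfiguration).RequireSecuritySignature
        ServerRegistry = (Get-ItemProperty -Path $serverKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        ClientRegistry = (Get-ItemProperty -Path $clientKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    }
}

function Enable-SmbSigning {
    # Require signing in both directions. A relayed session is authenticated
    # with the victim's NTLM exchange, but the relay never obtains the session
    # key derived from the password hash, so it cannot sign and the target
    # drops the session.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

Get-SmbSigningState      # before
Enable-SmbSigning
Get-SmbSigningState      # after: both Requires fields should now be True
```

Two caveats a practitioner will want: on a domain member the policy value wins over the local setting, so roll this out through GPO rather than per host, and requiring signing on the server side means clients that cannot sign will stop connecting. As the quote says, this stops the relay but not the leak itself: the rogue server on the Internet still receives the NTLMv2 exchange and can try to crack it.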

Another feature that can help limit the attacks is Extended Protection for Windows Authentication (see Extended Protection for Authentication and Integrated Windows Authentication with Extended Protection): it binds the NTLM exchange to the TLS channel or to the service principal name of the server it was meant for, so an exchange relayed to a different server or over a different TLS session is rejected.

“Another feature that could help is called Extended Protection for Windows Authentication, but it is hard to configure, which is why it’s not usually enabled on corporate networks, the researcher said.”

Obviously, where possible, the firewall should also be used to keep SMB traffic from leaving towards the Internet, by blocking outbound NetBIOS and SMB traffic (UDP 137 and 138, TCP 139 and 445).

“Microsoft recommends using a firewall to block SMB packets from leaving the local network. This would prevent credential leaks, but is not very practical in the age of employee mobility and cloud computing, according to Brossard. The researcher feels that a host-based filtering solution would be more appropriate.

The firewall integrated into Windows can be used to block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet, but still allow them on the local network so it doesn’t break file sharing, he said”
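The host-based filtering Brossard suggests, as an added example that is not from the article: outbound Windows Firewall rules that block NetBIOS/SMB towards public addresses while leaving the local network alone. The Windows Firewall has no "not" operator, so the public address space is listed explicitly; the assumption here is that the corporate network lives in the RFC 1918 ranges (adjust `$public` to the real address plan), and 203.0.113.10 is a documentation-range address used only for the final check. Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example: block outbound SMB/NetBIOS to the Internet, keep it on the LAN.

# Everything except 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16 and multicast.
$public = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# 137/138 are UDP (NetBIOS name and datagram service), 139/445 are TCP.
$rules = @(
    @{ Name = 'Block outbound SMB (TCP 445) to Internet';                 Protocol = 'TCP'; Port = '445' },
    @{ Name = 'Block outbound NetBIOS session (TCP 139) to Internet';     Protocol = 'TCP'; Port = '139' },
    @{ Name = 'Block outbound NetBIOS name/datagram (UDP 137-138) to Internet'; Protocol = 'UDP'; Port = '137-138' }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName   = $r.Name
        Direction     = 'Outbound'
        Action        = 'Block'
        Protocol      = $r.Protocol
        RemotePort    = $r.Port
        RemoteAddress = $public
        Profile       = 'Any'
    }
    New-NetFirewallRule @params | Out-Null
}

# Check: the rules exist and carry the public address list...
Get-NetFirewallRule -DisplayName 'Block outbound*' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
# ...and an SMB connection to a public address no longer gets out (documentation address, assumed).
Test-NetConnection -ComputerName 203.0.113.10 -Port 445 -InformationLevel Quiet
```

Block rules take precedence over allow rules in the Windows Firewall, so the rules above cannot be undone by a later allow rule for port 445; the only thing that keeps file sharing working is that the local ranges are absent from `$public`. Users on public networks (hotel, home) are exactly the case the page calls impractical for a perimeter firewall and exactly the case this host-based rule covers.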

Another layer of protection is a proxy able to identify malicious sites and block visits to them, or, where possible, a restriction on the sites users may browse, since the attack shown by Brossard and Billimoria starts by luring the user to a malicious site. Note that a web proxy only sees the lure: the credentials themselves leave over SMB towards the attacker's server, which the proxy never sees, and the Outlook and remote desktop vectors described above do not pass through the browser at all. This is why the firewall rules are the control that actually stops the leak.

For more information, see the material from the session Jonathan Brossard and Hormazd Billimoria gave at Black Hat USA 2015, available at SMB : Sharing more than your files….

For some considerations on doing away with the NTLM protocol altogether, which would effectively prevent this type of attack, see the post Purging Old NT Security Protocols on Microsoft's official enterprise support blog for AD DS and more.
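As an added example, not from the article or from the referenced blog post, this is the order in which a practitioner would move a client from "NTLM everywhere" to "NTLMv2 only, and only towards an explicit list of servers": audit first, read the audit log, then deny. The registry values correspond to the group policy settings "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", "Network security: Restrict NTLM: Add remote server exceptions" and "Network security: LAN Manager authentication level"; the server names in `$legacy` are assumed placeholders. Run from an elevated PowerShell.

```powershell
# Added example: audit outgoing NTLM, then restrict it to an exception list.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Enable-NtlmAudit {
    # RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # LmCompatibilityLevel 5: send NTLMv2 responses only, refuse LM and NTLMv1.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    # The audit events land in the NTLM operational log, which is off by default.
    wevtutil.exe sl 'Microsoft-Windows-NTLM/Operational' /e:true
}

function Get-NtlmAuditEvents {
    # Event 8001 records each outgoing NTLM authentication that "deny all"
    # would block; the message names the target server and the account used.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-OutgoingNtlm {
    param([string[]]$AllowedServers)
    # Exceptions for servers that genuinely cannot do Kerberos, as found in the audit.
    Set-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
}

Enable-NtlmAudit
# Let the host run for a representative period (a few weeks of normal use), then:
Get-NtlmAuditEvents | Format-Table -AutoSize
$legacy = @('nas01.corp.example', 'printsrv.corp.example')   # assumed names taken from the audit
Disable-OutgoingNtlm -AllowedServers $legacy
```

With `RestrictSendingNTLMTraffic` at 2 the client refuses to send NTLM to any server not in the exception list, which includes a rogue SMB server on the Internet, so the leak described on this page cannot complete regardless of which DLL triggered the connection. The cost is that anything still relying on NTLM (non-domain hosts, services without an SPN, some appliances) breaks, which is why the audit phase and the exception list come first. On domain members the group policy values override these local registry settings.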