Metasploit mailing list archives

Windows Transparent Authentication updates


From: natronicus at gmail.com (natronicus)
Date: Mon, 19 Nov 2007 09:46:16 -0600

The RSnake posting you referred to was an email from me.  Just wanted
to address your three circumstances:

1. URL must be an internal IP address or hostname (no FQDN)

Yep, that's why I used NBNS spoofing to create an arbitrary computer
name and point it to an external IP.

2. Server must send the correct domain workstation is a member of

I'm not sure what you mean by Server.  If you're referring to the
applet doing the spoofing, it doesn't need to know your domain, as
it's using NBNS/WINS.  NBNS doesn't care about your domain.  You need
to know both the domain name and the AD server's address if you're
doing dynamic SOA updates to cache a fake DNS entry.

3. Server must not be accessed via the proxy

Again not sure what you mean by Server, but if here you mean the
attacker's machine, that's not true.  All communication between the
attacker and the browser occurs through HTTP (well, DNS for the actual
DNS rebinding, but that's outside the scope of this part of the
attack).  All other communication occurs between the applet in the
browser and the localhost.

Regarding the proxy to use once you've begun the
auto-auth/pass-the-hash, this is what I'm working on now.  (This
theoretical proxy should be able to extend many metasploit exploits
through the browser via DNS rebinding.  There are port/protocol
restrictions keeping it from allowing all exploits, and it would never
work for anything that requires the victim to initiate the
connection.)  If anyone has code they'd be willing to release, please
let the list know, as it would be appreciated.

Regards,
n

On Nov 16, 2007 9:44 AM, Kurt Grutzmacher <grutz at jingojango.net> wrote:
Yesterday I submitted ticket #169 to update the NTLMSSP type code
support in proto/smb/ui.rb. It adds a function to force negotiation away
from NTLMv2 and signing as well as use bitmasking.

This now makes it possible to support things like NTLM hash capturing
with a predefined nonce over HTTP, IMAP, POP3, or NNTP. I've not written
any auxiliary/exploit modules for this yet mostly due to lack of time
but I do have code available:

http://grutz.jingojango.net/exploits/pokehashball.html

I've also coded up a protocol proxy that will take the authentication
messages from HTTP and relay them between a POP3 server to download all
available mail for a user. It's very brute-force at the moment but it
does work. If I get some time to complete the entire tool I have in my
head it'll include HTTP and IMAP proxying and more intelligent support
for holding on to the browser and requesting authentication at-will.

Check out Rsnake's blog on an idea to use DNS Pinning to fake out IE's trust zone -
http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/

Very interesting theory but not sure it'll work that well given you need
a very specific set of circumstances for transparent authentication to
work in IE:

1. URL must be an internal IP address or hostname (no FQDN)
2. Server must send the correct domain workstation is a member of
3. Server must not be accessed via the proxy

That kind of limits attacks from the Internet for a large majority of
locations but doesn't make it impossible. I'm excited!

If anyone has any activex code that could turn a browser into a usable
proxy however... let me know. Half the battle with transparent auth is
getting the browser to think it's talking to a "Trusted Intranet"
computer. Having a machine on the inside is easiest so this attack is
best served when you're on-site doing a penetration test.

So, enjoy! If you want to give a hand on writing some usable modules or
expanding the existing project let me know.

--
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
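The three circumstances Kurt lists, and the NBNS-spoofing answer to the first one, describe a concrete condition a defender can check for: a name that a browser would treat as a "Trusted Intranet" host (a dotless hostname or an internal IP) resolving to an address outside the internal ranges. The following is an added example, not code from either poster or from the Metasploit project; it assumes a hypothetical one-line-per-event resolution log in the form `PROTO name -> ip`, and the sample events and IP addresses in it are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample name-resolution events in a hypothetical log format
# ("PROTO name -> ip"). The addresses are documentation-range values and
# are not taken from the thread.
SAMPLE_EVENTS = """\
NBNS FILESERVER01 -> 10.0.3.17
NBNS PRINTSRV -> 10.0.3.22
NBNS WPAD -> 203.0.113.45
DNS intranet.corp.example -> 10.0.1.5
DNS payroll -> 198.51.100.9
"""

# Ranges treated as "internal" for this check. ipaddress.is_private is
# deliberately not used: it also classifies the 198.51.100.0/24 and
# 203.0.113.0/24 documentation ranges as private, which would hide the
# constructed external addresses above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def looks_intranet_to_ie(host: str) -> bool:
    """Condition 1 from the thread: a single-label hostname (no FQDN) or an
    internal IP address lands in IE's Local Intranet zone, where transparent
    NTLM authentication is permitted."""
    host = host.strip("[]").lower()
    try:
        return is_internal(str(ipaddress.ip_address(host)))
    except ValueError:
        return "." not in host


def url_would_auto_auth(url: str) -> bool:
    """Classify a URL by the same heuristic, e.g. when reviewing proxy logs."""
    host = urlsplit(url).hostname
    return bool(host) and looks_intranet_to_ie(host)


def parse_event(line: str):
    proto, rest = line.split(" ", 1)
    name, ip = (part.strip() for part in rest.split("->"))
    return proto, name, ip


def find_spoofed_intranet_names(events_text: str):
    """Return (proto, name, ip) for names a browser would treat as intranet
    hosts that resolve to a non-internal address: the pattern produced by
    pointing an arbitrary NetBIOS name at an external IP."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        proto, name, ip = parse_event(line)
        if looks_intranet_to_ie(name) and not is_internal(ip):
            hits.append((proto, name, ip))
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_intranet_names(SAMPLE_EVENTS):
        print("intranet-looking name resolved externally:", hit)
```

Run against the constructed log it reports `WPAD` and `payroll`, the two dotless names that resolve outside the internal ranges; the two FQDN and internal-IP entries are left alone. The same `looks_intranet_to_ie` heuristic explains why condition 1 matters: a host that fails it never enters the zone where automatic logon applies, so restricting that zone's logon setting, or monitoring NBNS answers for exactly this mismatch, is the corresponding control.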
