Metasploit mailing list archives
Windows Transparent Authentication updates
From: natronicus at gmail.com (natronicus)
Date: Mon, 19 Nov 2007 09:46:16 -0600
The RSnake posting you referred to was an email from me. Just wanted to address your three circumstances:
1. URL must be an internal IP address or hostname (no FQDN)
Yep, that's why I used NBNS spoofing to create an arbitrary computer name and point it to an external IP.
2. Server must send the correct domain workstation is a member of
I'm not sure what you mean by Server. If you're referring to the applet doing the spoofing, it doesn't need to know your domain, as it's using NBNS/WINS. NBNS doesn't care about your domain. You need to know both the domain name and the AD server's address if you're doing dynamic SOA updates to cache a fake DNS entry.
3. Server must not be accessed via the proxy
Again not sure what you mean by Server, but if here you mean the attacker's machine, that's not true. All communication between the attacker and the browser occurs through HTTP (well, DNS for the actual DNS rebinding, but that's outside the scope of this part of the attack). All other communication occurs between the applet in the browser and the localhost.

Regarding the proxy to use once you've begun the auto-auth/pass-the-hash, this is what I'm working on now. (This theoretical proxy should be able to extend many metasploit exploits through the browser via DNS rebinding. There are port/protocol restrictions keeping it from allowing all exploits, and it would never work for anything that requires the victim to initiate the connection.) If anyone has code they'd be willing to release, please let the list know, as it would be appreciated.

Regards,
n

On Nov 16, 2007 9:44 AM, Kurt Grutzmacher <grutz at jingojango.net> wrote:
Yesterday I submitted ticket #169 to update the NTLMSSP type code support in proto/smb/ui.rb. It adds a function to force negotiation away from NTLMv2 and signing as well as use bitmasking. This now makes it possible to support things like NTLM hash capturing with a predefined nonce over HTTP, IMAP, POP3, or NNTP. I've not written any auxiliary/exploit modules for this yet mostly due to lack of time but I do have code available: http://grutz.jingojango.net/exploits/pokehashball.html

I've also coded up a protocol proxy that will take the authentication messages from HTTP and relay them between a POP3 server to download all available mail for a user. It's very brute-force at the moment but it does work. If I get some time to complete the entire tool I have in my head it'll include HTTP and IMAP proxying and more intelligent support for holding on to the browser and requesting authentication at-will.

Check out Rsnake's blog on an idea to use DNS Pinning to fake out IE's trust zone - http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/

Very interesting theory but not sure it'll work that well given you need a very specific set of circumstances for transparent authentication to work in IE:

1. URL must be an internal IP address or hostname (no FQDN)
2. Server must send the correct domain workstation is a member of
3. Server must not be accessed via the proxy

That kind of limits attacks from the Internet for a large majority of locations but doesn't make it impossible. I'm excited! If anyone has any activex code that could turn a browser into a usable proxy however... let me know. Half the battle with transparent auth is getting the browser to think it's talking to a "Trusted Intranet" computer. Having a machine on the inside is easiest so this attack is best served when you're on-site doing a penetration test.

So, enjoy! If you want to give a hand on writing some usable modules or expanding the existing project let me know.
-- ..:[ grutz at jingojango dot net ]:.. GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4 "There's just no amusing way to say, 'I have a CISSP'."
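The "force negotiation away from NTLMv2 and signing" and "hash capturing with a predefined nonce" that Kurt describes both show up in the NTLMSSP Type 2 (CHALLENGE) message a server sends back, which is where a defender can spot them. The following is an added example written for this archive page, not code from the thread, from Metasploit or from the pokehashball project; it assumes the MS-NLMP field layout and flag values, and the static-challenge list and the sample header are constructed placeholders.

```python
import base64
import struct

# NTLMSSP negotiate flags from MS-NLMP (the subset relevant to signing/session security)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

# Constructed placeholder: fixed server challenges worth alerting on. A real deployment
# would maintain its own list of nonces known to be hard-coded by capture tools.
KNOWN_STATIC_CHALLENGES = {bytes.fromhex("1122334455667788")}

def parse_type2(msg: bytes) -> dict:
    """Decode the fixed fields of an NTLMSSP CHALLENGE (Type 2) message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]                  # NegotiateFlags
    target = msg[name_off:name_off + name_len]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"flags": flags, "challenge": msg[24:32], "target": target.decode(codec)}

def decode_header(header_value: str) -> dict:
    """Parse the value of a 'WWW-Authenticate: NTLM <base64>' response header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    return parse_type2(base64.b64decode(token))

def audit_challenge(info: dict) -> list:
    """Return the reasons a challenge looks like a capture or relay endpoint."""
    warnings = []
    if info["challenge"] in KNOWN_STATIC_CHALLENGES:
        warnings.append("static server challenge (hash capture with a predefined nonce)")
    if not info["flags"] & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN):
        warnings.append("signing not negotiated (relay-friendly)")
    if not info["flags"] & NEGOTIATE_EXTENDED_SESSIONSECURITY:
        warnings.append("extended session security absent (NTLMv1-style response expected)")
    return warnings

def build_type2(challenge: bytes, flags: int, target: str = "CORP") -> bytes:
    # Minimal Type 2 message for constructing sample input (no TargetInfo, no Version).
    name = target.encode("utf-16-le")
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), 48)        # TargetName at offset 48
    msg += struct.pack("<I", flags) + challenge + bytes(8)       # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 48)                         # empty TargetInfoFields
    return msg + name

# Constructed sample header: fixed nonce, no signing, no extended session security.
SAMPLE_HEADER = "NTLM " + base64.b64encode(build_type2(
    bytes.fromhex("1122334455667788"), NEGOTIATE_UNICODE | NEGOTIATE_NTLM)).decode()
```

Run `audit_challenge(decode_header(SAMPLE_HEADER))` to see all three warnings fire; a challenge built with `NEGOTIATE_SIGN` and `NEGOTIATE_EXTENDED_SESSIONSECURITY` and a random nonce audits clean.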