Penetration Testing mailing list archives

iXsecurity.tool.smbproxy.1.0.0


From: patrik.karlsson () ixsecurity com
Date: Thu, 8 Nov 2001 11:18:04 -0800





iXsecurity Security Tool Release
SMBproxy 1.0.0
==============

Tool Description
----------------
SMBproxy is a semi-transparent Windows NT and Windows 2000 login
proxy. It implements the "passing the hash" theory: SMBproxy uses
NTLM password hashes to log into a Windows NT or Windows 2000
server. The NTLM hashes are stored in the SAM database. If someone
has access to NTLM hashes (obtained with L0phtcrack, pwdump3, a backup
SAM._ file, or by eavesdropping an administrator's NTLM login), that
person has full access to the server. NOTE: No password
guessing/cracking is needed. NTLM password hashes should be treated
as clear text passwords.
The proxy works on Windows 2000, Linux and BSD.
On Windows 2000 the proxy can only be used locally.

Background and detailed description
-----------------------------------
Several documents describe the "passing the hash" theory.
The theory:
A user password is hashed, and this hash is stored in the SAM
database. When the user logs in over the network she enters her
password and the password is hashed. This hash is encrypted with a
server challenge and sent to the server. The server decrypts the
login request with the public challenge. If the decrypted message is
equal to the hash in the SAM, the login is granted.

Legend: Function H is an MD4 hash
        Functions E and D are DES encryption and decryption
        P is the plain text password
        S is the hashed user password, S=H(P), stored in SAM
        N is the challenge
        A is client
        B is server

Windows NT/2000 login:
1. A=>B: Requests a logon to the server.
2. B=>A: N
3. A=>B: E(N,H(P))
The server can check S=D(N,E(N,H(P))) or E(N,S)=E(N,H(P)).

If Eve eavesdrops on the login she can get S by D(N,E(N,H(P))).
S can also be retrieved from a SAM database.
Anyone who has S can log in without knowing P.

Windows NT/2000 "passing the hash":
1. A=>B: Requests a logon to the server.
2. B=>A: N
3. A=>B: E(N,S)
Of course S=D(N,E(N,S)), so the login is granted.
The problem is to skip the H(P) step.
There is at least one Unix/Linux tool for this, but that tool is not
transparent.

SMBproxy needs to know the IP of the server it shall proxy for and a
password file in pwdump3 format,
"username:id:LANMAN hash:NTLM hash:::". Note that the id and LANMAN
hash fields are ignored.
When someone logs into the proxy, the proxy forwards the request to
the server using the username supplied in the login request, but
replaces the NTLM hash with the correct NTLM hash from the password
file.

Example:
If a password file looks like this:
user1:x:x:Correct Hash:::
user2:x:x:Another Hash:::

In this example we start the proxy locally on 127.0.0.1:
Command> SMBproxy -s SERVERIP -f passwordfile

If we now log into 127.0.0.1 from the client, this is what happens:
Command> net use * \\127.0.0.1\c$ "anypassword" /u:user1
The request arrives at 127.0.0.1:139, which forwards the login
request to the SERVER. The SERVER sends back a challenge, N. The
proxy remembers N and forwards N to the client. The client then
sends E(N,H("anypassword")) to the proxy. The proxy reads user1's NTLM
hash and replaces E(N,H("anypassword")) with E(N,"Correct Hash").
This is sent to the SERVER every time the SERVER requests it.

We can now use Regedt32, Explorer, PsTools, User Manager (NT4), MS
SQL over named pipes, start and stop services, or any other program
against 127.0.0.1. All requests will be forwarded to SERVER.
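To make the E(N,S) step above concrete, here is an added example (not part of the original post or of SMBproxy) that builds the NTLM response the way the legend describes it, with E as DES over the challenge, and checks it the way the server does (the E(N,S)=E(N,H(P)) form). MD4 is not in Go's standard library, so SHA-256 truncated to 16 bytes stands in for H; the constructed challenge, password and function names are assumptions, and the point is that the server's check never needs P, only S.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha256"
	"fmt"
	"unicode/utf16"
)

// H is the NT hash S=H(P): MD4 over the UTF-16LE password. MD4 is not in Go's
// standard library, so SHA-256 truncated to 16 bytes stands in (an assumption).
func H(password string) (S [16]byte) {
	var le []byte
	for _, u := range utf16.Encode([]rune(password)) {
		le = append(le, byte(u), byte(u>>8))
	}
	sum := sha256.Sum256(le)
	copy(S[:], sum[:16])
	return S
}

// desKey spreads 7 key bytes over 8 bytes, leaving each low (parity) bit zero.
func desKey(k []byte) []byte {
	return []byte{k[0] & 0xfe, k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// E is the NTLM response E(N,S): S padded to 21 bytes yields three 7-byte DES
// keys, each encrypting the 8-byte challenge N, giving a 24-byte response.
func E(N [8]byte, S [16]byte) []byte {
	padded := append(S[:], 0, 0, 0, 0, 0)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[i*7 : i*7+7]))
		c.Encrypt(resp[i*8:i*8+8], N[:])
	}
	return resp
}

// ServerAccepts is the server's check E(N,S)==E(N,H(P)): only S is ever needed.
func ServerAccepts(N [8]byte, S [16]byte, resp []byte) bool {
	return bytes.Equal(E(N, S), resp)
}

func main() {
	N, S := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, H("Secret1") // constructed challenge and SAM entry
	fmt.Println(ServerAccepts(N, S, E(N, H("Secret1"))), ServerAccepts(N, S, E(N, H("anypassword"))))
	fmt.Println(ServerAccepts(N, S, E(N, S))) // true: the response computed from S alone
}
```

The third check is exactly the substitution the proxy performs in step 3: the response built from the stored hash is indistinguishable to the server from one built from the password, which is why the hash must be protected like a clear text password.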

How to use SMBproxy
-------------------
./smbproxy [options]
           -s* <serverip> to proxy to
           -l  <listenip> to listen to
           -p  <port> to listen to (139/445)
           -f* <pwdumpfile> containing hashes
           -v  be verbose
           -h  you're reading it

Use lc3_conv.pl to convert a L0phtcrack 3 save file to pwdump3
format.

Known bugs
----------
You cannot use the proxy _from_ a Windows NT4 client.
You cannot bind the proxy to an external IP on Windows 2000; the
proxy works only locally on Windows 2000.

Todo
----
Full proxy transparency with ARP redirects.

Download
--------
http://www.cqure.net/smbproxy/index.html

----------------------------------------------------

Patrik Karlsson, mailto:patrik.karlsson () ixsecurity com
Ian Vitek, mailto:ian.vitek () ixsecurity com

----------------------------------------------------
