smb relay attack with snarf & responder · 2018. 1. 9. · •smb relay is a well-known attack...
TRANSCRIPT
Information Security Inc.
SMB Relay Attack
with Snarf & Responder
Information Security Confidential - Partner Use Only
Contents
2
• About SMB Relay
• About Snarf&Responder
• Testing Setup
• Requirements
• Installing and using Snarf/Responder
• Mitigations
• References
Information Security Confidential - Partner Use Only
About SMB Relay
3
• SMB Relay is a well-known attack that involves intercepting SMB
traffic and relaying the NTLM authentication handshakes to a target
host
Information Security Confidential - Partner Use Only
About Snarf&Responder
4
• Snarf is a software suite to help increase the value of man-in-the-
middle attacks
• Snarf waits for the poisoned client to finish its transaction with the
server (target), allows the client to disconnect from our host, and
keeps the session between our host and the target alive
• We can run tools through the hijacked session under the privilege
of the poisoned user
Information Security Confidential - Partner Use Only
About Snarf&Responder
5
• Responder.py: a tool that listens and responds to LLMNR and
NBT-BNS
Information Security Confidential - Partner Use Only
Testing Setup
6
------------------
| Domain |
| Member |
| Windows 10| +++++++ -----------------------
------------------- | Domain |
IP:192.168.10.109 +++++++++++++ | Controller |
---------------- | Server 2008 R2 |
| Attacker | ++++++++ ------------------------
| Machine | IP:192.168.10.108
| Kali Linux | ----------------------
---------------- +++++++++++++ | Windows 10 |
IP: 192.168.10.12 | Domain |
| Member |
------------------IP: 192.168.10.111
Information Security Confidential - Partner Use Only
Requirements
7
• Linux (Kali works fine)
• NodeJS -- Snarf is implemented in Node to take advantage of it's snazzy
event-driven I/O
• An existing MITM / redirection strategy -- Snarf will not MITM the victim, it will
only capitalize on it
- ARP poisoning
- DHCP poisoning
- LLMNR poisoning
- ICMP redirect
- GRE tunnels
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
8
• Snarf
• Responder.py
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
9
• Starting Snarf ( Make sure to start SnarfJS prior to Responder. This allows
SnarfJS to bind to TCP port 445 )
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
10
• Adding targets
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
11
• Starting Responder.py
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
12
• A session comes in => Is it kept alive by Snarf each using Frank’s
credentials while originating from the original Source IP
Information Security Confidential - Partner Use Only
Installing and using Snarf/Responder
13
• Enumeration using smbclient
Information Security Confidential - Partner Use Only
Mitigations
14
• Disable LLMNR and/or NBSNS
http://www.pciqsatalk.com/2016/03/disable-lmnr-netbios.html
• SMB signing
https://technet.microsoft.com/en-us/library/jj852239(v=ws.11).aspx
Information Security Confidential - Partner Use Only
References
15
• Snarfhttps://github.com/purpleteam/snarf
• Responder.py https://github.com/SpiderLabs/Responder
• SMB Relayhttps://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-
with-python