Exploiting SMB and Kerberos
to obtain Administrator access
The present article aims to demonstrate the main steps to perform an invasion test. Serving as a solution to the growing demand for increased need to keep people connected, Wireless networks have come to play a key and indispensable role in corporate networks. These networks, in turn, need effective monitoring and the professionals who manage them must understand the risks and map out the existing vulnerabilities. The procedures for detecting safety flaws can be automated through tools or made by a qualified professional who will manually validate each critical point, this being the Pentester. This work aims to demonstrate the steps of performing an intrusion test in order to obtain critical data such as Network Administrator access. By using intrusion testing, network administrators can identify vulnerabilities and thus propose improvements and fixes to avoid being the target of some invasion by digital criminals.
Keywords: Pentest. Invasion. Access. Security. Networks.
Existing in most homes and corporate networks, Wireless technology has already gained a lot of space and confidence, due to its malleability and ease of installation, Wireless technology has achieved great popularity.
Currently, based on the fact of the need to provide access to customers and employees, there is a need to maintain a hybrid connection environment, so it is extremely important to validate the security of this environment. This article addresses the topic of vulnerability analysis in the wireless network for gaining privileged access, a subject that deals with issues related to professional activities of invasion testing, the steps for implementing a Pentest are discussed.
For the development of the article the type of exploratory or qualitative research was used by means of practical tests of data packet capture as approached in the concept of network analytic sniffing. Resulting in the perception of the need to implement other techniques for a better result in obtaining data.
The problem investigated is a practice of invasion in a corporate network, through a network, shared wirelessly with suppliers, suppliers and other employees of the company. To test the concepts, the techniques called Sniffing, Pass-The-Hash and SMB Relay were used with the V1 and V2 versions of SMB, with the help of the responder and metasploit tools.
According to ABNT NBR ISO / IEC 17799: 2005 (2005, p.9), “information security is the protection of information of various types of threats to ensure business continuity, minimize business risk, maximize return on investments and business opportunities “.
“First of all, it is often difficult to get support from the organization’s own top management to make the necessary investments in information security. The high costs of the solutions contribute to this scenario, but ignorance of the importance of the topic is probably still the biggest problem. ” (CAMPOS, 2007, p.29)
Therefore, the principle of Information Security, shows that it is necessary to take care of the information, or any other data stored or that travels in network. Information Security aims to ensure that the data is maintained and protected, in order to prevent important information from falling into the wrong hands.
The ability to connect everything from home appliances, vehicle systems, corporate and home networks, is attributed to the wireless technology suite called Wireless. In 1901, Guglielmo Marconi using the Morse code demonstrated a wireless traffic from a telegraph transmitting information from a ship to the coast, where Tanenbaum (2003) states that because of these facts, wireless communication is not a new idea.
According to Pinheiro (2003), the implantation of wireless networks, makes possible the communication demand where the wired infrastructure can’t be applied, however with the result that it is necessary to evaluate the cost/benefit ratio, in order to make feasible its application. However, according to Cardoso (2005), wireless technology becomes relevant while there are cost reductions, customer satisfaction and optimizations of work.
According to Soares (1995), wireless networks play an important role, enabling communication in places of difficult access where it is impossible to install metallic cables or fiber optics.
Sniffers work using a promiscuous mode network interface. Developed to monitor, filter and capture packets on a network, sniffer is an application commonly used for these purposes, according to Basta and Brown (2015). To Nakamura (2007), although created to verify network problems, these same software can also be used for illicit purposes, since while information travels in pure text, they can be easily interpreted by a malicious user.
Also for Wendt and Nogueira Jorge (2012), sniffers are used by cybercriminals in order to detect sensitive data of access of computer users, such as, accessed sites, emails and passwords. According to the authors the main purpose of using a sniffer by a cybercrime is its later use, after monitoring the traffic and thus analyzing the transmitted data.
According to the authors Basta and Brown (2015), basically the sniffers can work with all the protocols of the network model TCP/IP, however to observe the network traffic the sniffer uses the network interface card (NIC) being responsible to receive the traffic in the network segment in which it is. In this way the sniffer will only be able to read the traffic in the network segment in which the computer is connected, requiring in turn other techniques to reach the communication of the other segments.
Pentest is a way to validate and analyze vulnerabilities in a computer environment, in order to anticipate attacks that could cause some damage or damage. According to Weidman (2014), through Pentest seeks to highlight the flaws and vulnerabilities that could be exploited by potential malicious invaders. Defined as a multidisciplinary science, it is a comprehensive method for testing security, based on hardware, software and people, this process involves a deep analysis of the system for possible vulnerabilities that try to access resources. In most cases, obtaining databases and other confidential information is the focus of the Pentester.
The intrusion test helps to protect the organization, avoiding financial losses, preserving the corporate image, information security. This procedure evaluates the effectiveness of existing security and provides the supporting arguments for future investments or upgrading of security technologies. For Engebretson 2014 there are four fundamental steps for the perfect execution of the intrusion test and can be used essentially: Recognition, Scanning, Fault Scanning, Post-Scanning and Access Preservation.
Reconnaissance – is the act of gathering preliminary data or intelligence on your target, collecting all the interesting information possible. It can be actively (meaning you are directly touching the target) or passively (which means your recon is being performed through an intermediary).
Scanning – activity that corresponds to the process of identifying active systems and their respective services. You can use some vulnerability scanning tool to collect information about the target.
Exploiting, Gaining Access – requires the control of one or more network devices to extract data from the target or to use that device to then initiate attacks on other targets, this is the stage where the professional proves whether the vulnerability can be exploited or not.
Maintaining Access – at this stage, the attacker must remain hidden, a persistent connection must be maintained.
2.5 SMB Relay
Most networks have multiple automated systems that connect to all network hosts to perform various management tasks, typically using access credentials such as Administrator or some other privileged access. Some systems such as software inventory systems, antivirus updates, backup systems, software updates, and patch management, event log collectors, require this type of access.
For Bagget (2013) SMB Relay attacks allow us to capture these authentication attempts and use them to access systems on the network. For Bagget (2013) NTLM is a challenge / response protocol, where authentication occurs when the right response is returned, the client attempts to log in and the server responds with a challenge.
Basically the authentication process occurs as follows, the server says, “If you are who you say you are, then encrypt this thing with your hash”. The client then encrypts the challenge and sends back the encrypted challenge response. The server then attempts to decode this encrypted challenge response with the user’s hash password. The process can be analyzed in the image below.
Figure 1: Schematic of the SMB authentication process.
Font: Bagget (2013)
Still according to Bagget (2013), in SMB Relay attacks, the attacker enters the middle of this exchange. The attacker chooses the destination server he wants to gain access to, and then the attacker expects something or someone on the network to authenticate to his machine. As usually the defense or monitoring services work to identify the new device on the network and then try to connect, the attack concludes successfully because when trying to connect the service sends the hash to the malicious device.
The authentication flow occurs as follows, when the automated process connects to the attacker, it passes the authentication attempt to the target. The target then raises a challenge and sends it back to the attacker. The attacker sends the challenge back to the source scanning system. The scanning system encrypts the hash with the correct password hash and sends it to the attacker. The attacker passes the correctly encrypted response back to its target and authenticates successfully.
The complete process can be seen in the image below, in blue the original communication and in red the communication modified by the attacker.
Figure 2: Schematic of the SMB Relay authentication process
Font: Bagget (2013)
It was divided in two parts, the first one is the bibliographical research to improve the foundation on the subject, a technique that, according to Gil (2008), is to be developed based on material already elaborated and can be found in books and scientific articles. The next step is developed with the aid of qualitative research through practical tests of packet data capture as addressed in the concept of network analytic sniffer and attack SMB Relay.
The analysis took place in a corporate network, where the wireless network structure was used for data collection. The wireless network used was identified by the name of “Metadata”.
Data collection was done exclusively on the wireless network with the help of the program called responder installed on a DELL brand notebook (Studio 14 model) with the Kali Linux operating system. The software “responder” was executed on 04/09/2017 at 09:00 AM for 2 minutes to obtain data for the analysis, then Metasploit was used to exploit the vulnerability with the hash of the Administrator user.
For the analysis of data it was necessary to approach the exploratory and systematic analysis of the data, where a search of terms more used to identify information of users was done, as the “responder” tool itself provides automatically. After collecting the necessary information, Mestasploit was run to exploit the vulnerability.
In this chapter, we will discuss the sampling of data based on the concepts of the techniques presented, as extremely sensitive data was detected, such as administrator user password hash, IP, MAC address, these have in turn been hidden. Based on the results obtained through the automatic scanning with the aid, it was possible to attest by manual means the veracity of the failures found, attending only the identification of the HASH of the Administrator user to attempt access to restricted servers, as well as the SRV- XXXXXX.
Due to the high level of confidentiality, none of the techniques and vulnerabilities have been and will not be under any circumstance discussed in this document, since the leakage of this information may lead to irreparable moral, legal and financial damages, however, below is the proof-of-concept screens.
As Pentest carried out on the wireless network and then fired the test against a server of high importance, informed by the company in order to attest the obtained hash, it was possible to conclude that there was the fault coming from Kerberos, where we can collect and exploit the vulnerability as it may be observed in the log and image below.
Administrator user data
[1m_[34mCME_[0m 192.168.XXX.XXX:445 SRV-XXXXXX _[1m_[32m[+]_[0m Dumping local SAM hashes (uid:rid:lmhash:nthash)
_[1m_[34mCME_[0m 192.168.XXX.XXX:445 SRV-XXXXXX _[1m_[33m
_[1m_[34mCME_[0m 192.168.XXX.XXX:445 SRV-XXXXXX _[1m_[33m
When running Metasploit against a server using the hash of the Administrator user.
As it can be observed during the analysis, a sniffer can be used to collect information on a wireless network, however, only running it without the use of other intrusion techniques does not guarantee complete satisfaction in obtaining more sensitive data.
As technology advances, cyber security professionals need to follow the techniques and know the vulnerabilities of their organization well. Advice from a good Pentester is essential to help identify gaps in information security and offer viable alternatives to prevent certain attacks.
It is very common for organizations to work on the reaction, however, it is important to work preventively. As can be seen from the analysis, the use of an intrusion-testing tool, even though it is not authenticated on the network, can make life easier for an attacker who is malicious.
Some professional technical limits, as well as the lack of monitoring, have provided the success of the attack and hinder the traceability in case of a successful invasion. To monitor this type of threat, it is necessary to implement security systems, such as Security Information and Event Management (SIEM), so even though it can’t be completely inhibited, it is still possible to trace and block the potential threats.
ASSOCIAÇÃO BRASILEIRA DE NORMAS TÉCNICAS. NBR ISSO/IEC 27002:2005 tecnologia da informação – técnicas de segurança – código de prática para gestão da informação. Rio de janeiro: 2005. Disponível em: http://search.4shared.com/postDownload/M0vePGU6/ISO-IEC_27002-2005.html>. Accessed: November, 27, 2017.
BAGGET, Mark – Protocolos Auxiliares: Protocolos ARP e RARP. 2000. Disponível em: < https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python>. Accessed: November, 27, 2017.
BASTA, Alfred, BASTA, Nadine, BROWN, Mary. Segurança de Computadores e Testes de Invasão. Tradução: Lizandra Magnon de Almeida. Cengage Learning Edições LTDA, 2015.
CARDOSO, L. M. Implantação da Tecnologia sem fio integrada à Filosofia de Trabalho JIT: um estudo de caso. In: CONGRESSO DE INICIAÇÃO E PRODUÇÃO CIENTÍFICA, 8., 2005. Anais eletrônicos… São Paulo, São Bernardo do Campo: METODISTA, 2005.
CAMPOS, A. SISTEMAS DE SEGURANÇA DA INFORMAÇÃO. 2 ed. Florianopolis: Visual Books, 2007.
ENGEBRETSON, Patrick. Introdução ao hacking e aos testes de invasão. São Paulo: Novatec Editora Ltda, 2014.
GIL, Antonio Carlos. Como elaborar projetos de pesquisa. 4. ed. São Paulo: Atlas, 2008.
GODOY, Arilda Schmidt. Introdução à pesquisa qualitativa e suas possibilidades. RAE – Revista de Administração de Empresas, São Paulo, v. 35, n. 2, p. 57-63, mar./abr. 1995. Pesquisa qualitativa: tipos fundamentais. RAE – Revista de Administração de Empresas, São Paulo, v. 35, n. 3, p. 30-6, jan./fev. 1995.
NAKAMURA, E. T., & GEUS, P. L. Segurança de Redes em Ambientes Cooperativos. SÃO PAULO: NOVATEC, 2007.
PINHEIRO, J. M. S. Guia Completo de Cabeamento de Redes. Rio de Janeiro: Campus, 2003.
SOARES, F. G.; LEMOS, G.; COLCHER, S. Redes de Computadores: das LANs, MANs e WANs às redes ATM. 2. ed. Rio de Janeiro: Elsevier, 1995.
TANENBAUM, A. S. Redes de Computadores. 4. ed. Rio de Janeiro: Campus, 2003.
WEIDMAN, Georgia, Testes de Invasão: Uma introdução prática ao hacking. Tradução: Lúcia A. Kinoshita, São Paulo: Novatec Editora Ltda, 2014.
WENDT, Emerson; NOGUEIRA JORGE, Higor Vinicius; Crimes cibernéticos: ameaças e procedimentos de investigação. –Rio de Janeiro: Brasport, 2012.