SMBRelay bible 1: Attacking Enterprise business (ERP)
Why are these attacks so critical for business applications and ERP systems? The well-known Pass-the-Hash vulnerabilities can be used for gaining a shell or password hashes. It is known that possibilities for passing the hash exist in many software but talking about penetration testing ERP this type of attack is even more useful due to three things:
1. Most ERP systems use domain accounts or local user accounts for running their processes. For example SAP installs with 2 usernamesadm and sap from which SAP processes are run. Other ERP systems including the custom ones also use local or domain accounts. This means that Pass-the-Hash will generally provide demanded credentials instead of the NULL sessions which can be obtained if an application is run under the Local Service or System accounts.
2. ERP systems have a lot of file system related functionality that allows you to conduct Pass-the-Hash attack by inserting a string
\\fakesmb\anyfile instead of a real file name stored on server. This is called Pass-the-Hash phishing – when an attacker sets up an SMB server and tries to insert this string into different fields of software and then to collect requests with the account hashes for the purposes to relay them (SMB Relay)
3. The most interesting and previously unknown feature that we have found during our penetration test is the cluster weakness. Most ERP systems require multiple computer resources to operate. For this reason it is common to see ERP installed in a cluster. During a security assessment it was found that the SMB Relay patch by Microsoft did not protect clusters. Because of this, Pass-the-Hash requests from one node of a cluster to another are possible and it is looks like you make Pass-the-Hash request on the same server with the same storage. Using this bug it is possible to run SMB Relay attack on the MS SQL server on the cluster just by having a user with public rights in the MS SQL. Next time we will show eou how to make it.
So having those 3 things all together makes Pass-the-Hash/SMB Relay a silver bullet for any ERP/Business application system during penetration tests. In next blog posts you will see practical examples of this attacks in different systems.