SMBRelay bible 1: Attacking Enterprise business (ERP)
Why are these attacks so critical for business applications and ERP systems? The well known PassTheHash vulnerabilities can be used for gaining a shell or password hashes. It is known that possibilities for passing the hash exist in many software but when penetration testing ERP, this type of attack is even more useful due to three things:
1. Most ERP systems use domain accounts or local user accounts for running their processes. For example SAP installs with 2 usernamesadm and sap from which SAP processes running. Other ERP systems including custom also use local or domain accounts. This means that PassTheHash will generally provide needed credentials instead if NULL sessions which can be obtained if an application is running under Local Service or System accounts.
2. ERP systems have a lot of file system related functionality that allows you to conduct passthehash attack by inserting string \\fakesmb\anyfile instead of real file name stored on server. This is called PassTheHash phishing – when an attacker sets up an SMB server and try to insert this string into different fields of software and then collect requests with account hashes for the purposes of relaying them (SMBRelay)
3.And the most interesting and previously unknown feature that we found during our penetration test is cluster weakness. Most ERP systems require multiple computer resources to operate. For this reason it is common to see ERP installed in a cluster. During a security assessment it was found that the SMB relay patch from Microsoft did not protect clusters. Because of this, PassTheHash requests from one node of a cluster to another node of the cluster are possible and it is looks like you make passthehash request on the same server with the same storage. Using this bug it is possible for example to run smbrelay attack on MsSQL server on cluster just by having a user with public rights in MsSQL. Next time we will show how to make it.
So having all those 3 things together makes PassTheHash/SMBRelay a silver bullet for any ERP/Business application system during penetration tests. In next blog posts you will see a practical examples of this attacks in different systems.