When we talk about SMB Relay attacks we describe some actions from attacker which make Incoming NTLM authentication process from server “A” possible and then relay it to server “B”. Finally attacker becomes successfully authenticated to server “B” by using account from server “A”. We have already described this type of actions, that initialized authentication process from server “A” by using ERP functions or RDBMS stored procedures. There are many ways for server “A” to make SMB connection to attacker.
SMBrelay with no action
In this post I would talk about situations where attacker may do nothing. In these cases server “A” makes connection by SMB by itself without attacker’s manipulations. How it can be? Very simply. In big corporate networks there can be some server with some software that does automated scan of subnet for some purpose. This scan uses SMB protocol and, of course, NTLM authentication. If attacker’s host will be in the same subnet he can make Relay. Attacker needs just to wait.
Which system is affected? It can be any client-server systems. It can be DLP server that works with agents on workstations via SMB, it can be Antivirus, which tries to deploy remote agent, and do other things. Here are some real examples that can prove this theory.
1. GFI LanGuard
It is very useful tool for Security Administrators. This software has a function – to grab all info from target by using Domain account, and also it has a schedule. If an administrator has to install it on some server “A” and configure it for scanning subnet by schedule (one scan in a week) with account that has local or (worse) domain admin rights, so here is a hole. Malicious user can install fake smb server on his PC and relay this credentials to have a full access to network.
2. Kaspersky AV
Famous antivirus software has dangerous function “Scan IP subnets” that is enabled by default in Kaspersky Administration Kit (6/8). This function makes ICMP scan and also tries to use SMB protocol by using service account which can be used to run SMBrelay attack and gain full control on secured network. When we talk about Kaspersky Administration Kit 6, we must know that it is difficult for administrator to give right privileges to service account that needed by AV. By reading documentation you finally make decision that this account needs to be in Local Administrators group. By default “Scan IP subnets” scans your subnet every 7 hours. Attacker just needs to wait. As AV agent is everywhere, and server’s account has local administrator right, it is very dangerous for company but very useful for penetration testing. We have done some internal penetration-tests just by using only this 0-day vulnerability.
Update by 16 march (Just found on current pentest)
3. Symantec DLP
Symantec DLP is also vulnerable to this attack when it tries to search critical data on workstations but exploitability depends on user rights.
P.S. Kaspersky vulnerability team has answered after bug report – http://support.kaspersky.com/faq/?qid=208284121
Good Luck!Alexey Sintsov