SSRF attack is becoming famous and gets a lot of attention this year. Our company has performed some research in this area, and we got some interesting results, some interesting nuances which can be used to create good attack vectors. I’ll show you one of them.

We know that we can force a server to perform a request via SSRF attack. Our experience shows that sending HTTP requests is one of the most frequent situations. But what can we do with it? If our target is a Java-based application on OS Windows, we can try to execute an NTLM relay attack over HTTP. Why is it possible? Because Java has an internal HTTP-client, which supports NTLM authentication by default. So we can use SSRF attack against the Java application, and it will connect to our web server. Then, our web server will demand NTLM auth and the Java app will send its credentials. Therefore, we can perform any NTLM Relay attack (including SMB Relay) or get Windows user name and password of the Java app from NTLM net hashes. For each attack, we can use Metasploit modules: ‘HTTP Client MS Credential Relayer’ (auxiliary/server/http_ntlmrelay) or ‘HTTP Client MS Credential Catcher’ (auxiliary/server/capture/http_ntlm).

Actually, it’s very strange, because other “server” applications which are based on other technologies don’t have native support for automatic NTLM authentication (for example, PHP applications). Client applications (IE, Chrome, MS Word, etc.) support it, but by default, automatic authentication is only possible in the Intranet zone. It means that credentials will only be sent to a host accessible by a short name (without dots), like “http://evil/”.
But Java doesn’t have such rules. So a Java application will perform NTLM authentication on any hosts which will demand it, even on (with dots) or (any IP address). So we are able to grab hashes while we are located anywhere in the Internet.

To sum it all up. Our experience shows that many big Java applications have different vulnerabilities which let us perform SSRF attacks. Often, they are launched under user accounts rather than as services in OS Windows. So, there we have a very good base to perform NTLM Relay attacks (including SMB relay).

SSRF + Java + Windows = Love :)

Thanks for your attention,
Alexey Tyurin (@antyurin)