SSRF attacks have been gaining popularity and a lot of attention this year. Our company has done some research in this area and obtained some interesting results that can be turned into good attack vectors. Let me show you one of them.
We know that a server can be forced to perform a request via an SSRF attack. In our experience, sending HTTP requests is one of the most frequent situations. But what can we do with it? If the target is a Java-based application running on Windows, we can try an NTLM relay attack over HTTP. How is that possible? Java has a built-in HTTP client that supports NTLM authentication by default. So we can use the SSRF attack to make the Java application connect to our web server; our web server then demands NTLM authentication, and the Java app sends its credentials. Therefore we can perform any NTLM relay attack (including SMB relay) or recover the Windows user name and password of the Java app from the captured NTLM net hashes. There are Metasploit modules for each attack: ‘HTTP Client MS Credential Relayer’ (auxiliary/server/http_ntlmrelay) and ‘HTTP Client MS Credential Catcher’ (auxiliary/server/capture/http_ntlm).
Actually, this is quite strange, because “server” applications built on other technologies (for example, PHP applications) have no native support for automatic NTLM authentication. Client applications (IE, Chrome, MS Word, etc.) do support it, but by default automatic authentication is only possible in the Intranet zone, which means credentials will only be sent to a host reachable by a short name (one without dots), such as “http://evil/”.
But Java has no such rule, so a Java application will perform NTLM authentication against any host that demands it, even http://www.evil.com/ (with dots) or http://192.168.0.1 (any IP address). So we are able to grab hashes from anywhere on the Internet.
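From the defender's side, the dotless-name rule above is also a usable detection rule: any credential-bearing NTLM Type 3 message leaving a server for a dotted host name or an IP address is exactly the leak described here. The following script is an added example, not part of the original post: it builds a constructed Type 3 message (MS-NLMP layout) as test data, parses the domain and user name out of an `Authorization: NTLM` header found in proxy log lines (the log format, host names and account names are all assumed), and flags those sent outside the intranet zone.

```python
import base64
import re
import struct
UNICODE_FLAG = 0x00000001  # MS-NLMP NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE
LOG_RE = re.compile(r"dst=(\S+) .*Authorization: NTLM ([A-Za-z0-9+/=]+)")

def build_type3(domain, user, workstation):
    """Constructed test data: a minimal MS-NLMP Type 3 (signature, type, six
    len/maxlen/offset buffers, flags, payload) with empty LM/NT responses."""
    fields = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), b"", 64
    for f in fields:  # LM resp, NT resp, Domain, User, Workstation, session key
        header += struct.pack("<HHI", len(f), len(f), offset)
        payload, offset = payload + f, offset + len(f)
    return header + struct.pack("<I", UNICODE_FLAG) + payload

def parse_type3(blob):
    """(domain, user, workstation) from a Type 3 message; None for Type 1/2 or malformed."""
    if len(blob) < 64 or blob[:8] != b"NTLMSSP\x00" or blob[8:12] != b"\x03\x00\x00\x00":
        return None  # only Type 3 carries the account name and the response hashes
    enc = "utf-16-le" if struct.unpack_from("<I", blob, 60)[0] & UNICODE_FLAG else "cp437"
    bufs = [struct.unpack_from("<HHI", blob, pos) for pos in (28, 36, 44)]  # Domain, User, Wks
    if any(off + ln > len(blob) for ln, _, off in bufs):
        return None  # security buffer points outside the message
    return tuple(blob[off:off + ln].decode(enc, errors="replace") for ln, _, off in bufs)

def is_intranet_name(host):
    """The browser 'Intranet zone' rule from the post: a dotless short name only."""
    return "." not in host.split(":")[0]

def find_leaked_ntlm(log_lines):
    """Alert on credential-bearing (Type 3) NTLM sent to hosts outside that zone."""
    alerts = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        host, b64 = m.groups()
        try:
            parsed = parse_type3(base64.b64decode(b64))
        except ValueError:  # bad base64 padding (binascii.Error is a ValueError)
            continue
        if parsed and not is_intranet_name(host):
            alerts.append({"dst": host, "domain": parsed[0], "user": parsed[1]})
    return alerts

TYPE3 = base64.b64encode(build_type3("CORP", "svc_java", "APP01")).decode()
TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()
SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    "dst=fileshare client=10.0.0.5 Authorization: NTLM " + TYPE3,
    "dst=www.evil.com client=10.0.0.5 Authorization: NTLM " + TYPE3,
    "dst=192.168.0.1 client=10.0.0.5 Authorization: NTLM " + TYPE1,
]
```

Running `find_leaked_ntlm(SAMPLE_LOG)` reports only the `www.evil.com` line, since the first goes to a dotless name and the third is a Type 1 negotiate message that carries no credentials. Newer JDKs also expose the Windows-only system property `jdk.http.ntlm.transparentAuth` (values `disabled`, `trustedHosts`, `allHosts`), which governs whether the built-in client answers NTLM challenges with the logged-on user's credentials at all.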
To sum up, in our experience many big Java applications have various vulnerabilities that allow SSRF attacks, and on Windows they are more often run under user accounts than as services. So this is a very good base for NTLM relay attacks (including SMB relay).
SSRF + Java + Windows = Love :)
Thanks for your attention.