
SMBRelay Bible

SMBRelay Bible 7: SSRF + Java + Windows = Love

SSRF attacks have become well known and are getting a lot of attention this year. Our company has done some research in this area and found some interesting results and nuances that can be used to build good attack vectors. I’ll show you one of them.

SMBRelay Bible 6: SMBRelay attacks on corporate users part 2

Let’s continue our talk about variants of client-side attacks and turn our attention to MS Office documents. As written in the last blog post, we can create a crafted Office document and send it to users (via e-mail, for example). When a user opens it, the Office program tries to connect to our server and gives us the user’s credentials.

SMBRelay Bible 5: SMBRelay attacks on corporate users

Today we will talk about client-side attacks. An attack on a network is a progressive action. Usually, we escalate our rights step by step, from nothing to domain administrator. Even casual unprivileged users can give us something interesting, for example access to some shared resources. But how can we get these user rights?

SMBRelay Bible 4: SMBRelay with no action or attacking security software (Kaspersky AV, Symantec DLP, GFI LANguard 0-days)

When we talk about SMB Relay attacks, we describe actions by the attacker that trigger an incoming NTLM authentication process from server “A” and then relay it to server “B”. In the end, the attacker is successfully authenticated to server “B” using the account from server “A”. We have already described actions of this type, which initiated the authentication process from server “A” by using ERP functions or RDBMS stored procedures. There are many ways to make server “A” open an SMB connection to the attacker.

SMBRelay bible 3. SMBRelay by Oracle

As in the previous post, we’ll talk about methods that need only non-privileged rights, because there are too many SMB Relay methods for privileged accounts and much depends on the current situation and our rights.

SMBRelay bible 2. SMBRelay by MS SQL server

Today we will talk about the practical implementation of the SMBRelay attack through a well-known piece of software that very often becomes part of ERP systems: MS SQL Server. The latest version is 2008 (R2), but we also see 2005 and 2000 in real life, because they occupy a large part of the RDBMS application area. We will cover all of them.

SMBRelay bible 1: Attacking Enterprise business (ERP)

Why are these attacks so critical for business applications and ERP systems? The well-known PassTheHash vulnerabilities can be used to gain a shell or password hashes. Possibilities for passing the hash are known to exist in much software, but when penetration testing ERP, this type of attack is even more useful due to three things:

New blog section: SMBRelay Bible

This is the first part of our encyclopedia of pass-the-hash / SMBRelay attacks (SMBRelay Bible). The goal of this encyclopedia is to collect all the ways of obtaining NTLM authentication for conducting SMB-relay attacks or stealing credentials.