Black Hat 2015: we can steal Active Directory credentials from the Internet via SMB

Two researchers showed at the Black Hat 2015 conference that an attack via the SMB file-sharing protocol, long thought to be confined to local networks, can in fact be used to attack Windows servers hosted in the cloud.

During the Black Hat 2015 conference (Las Vegas, August 1 to 6), two researchers showed that an attack technique via the SMB file-sharing protocol that was thought to work only on local networks can in fact be carried out over the Internet. With this so-called SMB relay attack, a Windows computer belonging to an Active Directory domain reveals the user’s credentials when the latter visits a web page, opens an email in Outlook or watches a video in Windows Media Player. The attacker can then hijack these credentials to authenticate on behalf of the user on Windows servers where the user has an account, including those hosted in the cloud.

In an Active Directory network, Windows computers automatically send their credentials to access remote file shares, Microsoft Exchange mail servers or SharePoint collaboration tools. This authentication information (the computer name and the user name, both in clear text, plus a cryptographic hash derived from the user’s password) is sent using the NTLMv2 authentication protocol. In 2001, security researchers had already developed a so-called SMB relay attack: by positioning themselves between a Windows computer and a server, attackers could intercept the credentials, relay them to the server and authenticate themselves instead of the legitimate user. At the time, however, everyone thought the attack only worked locally.

Authentication configured by default in IE

Except that, in Internet Explorer, user authentication is configured by default with the option “automatic logon only in the intranet zone”. Security researchers Jonathan Brossard and Hormazd Billimoria found that this option was ignored, and that it was possible to trick the browser into leaking the user’s Active Directory information (that is, the user name and the cryptographic hash derived from the password) to a remote SMB server controlled by the attackers. The researchers traced the path through a Windows-specific DLL that is used both by Internet Explorer and by many applications that can access URLs, such as Microsoft Outlook, Windows Media Player and other third-party programs. “When the application wants to access a URL, the DLL file checks the authentication information in the registry, but ignores it,” the researchers explained during their presentation.

All current (or still supported) versions of Windows and Internet Explorer are affected by the problem. “This is the first remote attack capable of potentially compromising Windows 10 and the new Microsoft Edge browser,” warned Jonathan Brossard. “We are aware of this issue and are investigating it,” a Microsoft representative said by email on Thursday.

Several possible scenarios

“Once attackers get their hands on the user’s credentials, they can use them in different ways,” Brossard said. A first scenario would consist of mounting an SMB relay attack to authenticate in place of the victim on servers hosted outside the local network, using a feature called “NTLM over http” that was added to extend the perimeter of networks into cloud environments. In particular, attackers could obtain a remote shell on the server, which they could then use to install malware or run programs that exploit vulnerabilities. If the remote server is an Exchange server, attackers could download the user’s entire mailbox.
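The credentials described above travel in the NTLM Type 3 (AUTHENTICATE) message, whether carried over SMB or over the “NTLM over http” feature mentioned here, so a proxy or gateway that logs outbound Authorization headers can see who is authenticating where. As an added example that is not from the article or the researchers, the Python below parses such a header to recover the domain, user and workstation and flags authentication sent to hosts outside the corporate zone; the log records, hostnames and internal-domain suffix are constructed.

```python
import base64
import struct

# Byte offsets of the Len/MaxLen/BufferOffset descriptors in a Type 3 message (MS-NLMP layout).
FIELD_OFFSETS = {"lm": 12, "nt": 20, "domain": 28, "user": 36, "workstation": 44}
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM charset otherwise

def _field(msg, off):
    """Decode one field descriptor and return the payload bytes it points to."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]

def parse_type3(header_value):
    """Parse an 'Authorization: NTLM <base64>' value; returns None unless it is a Type 3 message."""
    msg = base64.b64decode(header_value.split()[-1])
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        return None
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    nt_resp = _field(msg, FIELD_OFFSETS["nt"])
    return {
        "domain": _field(msg, FIELD_OFFSETS["domain"]).decode(enc),
        "user": _field(msg, FIELD_OFFSETS["user"]).decode(enc),
        "workstation": _field(msg, FIELD_OFFSETS["workstation"]).decode(enc),
        # A 24-byte NtChallengeResponse is NTLMv1; NTLMv2 appends a client blob, so it is longer.
        "ntlm_version": 2 if len(nt_resp) > 24 else 1,
    }

def build_type3(domain, user, workstation, nt_resp):
    """Assemble a constructed Type 3 message for sample input only (nt_resp is arbitrary filler)."""
    blobs = [b"\x00" * 24, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    descs, payload, pos = b"", b"", 72  # payload follows the 64-byte header plus 8-byte Version
    for b in blobs:
        descs += struct.pack("<HHI", len(b), len(b), pos)
        payload += b
        pos += len(b)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3) + descs + struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 8
    return "NTLM " + base64.b64encode(header + payload).decode()

# Constructed proxy log records: (destination host, Authorization header as the client sent it).
SAMPLE_RECORDS = [
    ("sharepoint.corp.example", build_type3("CORP", "alice", "WS-ALICE", b"\x11" * 16 + b"\x22" * 40)),
    ("203.0.113.7", build_type3("CORP", "bob", "WS-BOB", b"\x33" * 16 + b"\x44" * 40)),
]
INTERNAL_SUFFIXES = (".corp.example",)  # constructed: hostnames that legitimately receive NTLM

def find_external_ntlm(records, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (host, DOMAIN\\user, ntlm_version) for every Type 3 sent to a non-internal host."""
    hits = []
    for host, header in records:
        info = parse_type3(header)
        if info and not host.endswith(internal_suffixes):
            hits.append((host, f"{info['domain']}\\{info['user']}", info["ntlm_version"]))
    return hits
```

Each hit is an NTLM credential exchange that left the intranet zone and is worth an alert; blocking outbound TCP 445 and restricting outgoing NTLM to remote servers remove the leak rather than just observing it.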

Another scenario would involve cracking the stolen password hash and using the recovered password to access a Remote Desktop Protocol server. Attackers can do this using specialized platforms or services that provide access to high computing power. A password of eight characters or less can be cracked in about two days. “And, deciphering a whole list of stolen hashes wouldn’t take any longer, since the process tests all the combinations at once,” the researcher added. Windows credentials stolen over the Internet would also be useful to attackers who have already managed to sneak into a local network but do not have administrative privileges. By sending a simple email message to the legitimate administrator, they could retrieve the administrator’s credentials through Outlook and use the stolen hash to carry out an SMB relay attack against servers connected to the local network.
