Message-ID: <20081115222657.GA25757@jingojango.net>
Date: Sat, 15 Nov 2008 16:26:57 -0600
From: Kurt Grutzmacher <grutz@...gojango.net>
To: Andres Tarasco <atarasco@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NTLM Multiprotocol Replay attacks
On Fri, Nov 14, 2008 at 09:37:46PM +0100, Andres Tarasco wrote:
> I have published a new proof of concept tool, named "Smbrelay3", that is
> able to replay NTLM authentication from several protocols like
> SMB/HTTP/IMAP/..
> http://www.tarasco.org/security/smbrelay/index.html
Great little tool from you guys! It's probably about time that I told
FullDisc about Squirtle since releasing it at this year's DefCon.
http://squirtle.googlecode.com/
What's Squirtle? It's simply an authentication bridge that controls a
browser to allow an attacker to request NTLM authentication at any time
as long as their browser is running with the Squirtle Javascript. "Evil
Agents" begin their authentication requests against different servers or
workstations, pass Squirtle a session ID and the relevant details to
complete authentication (flags, nonce, server, domain, etc) and wait for
the Type 3 response.
I've dubbed this attack "Pass The Dutchie" since we're using an already
rolled group of hashes and are ready to pass them around to our friends.
Current "Evil Agent" support I've written:
- NTLMAPS - HTTP proxy w/ NTLM support (plus pass-the-hash enabled)
- IMAP Mirror - Download all IMAP folders of a victim
- Metasploit 3.2 - PSExec against domain controllers? Yeah!
Per HD's blog post and your source code comment, MS08-068 only limits an
attacker from attempting to connect back to the user's workstation where
authentication began. Not a problem for Squirtle since you can attack
anything the victim has access to. Domain Admin clicked that link? Yeah,
the game is over.
If the DeepSec videos are published by Help Net Security you will see the
latest talk on Squirtle/NTLM SSO and view the demo attacks. I'll put
some video examples of Squirtle up before the end of the week.
--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
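The post describes an "Evil Agent" presenting a victim's Type 3 response to a server the victim's own machine never contacted. One server-side signal a defender can use for that is the Workstation field carried inside the NTLM AUTHENTICATE_MESSAGE: the victim's client fills it with its own host name, while the connection actually arrives from the agent's address. The example below, added here and not code from the Squirtle or Smbrelay3 projects, parses that message according to the MS-NLMP 2.2.1.3 layout and flags authentications whose Workstation name does not belong to the source address. The sample messages, addresses and the `INVENTORY` mapping of workstation names to addresses are constructed for the example; the challenge responses inside the sample messages are zero-filled placeholders.

```python
"""Flag NTLM authentications whose Workstation field does not match the
connection's source address (a relay indicator). Added example with
constructed data; not code from Squirtle or Smbrelay3."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
AUTHENTICATE = 3

# Byte offsets of the (len, maxlen, offset) descriptors in the fixed header
# of AUTHENTICATE_MESSAGE, per MS-NLMP 2.2.1.3. The payload starts after
# the 16-byte MIC, i.e. at offset 88.
_FIELD_OFFSETS = {"lm": 12, "nt": 20, "domain": 28, "user": 36,
                  "workstation": 44, "session_key": 52}
_FLAGS_OFFSET = 60
_HEADER_LEN = 88


def _encoding(flags):
    # Real OEM payloads use the host's OEM code page; ASCII is enough here.
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"


def build_type3(user, domain, workstation, flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal AUTHENTICATE_MESSAGE for the sample data (constructed;
    the LM/NT responses are zero-filled placeholders, not real hashes)."""
    enc = _encoding(flags)
    payload_items = {
        "lm": b"\x00" * 24,
        "nt": b"\x00" * 24,
        "domain": domain.encode(enc),
        "user": user.encode(enc),
        "workstation": workstation.encode(enc),
        "session_key": b"",
    }
    header = bytearray(_HEADER_LEN)
    header[0:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", header, 8, AUTHENTICATE)
    struct.pack_into("<I", header, _FLAGS_OFFSET, flags)
    payload, offset = b"", _HEADER_LEN
    for name, data in payload_items.items():
        struct.pack_into("<HHI", header, _FIELD_OFFSETS[name],
                         len(data), len(data), offset)
        payload += data
        offset += len(data)
    return bytes(header) + payload


def parse_type3(msg):
    """Return domain, user, workstation and flags from an AUTHENTICATE_MESSAGE."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, _FLAGS_OFFSET)[0]
    enc = _encoding(flags)

    def field(name):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, _FIELD_OFFSETS[name])
        if offset + length > len(msg):
            raise ValueError(f"{name} field points outside the message")
        return msg[offset:offset + length]

    return {"domain": field("domain").decode(enc),
            "user": field("user").decode(enc),
            "workstation": field("workstation").decode(enc),
            "flags": flags}


def check_event(source_ip, msg, inventory):
    """Classify one authentication: ok, suspect_relay, or unknown.

    inventory maps an upper-cased workstation name to the set of addresses it
    is known to use (assumed to come from DHCP leases or an asset database)."""
    info = parse_type3(msg)
    ws = info["workstation"].upper()
    known = inventory.get(ws)
    if not ws or known is None:
        verdict = "unknown"          # clients may omit the field; do not guess
    elif source_ip in known:
        verdict = "ok"
    else:
        verdict = "suspect_relay"    # name says one host, packet came from another
    return {"verdict": verdict, "user": info["user"],
            "workstation": ws, "source_ip": source_ip}


def scan(events, inventory):
    """Run check_event over (source_ip, message) pairs and return the verdicts."""
    return [check_event(ip, msg, inventory) for ip, msg in events]


# Constructed inventory and events: ALICE-PC authenticates from its own
# address, then the same kind of message arrives from an unrelated host.
INVENTORY = {"ALICE-PC": {"10.0.0.25"}, "BOB-PC": {"10.0.0.31"}}
SAMPLE_EVENTS = [
    ("10.0.0.25", build_type3("alice", "CORP", "ALICE-PC")),
    ("10.0.0.99", build_type3("alice", "CORP", "ALICE-PC")),
    ("10.0.0.31", build_type3("bob", "CORP", "BOB-PC", flags=0)),
    ("10.0.0.40", build_type3("svc", "CORP", "")),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS, INVENTORY):
        print(f'{r["verdict"]:14} {r["user"]:6} {r["workstation"]:9} {r["source_ip"]}')
```

The Workstation field is client-supplied, so this heuristic catches the relay scenario the post describes but not an agent that rewrites the field; it is a detection aid alongside the structural mitigations (SMB signing, and for HTTP the channel-binding checks added later to Windows), not a replacement for them.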
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/