
NTLM authentication and SMB / WebDAV based attacks



#1 _Guess_Who_ (Members)

Posted 10 November 2017 - 03:45 PM

There are sophisticated campaigns in which users are sent .dotm, .jpg, .png files. These are hosted on compromised servers. When the user accesses the files (including viewing of graphic files) it is stated that their NTLM hashes are requested and captured. This methodology is attributed to a group called Berserk Bear / Energetic Bear (https://www.ft.com/content/8c51cdae-9298-11e7-bdfa-eda243196c2c and http://fortune.com/2017/09/06/hack-energy-grid-symantec/).

I wanted to understand how exactly NTLM and WebDAV fit into this. I understand SMB authentication. As most organizations deny outbound SMB traffic, it is stated that WebDAV is used to dodge the firewall deny set for SMB, as WebDAV functions on port 80/443.

I wanted to further understand: if the malicious webpage sent an NTLM challenge, would the target machine reply with the NTLM hash as stored on the machine of the user, or with a hash which is a cryptographic output of the user's actual hash? Will the user's password (in hash form) actually be sent out in any scenario?

Can anyone please shed some light on these types of attacks?




#2 Didier Stevens (BC Advisor)

Posted 10 November 2017 - 04:12 PM

These authentication protocols are challenge-response authentication protocols, as explained here: https://en.wikipedia.org/wiki/NT_LAN_Manager#NTLMv2

The pure NTLM hash is not exchanged between the 2 machines.

 

If you want to see how this looks, I have a blogpost:

https://blog.didierstevens.com/2017/04/06/quickpost-using-my-bash-bunny-to-snag-creds-from-a-locked-machine/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
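As an added illustration of the challenge-response point made in this reply (example code written for this thread, not from the post, the linked blog or any NTLM implementation; the NT hash, the challenges, the timestamp and the user/domain names are constructed sample values), this computes an NTLMv2 response the way MS-NLMP specifies it and shows that the stored NT hash itself never appears on the wire; a party holding the challenge and the response can only test candidate hashes one at a time.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from any real system).
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # what the endpoint stores
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")          # chosen by the (attacker's) server
SAMPLE_CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")          # nonce chosen by the client
SAMPLE_TIMESTAMP = 131538420000000000                                # Windows FILETIME, constructed

def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def client_blob(timestamp: int, client_challenge: bytes) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE: type bytes, reserved, FILETIME, 8-byte client nonce,
    reserved, an empty AV_PAIR list (MsvAvEOL), reserved. This part travels in the clear."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)

def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """What the client puts on the wire: NTProofStr (an HMAC-MD5) followed by the blob."""
    key = ntowfv2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob

def hash_leaks_in_response(nt_hash: bytes, response: bytes) -> bool:
    """True only if the raw NT hash bytes are present in the captured response (they are not)."""
    return nt_hash in response

def check_candidate(candidate_nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, response: bytes) -> bool:
    """Offline verification of ONE candidate hash against a captured challenge/response.
    This is all a capturing party can do: recovering the password means repeating this
    per guess, i.e. cracking, rather than reading the hash off the wire."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowfv2(candidate_nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)

def demo() -> dict:
    blob = client_blob(SAMPLE_TIMESTAMP, SAMPLE_CLIENT_CHALLENGE)
    response = ntlmv2_response(SAMPLE_NT_HASH, "alice", "CORP", SAMPLE_SERVER_CHALLENGE, blob)
    return {
        "hash_on_wire": hash_leaks_in_response(SAMPLE_NT_HASH, response),
        "correct_guess_verifies": check_candidate(SAMPLE_NT_HASH, "alice", "CORP", SAMPLE_SERVER_CHALLENGE, response),
        "wrong_guess_verifies": check_candidate(bytes(16), "alice", "CORP", SAMPLE_SERVER_CHALLENGE, response),
    }
```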


#3 _Guess_Who_ (Topic Starter)

Posted 11 November 2017 - 04:06 AM

Thank you very much for your response. I have two separate sets of questions.

1. My first question is related to the methodology: As per the information, the user's machine will try and authenticate using NTLM to an external source in case of .png, .jpg and .dotm file(s). Is this true? Can just viewing these files automatically send an NTLM response in the background? Since the compromised server (advisory) controls the cryptographic nonce as part of the challenge message, can he/she decode the response to find the user's password (stored as a hashed NTLM on the endpoint)?

Your demonstration requires physical access to the computer, however the exploit runs using network drivers. How does this translate to a network-exploitable vulnerability?

I want to see a PoC or understand the IOC (indicators of compromise) if such a methodology is used.

 

Thank you. :)

 

 

PS: These are questions from a friend of mine:

 

As discussed, below points need to be answered.

1) NTLM hash used to store in the end user system.
2) NTLM Challenge / Response – are derived from these stored hashes but are different things.
3) These challenge & responses are authentication protocols & as stated above different from NT hashes themselves. --- Is this true?
4) Only hits to a particular site does not mean that the attacker has access to the hashes.
5) Attacker needs to be able to SNIFF the traffic for challenge & responses, i.e. he should be in ALREADY, i.e. MITM attack. - I personally don't think sniffing is required if the bad guy owns the server. Also sniffing data in WAN seems impossible.
6) Even after getting those challenge & responses he has to go yield which password has got those responses.

Thank you for guiding me.


#4 Didier Stevens (BC Advisor)

Posted 11 November 2017 - 04:43 AM

> Since the compromised server (advisory)

 

Can you share the link to the advisory you are referring to?




#5 _Guess_Who_ (Topic Starter)

Posted 11 November 2017 - 04:45 AM

I have messaged you the links, but they are dead. Does this mean the attack works?



#6 Didier Stevens (BC Advisor)

Posted 11 November 2017 - 04:58 AM

I saw your links, but per Bleeping Computer's policies we need to discuss this in this thread, and not via PM.

 

These links are not links to the advisory.

 

Did you just suffer an attack and are you investigating this now?




#7 _Guess_Who_ (Topic Starter)

Posted 11 November 2017 - 05:37 AM

I'm investigating them. There is a third party who is advising us. But I'm unable to link what they're saying to our SIEM. I'm extremely sorry to ask you this again. But the method I've described, is it valid? Is this the methodology of the group I mentioned?

 

Also the incident in question is almost a year old now.



#8 Didier Stevens (BC Advisor)

Posted 11 November 2017 - 08:26 AM

Yes, there are methods to steal credentials with NTLM challenge response protocols (but it requires cracking the challenge/response to recover the password).

There are several methods to do this. Here is a detailed description for a method that is called "Redirect to SMB": https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf

 

I don't know if the group you mention uses the method you try to describe. There are different methods and many actors, and there's often not a one-to-one relationship.

 

The IP address of one of the URLs you gave me appears in a malware report for a "Redirect to SMB" attack: https://www.us-cert.gov/sites/default/files/publications/MIFR-10128830_TLP_WHITE.pdf

So it's very likely that you were the target of such an attack. You will need to review your logs to try to determine if it was successful or not.

 

But standard procedure is to reset the passwords of the targeted user(s).


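An added example, not from the thread, of the log review this reply recommends: it screens constructed proxy/firewall egress records (the CSV layout, the RFC 1918 "internal" definition and the sample addresses are assumptions) for the two indicators discussed above, outbound SMB attempts to external hosts and WebDAV/NTLM authentication to external web hosts on 80/443, and lists the source machines whose users' passwords should be reset.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample egress records (not real traffic); assumed layout:
# time,src_ip,dst_ip,dst_port,method,uri,auth_scheme
SAMPLE_LOG = """\
2017-11-10T09:01:02Z,10.0.0.15,10.0.0.5,445,-,-,-
2017-11-10T09:01:05Z,10.0.0.15,198.51.100.7,445,-,-,-
2017-11-10T09:01:06Z,10.0.0.15,198.51.100.7,80,OPTIONS,/share/,-
2017-11-10T09:01:07Z,10.0.0.15,198.51.100.7,80,PROPFIND,/share/image.png,NTLM
2017-11-10T09:02:00Z,10.0.0.22,203.0.113.10,443,GET,/index.html,-
2017-11-10T09:03:00Z,10.0.0.15,10.0.0.9,80,PROPFIND,/dav/,NTLM
"""

# Only RFC 1918 ranges are treated as internal; adjust to the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_ntlm_egress(log_text: str) -> List[Dict[str, str]]:
    """Flag records matching the thread's two indicators: SMB to the Internet (normally denied,
    so the denied attempt itself is the clue) and WebDAV/NTLM to an external web host on 80/443."""
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, port, method, _uri, auth = line.split(",")
        if not is_external(dst):
            continue  # NTLM to internal servers is expected traffic
        if port in ("445", "139"):
            reason = "outbound SMB attempt to external host"
        elif auth == "NTLM":
            reason = "NTLM authentication to external web host"
        elif method in WEBDAV_METHODS:
            reason = "WebDAV method to external host (lower confidence: OPTIONS is also used by CORS)"
        else:
            continue
        findings.append({"time": ts, "src": src, "dst": dst, "port": port, "reason": reason})
    return findings

def sources_to_reset(findings: List[Dict[str, str]]) -> Set[str]:
    """Hosts whose logged-on users should get a password reset, as the reply above advises."""
    return {f["src"] for f in findings if "NTLM" in f["reason"] or "SMB" in f["reason"]}
```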


#9 _Guess_Who_ (Topic Starter)

Posted 11 November 2017 - 10:33 AM

space





