
NTLM authentication and SMB / WebDAV based attacks


13 replies to this topic

#1 _Guess_Who_


Posted 10 November 2017 - 03:45 PM

There are sophisticated campaigns in which users are sent .dotm, .jpg, .png files. These are hosted on compromised servers. When the user accesses the files (including viewing of graphic files), it is stated that their NTLM hashes are requested and captured. This methodology is attributed to a group called Berserk Bear / Energetic Bear (https://www.ft.com/content/8c51cdae-9298-11e7-bdfa-eda243196c2c and http://fortune.com/2017/09/06/hack-energy-grid-symantec/).

I wanted to understand how exactly NTLM and WebDAV fit into this. I understand SMB authentication. As most organizations deny outbound SMB traffic, it is stated that WebDAV is used to dodge the firewall deny set for SMB, as WebDAV functions on port 80/443.

I wanted to further understand: if the malicious webpage sent an NTLM challenge, would the target machine reply with the NTLM hash as stored on the user's machine, or with a hash which is a cryptographic output of the user's actual hash? Will the user's password (in hash form) actually be sent out in any scenario?

Can anyone please shed some light on these types of attacks?





#2 Didier Stevens

  • BC Advisor

Posted 10 November 2017 - 04:12 PM

These authentication protocols are challenge-response authentication protocols, as explained here: https://en.wikipedia.org/wiki/NT_LAN_Manager#NTLMv2

The pure NTLM hash is not exchanged between the 2 machines.

 

If you want to see how this looks, I have a blog post:

https://blog.didierstevens.com/2017/04/06/quickpost-using-my-bash-bunny-to-snag-creds-from-a-locked-machine/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 _Guess_Who_

  • Topic Starter

Posted 11 November 2017 - 04:06 AM

Thank you very much for your response. I have two separate sets of questions.

 

1. My first question is related to the methodology: As per the information, the user's machine will try and authenticate using NTLM to an external source in case of .png, .jpg and .dotm file(s). Is this true? Can just viewing these files automatically send an NTLM response in the background? Since the compromised server (advisory) controls the cryptographic nonce as part of the challenge message, can he/she decode the response to find the user's password (stored as a hashed NTLM on the endpoint)?

 

 

Your demonstration requires physical access to the computer; however, the exploit runs using network drivers. How does this translate to a network-exploitable vulnerability?

 

I want to see a PoC or understand the IOCs (indicators of compromise) if such a methodology is used.

 

Thank you. :)

 

 

PS: These are questions from a friend of mine:

 

As discussed, below points need to be answered.

1) NTLM hash used to store in the end user system.
2) NTLM Challenge / Response – are derived from these stored hashes but are different things.
3) These challenge & responses are authentication protocols & as stated above different from NT hashes themselves. --- Is this true?
4) Only hits to a particular site do not mean that the attacker has access to the hashes.
5) Attacker needs to be able to SNIFF the traffic for challenge & responses, i.e. he should be in ALREADY, i.e. MITM attack. - I personally don't think sniffing is required if the bad guy owns the server. Also sniffing data in WAN seems impossible.
6) Even after getting those challenge & responses he has to go yield which password has got those responses.

Thank you for guiding me.


#4 Didier Stevens

  • BC Advisor

Posted 11 November 2017 - 04:43 AM

> Since the compromised server (advisory)

 

Can you share the link to the advisory you are referring to?




#5 _Guess_Who_

  • Topic Starter

Posted 11 November 2017 - 04:45 AM

I have messaged you the links, but they are dead. Does this mean the attack works?



#6 Didier Stevens

  • BC Advisor

Posted 11 November 2017 - 04:58 AM

I saw your links, but per Bleeping Computer's policies we need to discuss this in this thread, and not via PM.

 

These links are not links to the advisory.

 

Did you just suffer an attack and are you investigating this now?




#7 _Guess_Who_

  • Topic Starter

Posted 11 November 2017 - 05:37 AM

I'm investigating them. There is a third party who is advising us, but I'm unable to link what they're saying to our SIEM. I'm extremely sorry to ask you this again, but the method I've described, is it valid? Is this the methodology of the group I mentioned?

 

Also the incident in question is almost a year old now.



#8 Didier Stevens

  • BC Advisor

Posted 11 November 2017 - 08:26 AM

Yes, there are methods to steal credentials with NTLM challenge-response protocols (but it requires cracking the challenge/response to recover the password).

There are several methods to do this. Here is a detailed description for a method that is called "Redirect to SMB": https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf

 

I don't know if the group you mention uses the method you try to describe. There are different methods and many actors, and there's often not a one-to-one relationship.

 

The IP address of one of the URLs you gave me appears in a malware report for a "Redirect to SMB" attack: https://www.us-cert.gov/sites/default/files/publications/MIFR-10128830_TLP_WHITE.pdf

So it's very likely that you were the target of such an attack. You will need to review your logs to try to determine if it was successful or not.

 

But standard procedure is to reset the passwords of the targeted user(s).




#9 _Guess_Who_

  • Topic Starter

Posted 11 November 2017 - 10:33 AM

space



#10 _Guess_Who_

  • Topic Starter

Posted 19 November 2017 - 08:15 AM

After researching the methodology used, especially the use of WebDAV for data (NTLM) exfiltration, I personally feel the best defense would be at the end system, where the machine will not respond to NTLM requests to any IP from outside the intranet. I see many security vendors provide this feature - Symantec - https://support.symantec.com/en_US/article.TECH104433.html. We can further harden this by deploying firewall rules on the endpoint which will respond to NTLM requests only to explicitly allowed IPs.

 

Can someone please review this as a defense to the stated attack? 

 

Secondly, while reviewing this attack methodology in general, I've seen logs wherein an internal machine initiates connections to external IPs (not on the intranet) on port 137, 139 or 445. What would a general response to this be? Why would a machine on the corporate network probe internet IPs on SMB / vulnerable ports? Has anyone seen such behavior?

 

Thank you. :) 
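The triage this post asks about (internal hosts reaching Internet IPs on 137/139/445, and the WebDAV fallback on port 80 when SMB is blocked) can be run over exported firewall and proxy logs with a script like this one. It is an added example, not code from the thread or from any vendor named in it; the key=value log format, the field names, the addresses and the RFC 1918 intranet assumption are all constructed.

```python
import ipaddress
import re

# Constructed sample log lines (not from the thread), key=value style; 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOGS = """\
type=fw src=10.1.2.33 dst=10.1.2.5 dport=445 proto=tcp action=allow
type=fw src=10.1.2.33 dst=203.0.113.7 dport=445 proto=tcp action=allow
type=fw src=10.1.2.41 dst=198.51.100.9 dport=139 proto=tcp action=deny
type=fw src=10.1.2.41 dst=198.51.100.9 dport=80 proto=tcp action=allow
type=proxy src=10.1.2.41 dst=198.51.100.9 dport=80 method=PROPFIND ua=Microsoft-WebDAV-MiniRedir/10.0.15063
type=proxy src=10.1.2.50 dst=203.0.113.20 dport=443 method=GET ua=Mozilla/5.0
"""

# Assumption: the intranet is the RFC 1918 space; add the organisation's own public ranges if any.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {137, 139, 445}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    return dict(FIELD_RE.findall(line))  # one key=value log line -> dict

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(entry):
    """Label outbound SMB/NetBIOS or outbound WebDAV (the MiniRedir client on 80/443); else None."""
    if not is_external(entry["dst"]):
        return None
    if int(entry["dport"]) in SMB_PORTS:
        return "outbound-smb"
    if entry.get("method") == "PROPFIND" or entry.get("ua", "").startswith("Microsoft-WebDAV-MiniRedir"):
        return "outbound-webdav"
    return None  # ordinary browsing on 80/443 is not flagged

def find_suspicious(log_text):
    """Return (src, dst, dport, label, action) for every flagged line."""
    hits = []
    for entry in (parse(l) for l in log_text.splitlines()):
        label = classify(entry)
        if label:
            hits.append((entry["src"], entry["dst"], int(entry["dport"]), label, entry.get("action", "n/a")))
    return hits

def smb_then_webdav(hits):
    """(src, dst) pairs that tried SMB and also spoke WebDAV to the same host: the firewall-bypass pattern."""
    smb = {(s, d) for s, d, _, label, _ in hits if label == "outbound-smb"}
    return sorted({(s, d) for s, d, _, label, _ in hits if label == "outbound-webdav" and (s, d) in smb})
```

A host that appears in `smb_then_webdav` is the one to pull for NTLM-related events and a password reset, since the denied SMB attempt alone says nothing about whether the WebDAV path succeeded.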



#11 _Guess_Who_

  • Topic Starter

Posted 25 November 2017 - 02:41 AM

Some important information on the group:

 

http://www.bbc.com/news/technology-42056555

 

Two IP addresses to note: 

 

188.240.220.3 & 91.121.108.153


#12 Didier Stevens

  • BC Advisor

Posted 26 November 2017 - 01:15 PM

FYI: https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/




#13 _Guess_Who_

  • Topic Starter

Posted 26 November 2017 - 03:20 PM

This is brilliant. Thank you very much. Have a wonderful week ahead!



#14 Didier Stevens

  • BC Advisor

Posted 12 December 2017 - 03:46 PM

You're welcome.


