SlideShare a Scribd company logo

Hot potato Privilege Escalation

Sunny Neo
Sunny Neo

Hot Potato is a tool that combines three vulnerabilities - NetBIOS Name Service spoofing, Web Proxy Auto-Discovery Protocol man-in-the-middle attacks, and HTTP to SMB relaying - to perform privilege escalation on Windows systems. It takes advantage of legacy Windows protocols like NetBIOS and WPAD to trick applications into sending NTLM authentication credentials over HTTP, which are then relayed back over SMB to authenticate at a higher privilege level. Microsoft released patches in 2016 to address issues like local HTTP to SMB relaying and secure WPAD resolution. Disabling vulnerable legacy protocols, requiring SMB signing, and using more secure authentication methods like NTLMv2 or Kerberos can help prevent such privilege escalation attacks.

Technology
1 of 15
Hot Potato Privilege Escalation Sunny Neo
Hot Potato • Tool released by Stephen Breen @ FoxGlove Security • Combined 3 vulnerabilities to perform Privilege Escalation • NetBIOS Name Service (NBNS) Spoofing • Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle Attack • HTTP-> SMB Relay 2
NetBIOS over TCP/IP • Enabled by Default for Windows • Legacy API that provides services pertaining to Layer 5 (session) of OSI • Enables applications on different machines within local network to communicate • Provides 3 Types of Services • Name Service (UDP: 137) • Datagram Service (UDP: 138) • Session Service (TCP: 139) Source: https://pentestlab.wordpress.com/tag/nbtscan/
NetBIOS Name Service Spoofing • Windows resolves domain name by the order • Local Host File @ C:WindowsSystem32driversetchosts • DNS Cache • DNS Server • Local LMHOST File @ C:WindowsSystem32driversetclmhosts.sam • Link-Local Multicast Name Resolution (LLMNR) • NetBIOS broadcast • Anyone can respond to the NetBIOS Broadcast  4
Web Proxy Auto-Discovery Protocol (WPAD) • Enables Browser to automatically configure Proxy Settings • IE will automatically look up http://WPAD/wpad.dat for proxy settings
WPAD Man in the Middle 6 Source: https://github.com/breenmachine/Potato
NTLM Authentication • Challenge – Response • 3 Types of Messages • Negotiation • Challenge • Response 7 Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx
SMB -> SMB Relay • 15 years old SMB Relay/Reflection Attack Attacker MITMed the connection to legitimate SMB Server Legitimate Client (3) Client sends the Attacker the NTLM Challenge (2) Attacker connects to Client SMB service and asks for a NTLM Challenge (1) Client connects to SMB Server and asks for a NTLM Challenge (4) Attacker modifies Client’s Challenge and sends it back to Client as his own for (1) (5) Client receives (1) Challenge, encrypts it using his credential (hash) and sends it back to Attacker (6) Attacker sends back the response he receives and successfully authenticate for (2) 8
SMB -> SMB Relay • MS08-068 stops this by preventing relaying back the Challenges Keys from where they were issued – SMB to SMB Relay • Doesn’t stop cross protocol attack HTTP -> SMB Relay (Before 14 June 2016) 9
HTTP-> SMB Relay • IE supports Integrated Windows Authentication (NTLM Authentication) • Automatic Logon is enabled by default for Intranet Zone • Localhost is part of Intranet Zone 10
Hot Potato (Windows 7) Steps 1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80 2. Start Windows Defender Update (NT Authority/System) 3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES 4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB to obtain Challenge then forward it to Windows Defender Update 5. Windows Defender Update sends NTLM Response 6. Hot Potato resumes the SMB Authentication with the NTLM Response  11
Patches (MS16-075 & MS16-077) • MS16-075 • Fix local HTTP->SMB Relay • MS16-077 (BadTunnel) • WPAD resolution for auto proxy detection will not use NETBIOS • The default behavior of PAC file download is changed so that the client's domain credentials are not automatically sent in response to an NTLM or Negotiate Authentication challenge when WinHTTP requests the PAC file 12
What about LLMNR? 13
Prevention & Mitigation 1. Disable legacy protocols and broadcast protocols and WPAD 2. Require SMB Signing 3. Extended Protection For Authentication 4. NTLMv2 Hash only or Kerberos 5. Network Segmentation 14
Reference • https://foxglovesecurity.com/2016/01/16/hot-potato/ • https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning • https://technet.microsoft.com/en-us/library/cc940063.aspx • https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/ • http://findproxyforurl.com/wpad-introduction/ • https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/ • http://blog.kleissner.org/?p=842 • https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx • https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/ • https://www.rapid7.com/db/modules/auxiliary/server/capture/smb • http://mccltd.net/blog/?p=1252 • https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf • http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle • http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/ • https://www.ptsecurity.com/download/wpad_weakness_en.pdf • http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism • https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf

Recommended

Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdflaibaarsyila
 
[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBGA Cyber Security
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 

Recommended

Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdflaibaarsyila
 
[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?[AVTOKYO 2017] What is red team?
[AVTOKYO 2017] What is red team?Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBGA Cyber Security
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Murat KARA
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsKannan Subbiah
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill ChainPuma Security, LLC
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
Attack on Sony
Attack on SonyAttack on Sony
Attack on SonyNick Bilogorskiy
 
Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege ElevationMichael Shalyt
 

More Related Content

What's hot

Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For BeginnersRamnath Shenoy
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Murat KARA
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsKannan Subbiah
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 

What's hot (20)

Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9Siber Güvenlik ve Etik Hacking Sunu - 9
Siber Güvenlik ve Etik Hacking Sunu - 9
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
SaaS Challenges & Security Concerns
SaaS Challenges & Security ConcernsSaaS Challenges & Security Concerns
SaaS Challenges & Security Concerns
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1
 

Viewers also liked

Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege ElevationMichael Shalyt
 
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Дмитрий Бумов
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Cyphort
 
Safer IoT using functional language
Safer IoT using functional languageSafer IoT using functional language
Safer IoT using functional languageKiwamu Okabe
 
How to own the world, one desktop at a time
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a timeSaumil Shah
 
SecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドSecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドAsterisk Research, Inc.
 
SecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドSecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドAsterisk Research, Inc.
 
SecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドSecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドAsterisk Research, Inc.
 
SecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドSecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドAsterisk Research, Inc.
 
SecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドSecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドAsterisk Research, Inc.
 
The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)danwrong
 
Hands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerHands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerKiwamu Okabe
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 

Viewers also liked (20)

Attack on Sony
Attack on SonyAttack on Sony
Attack on Sony
 
Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege Elevation
 
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
 
Safer IoT using functional language
Safer IoT using functional languageSafer IoT using functional language
Safer IoT using functional language
 
GCC GENERIC
GCC GENERICGCC GENERIC
GCC GENERIC
 
How to own the world, one desktop at a time
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a time
 
SecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドSecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイド
 
SecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドSecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイド
 
SecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドSecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイド
 
SecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドSecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイド
 
SecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドSecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイド
 
The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)
 
Raspberry pi
Raspberry piRaspberry pi
Raspberry pi
 
Hands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerHands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontroller
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic Linking
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 

Similar to Hot potato Privilege Escalation

Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPWalid Umar
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksKhajornchol Puwarang
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Agnieszka Kuba
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Renaun Erickson
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networksUC San Diego
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
 
Sharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxSharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxjasembo
 
Networking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimNetworking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimRoy Kim
 
DNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerDNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerShovonKumar1
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPagesCsaba Kiss
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonusmscug
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusAdam Hand
 
Intrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanIntrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanchinitooo
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2Vincent Mercier
 
Dns server converted
Dns server convertedDns server converted
Dns server convertedmariymmithila
 

Similar to Hot potato Privilege Escalation (20)

Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe
 
Setting ubuntu server sebagai pc router
Setting ubuntu server sebagai pc routerSetting ubuntu server sebagai pc router
Setting ubuntu server sebagai pc router
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Rhel4
Rhel4Rhel4
Rhel4
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 
Sharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxSharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linux
 
Networking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimNetworking For Application Developers by Roy Kim
Networking For Application Developers by Roy Kim
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
DNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerDNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracer
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
 
Tcpip Intro
Tcpip IntroTcpip Intro
Tcpip Intro
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonus
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonus
 
Intrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanIntrack14dec tips tricks_clean
Intrack14dec tips tricks_clean
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2
 
Dns server converted
Dns server convertedDns server converted
Dns server converted
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Hot potato Privilege Escalation

  • 2. Hot Potato • Tool released by Stephen Breen @ FoxGlove Security • Combined 3 vulnerabilities to perform Privilege Escalation • NetBIOS Name Service (NBNS) Spoofing • Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle Attack • HTTP-> SMB Relay 2
  • 3. NetBIOS over TCP/IP • Enabled by Default for Windows • Legacy API that provides services pertaining to Layer 5 (session) of OSI • Enables applications on different machines within local network to communicate • Provides 3 Types of Services • Name Service (UDP: 137) • Datagram Service (UDP: 138) • Session Service (TCP: 139) Source: https://pentestlab.wordpress.com/tag/nbtscan/
  • 4. NetBIOS Name Service Spoofing • Windows resolves domain name by the order • Local Host File @ C:WindowsSystem32driversetchosts • DNS Cache • DNS Server • Local LMHOST File @ C:WindowsSystem32driversetclmhosts.sam • Link-Local Multicast Name Resolution (LLMNR) • NetBIOS broadcast • Anyone can respond to the NetBIOS Broadcast  4
  • 5. Web Proxy Auto-Discovery Protocol (WPAD) • Enables Browser to automatically configure Proxy Settings • IE will automatically look up http://WPAD/wpad.dat for proxy settings
  • 6. WPAD Man in the Middle 6 Source: https://github.com/breenmachine/Potato
  • 7. NTLM Authentication • Challenge – Response • 3 Types of Messages • Negotiation • Challenge • Response 7 Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx
  • 8. SMB -> SMB Relay • 15 years old SMB Relay/Reflection Attack Attacker MITMed the connection to legitimate SMB Server Legitimate Client (3) Client sends the Attacker the NTLM Challenge (2) Attacker connects to Client SMB service and asks for a NTLM Challenge (1) Client connects to SMB Server and asks for a NTLM Challenge (4) Attacker modifies Client’s Challenge and sends it back to Client as his own for (1) (5) Client receives (1) Challenge, encrypts it using his credential (hash) and sends it back to Attacker (6) Attacker sends back the response he receives and successfully authenticate for (2) 8
  • 9. SMB -> SMB Relay • MS08-068 stops this by preventing relaying back the Challenges Keys from where they were issued – SMB to SMB Relay • Doesn’t stop cross protocol attack HTTP -> SMB Relay (Before 14 June 2016) 9
  • 10. HTTP-> SMB Relay • IE supports Integrated Windows Authentication (NTLM Authentication) • Automatic Logon is enabled by default for Intranet Zone • Localhost is part of Intranet Zone 10
  • 11. Hot Potato (Windows 7) Steps 1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80 2. Start Windows Defender Update (NT Authority/System) 3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES 4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB to obtain Challenge then forward it to Windows Defender Update 5. Windows Defender Update sends NTLM Response 6. Hot Potato resumes the SMB Authentication with the NTLM Response  11
  • 12. Patches (MS16-075 & MS16-077) • MS16-075 • Fix local HTTP->SMB Relay • MS16-077 (BadTunnel) • WPAD resolution for auto proxy detection will not use NETBIOS • The default behavior of PAC file download is changed so that the client's domain credentials are not automatically sent in response to an NTLM or Negotiate Authentication challenge when WinHTTP requests the PAC file 12
  • 14. Prevention & Mitigation 1. Disable legacy protocols and broadcast protocols and WPAD 2. Require SMB Signing 3. Extended Protection For Authentication 4. NTLMv2 Hash only or Kerberos 5. Network Segmentation 14
  • 15. Reference • https://foxglovesecurity.com/2016/01/16/hot-potato/ • https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning • https://technet.microsoft.com/en-us/library/cc940063.aspx • https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/ • http://findproxyforurl.com/wpad-introduction/ • https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/ • http://blog.kleissner.org/?p=842 • https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx • https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/ • https://www.rapid7.com/db/modules/auxiliary/server/capture/smb • http://mccltd.net/blog/?p=1252 • https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf • http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle • http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/ • https://www.ptsecurity.com/download/wpad_weakness_en.pdf • http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism • https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf

Editor's Notes

  1. https://technet.microsoft.com/library/security/MS16-077 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3213 https://technet.microsoft.com/library/security/MS16-075
  2. https://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python https://blog.varonis.com/closer-look-pass-hash-part-iii-ntlm-will-get-hacked/ http://perimetergrid.com/wp/2007/11/27/smb-reflection-made-way-too-easy/
  3. https://www.blackhat.com/presentations/bh-usa-07/Moore_and_Valsmith/Presentation/bh-usa-07-moore_and_valsmith.pdf https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1
  4. https://www.blackhat.com/presentations/bh-usa-07/Moore_and_Valsmith/Presentation/bh-usa-07-moore_and_valsmith.pdf https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1
  5. Does not require administrator privilege for localhost binding < 1024
  6. https://support.microsoft.com/en-us/kb/3165191
  7. Does not require administrator privilege for localhost binding < 1024