
Hot potato Privilege Escalation

Breakdown of Hot Potato Privilege Escalation


  1. Hot Potato Privilege Escalation (Sunny Neo)
  2. Hot Potato
     • Tool released by Stephen Breen @ FoxGlove Security
     • Combines 3 vulnerabilities to perform privilege escalation:
       • NetBIOS Name Service (NBNS) spoofing
       • Web Proxy Auto-Discovery Protocol (WPAD) man-in-the-middle attack
       • HTTP -> SMB relay
  3. NetBIOS over TCP/IP
     • Enabled by default on Windows
     • Legacy API that provides services pertaining to Layer 5 (session) of the OSI model
     • Enables applications on different machines within the local network to communicate
     • Provides 3 types of services:
       • Name Service (UDP 137)
       • Datagram Service (UDP 138)
       • Session Service (TCP 139)
     Source: https://pentestlab.wordpress.com/tag/nbtscan/
  4. NetBIOS Name Service Spoofing
     • Windows resolves a host name in this order:
       • Local hosts file @ C:\Windows\System32\drivers\etc\hosts
       • DNS cache
       • DNS server
       • Local LMHOSTS file @ C:\Windows\System32\drivers\etc\lmhosts.sam
       • Link-Local Multicast Name Resolution (LLMNR)
       • NetBIOS broadcast
     • Anyone on the local network can respond to the NetBIOS broadcast
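As an added illustration of the NBNS spoofing point above (example code written for this page, not part of the slide deck): a small decoder for NetBIOS Name Service answers that flags any response for the WPAD name coming from a host not on a known allow-list, since on a network with no WPAD server deployed there should be no answer at all. The packet, the transaction id and the 192.0.2.77 address are constructed fixtures, not captured traffic.

```python
import struct

NB_RR_TYPE = 0x0020  # NetBIOS general Name Service resource record type

def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001): 15 space-padded chars + suffix byte, each nibble as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    nibbles = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + nibbles + b"\x00"          # 32-byte label + root terminator

def decode_nbns_name(label: bytes) -> tuple:
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 0x20 or label[33] != 0x00:
        raise ValueError("malformed NBNS name label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_nbns_response(pkt: bytes) -> dict:
    """Parse a positive name query response: 12-byte header, one NB record, RDATA = (NB_FLAGS, IPv4) pairs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a name query response")
    name, suffix = decode_nbns_name(pkt[12:46])
    rr_type, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rr_type != NB_RR_TYPE or rdlen % 6:
        raise ValueError("unexpected resource record")
    rdata = pkt[56:56 + rdlen]
    addrs = [".".join(str(b) for b in rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
    return {"id": txid, "name": name, "suffix": suffix, "ttl": ttl, "addresses": addrs}

def audit_wpad_answer(pkt: bytes, legitimate_wpad: frozenset) -> list:
    """Findings for an answer to the WPAD name from a host not on the allow-list.
    If no WPAD host is deployed (empty allow-list), any answer at all is a spoofing indicator."""
    rec = parse_nbns_response(pkt)
    if rec["name"] != "WPAD":
        return []
    return [f"NBNS answer for WPAD from unexpected host {a} (txid {rec['id']:#06x})"
            for a in rec["addresses"] if a not in legitimate_wpad]

def constructed_wpad_response(txid: int, addr: str) -> bytes:
    """Constructed fixture standing in for a captured UDP/137 datagram (not real traffic)."""
    header = struct.pack("!6H", txid, 0x8500, 0, 1, 0, 0)   # response, authoritative, 1 answer
    rdata = struct.pack("!H", 0) + bytes(int(o) for o in addr.split("."))
    rr = struct.pack("!HHIH", NB_RR_TYPE, 1, 300, len(rdata)) + rdata
    return header + encode_nbns_name("WPAD") + rr

if __name__ == "__main__":
    for f in audit_wpad_answer(constructed_wpad_response(0x1234, "192.0.2.77"), frozenset()):
        print(f)   # 192.0.2.77 is a constructed TEST-NET-2 address
```

Feeding real UDP/137 captures through parse_nbns_response lets a sensor correlate who answers for WPAD on each segment; a host that answers for names it does not own is the spoofing indicator this deck describes.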
  5. Web Proxy Auto-Discovery Protocol (WPAD)
     • Enables the browser to automatically configure its proxy settings
     • IE automatically looks up http://WPAD/wpad.dat for proxy settings
  6. WPAD Man in the Middle (diagram)
     Source: https://github.com/breenmachine/Potato
  7. NTLM Authentication
     • Challenge – Response
     • 3 types of messages:
       • Negotiation
       • Challenge
       • Response
     Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx
  8. SMB -> SMB Relay
     • 15-year-old SMB relay/reflection attack
     • Setting: the attacker has MITMed the legitimate client's connection to the legitimate SMB server
       (1) Client connects to the SMB server and asks for an NTLM challenge
       (2) Attacker connects to the client's SMB service and asks for an NTLM challenge
       (3) Client sends the attacker the NTLM challenge
       (4) Attacker modifies the client's challenge and sends it back to the client as his own challenge for (1)
       (5) Client receives the challenge for (1), encrypts it using his credential (hash) and sends the response back to the attacker
       (6) Attacker sends back the response he received and successfully authenticates for (2)
  9. SMB -> SMB Relay
     • MS08-068 stops this by preventing challenge keys from being relayed back to where they were issued (SMB to SMB relay)
     • It does not stop the cross-protocol attack, HTTP -> SMB relay (before 14 June 2016)
  10. HTTP -> SMB Relay
     • IE supports Integrated Windows Authentication (NTLM authentication)
     • Automatic logon is enabled by default for the Intranet Zone
     • Localhost is part of the Intranet Zone
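The NTLM message types from slide 7 are what a proxy or web server log actually carries when IE performs Integrated Windows Authentication over HTTP (slide 10). As an added example written for this page (not from the deck or the Potato project), the parser below classifies the base64 token in an `Authorization: NTLM ...` header, extracts the server challenge from a CHALLENGE message and the domain, user and workstation from an AUTHENTICATE message; those are the values a defender uses to spot credentials being sent to an unexpected host. The `constructed_authenticate` fixture, the CORP/jdoe/WS01 identity and the cp437 fallback code page are assumptions for the demonstration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001           # strings in the payload are UTF-16LE when set
TYPE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _field(msg: bytes, off: int) -> bytes:
    """Read an NTLM (Len, MaxLen, Offset) field descriptor and return the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def parse_ntlm_message(msg: bytes) -> dict:
    """Classify an NTLMSSP message; expose the server challenge (type 2) or the identity (type 3)."""
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPE_NAMES.get(mtype, f"UNKNOWN({mtype})")}
    if mtype == 2:
        info["server_challenge"] = msg[24:32].hex()        # 8-byte ServerChallenge at offset 24
    elif mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]       # NegotiateFlags at offset 60
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"   # cp437: assumed OEM code page
        for key, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[key] = _field(msg, off).decode(enc)
    return info

def parse_authorization_header(value: str) -> dict:
    """Handle the value of an HTTP 'Authorization: NTLM <base64>' (or 'WWW-Authenticate: NTLM ...') header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return parse_ntlm_message(base64.b64decode(token))

def constructed_authenticate(domain: str, user: str, workstation: str) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE fixture: real header layout, empty LM/NT responses and session key."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields, payload, off = b"", b"", 64                    # payload starts right after the 64-byte header
    for blob in [b"", b""] + names + [b""]:                # LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(blob), len(blob), off)
        payload += blob
        off += len(blob)
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload

if __name__ == "__main__":
    token = base64.b64encode(constructed_authenticate("CORP", "jdoe", "WS01")).decode()
    print(parse_authorization_header("NTLM " + token))
```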
  11. Hot Potato (Windows 7) Steps
     1. Start NBNS spoofing for WPAD and start a web server on localhost:80
     2. Start Windows Defender Update (runs as NT AUTHORITY\SYSTEM)
     3. The spoofed WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
     4. The server at http://localhost/GETHASHES demands NTLM authentication, connects to the local SMB service to obtain a challenge, then forwards that challenge to Windows Defender Update
     5. Windows Defender Update sends the NTLM response
     6. Hot Potato resumes the SMB authentication with that NTLM response
  12. Patches (MS16-075 & MS16-077)
     • MS16-075
       • Fixes the local HTTP -> SMB relay
     • MS16-077 (BadTunnel)
       • WPAD resolution for auto proxy detection no longer uses NetBIOS
       • The default behaviour of PAC file download is changed so that the client's domain credentials are not automatically sent in response to an NTLM or Negotiate authentication challenge when WinHTTP requests the PAC file
  13. What about LLMNR?
  14. Prevention & Mitigation
     1. Disable legacy protocols, broadcast name resolution protocols and WPAD
     2. Require SMB signing
     3. Extended Protection for Authentication
     4. NTLMv2 hashes only, or Kerberos
     5. Network segmentation
  15. References
     • https://foxglovesecurity.com/2016/01/16/hot-potato/
     • https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
     • https://technet.microsoft.com/en-us/library/cc940063.aspx
     • https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/
     • http://findproxyforurl.com/wpad-introduction/
     • https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/
     • http://blog.kleissner.org/?p=842
     • https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx
     • https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/
     • https://www.rapid7.com/db/modules/auxiliary/server/capture/smb
     • http://mccltd.net/blog/?p=1252
     • https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf
     • http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle
     • http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/
     • https://www.ptsecurity.com/download/wpad_weakness_en.pdf
     • http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism
     • https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf