A common finding in penetration tests is that clients are not properly managing egress packet filtering from their network to the internet. This post specifically talks about the dangers of allowing egress of SMB communications over port 445 to the internet, and one simple method of exploiting it to capture a user's credentials, crack them, and gain access to the network.
So what is SMB?
According to Microsoft's website, the SMB protocol is primarily used for network file sharing or network browsing. This protocol is regularly used in corporate networks to share files and folders across the network which teams can work off of. It is also common for a user's home directory to be hosted on a network file share so that it is regularly backed up and can be retrieved if damage were to occur to the user's workstation.
So where is the problem?
Microsoft has so graciously configured SMB communications, by default, to respond to authentication requests with a user's domain credentials (in a hashed format, of course). In a corporate network, this allows for seamless usage of network file shares. A user simply authenticates to their workstation with domain credentials and then every time a file share is accessed, Microsoft handles authentication in the background to ensure that the requesting user has access to the specific file share.
How can this be exploited?
Let's say we stand up our own rogue SMB server, which always requests that clients authenticate, with a pre-configured challenge such as (1122334455667788). If the challenge is the same for every NTLMv2 hash we collect, there is a lot less computation required for cracking, which is why we pre-set it in our responses. We then trick a client on the target domain into connecting to our malicious SMB server. Our server replies "hey, you need to authenticate, here is the challenge!" and the client goes "okay, here is my NTLMv2 (or v1) hash, check to see if it successfully authenticates me!" and voilà, the rogue SMB server now has the user's hashed credentials. Toss them into oclHashcat or John the Ripper with a good dictionary list, and we can begin cracking.
Attack Storyboard - From Email to Credz
The storyboard goes as follows:
- Configure a rogue SMB server (Metasploit ftw)
- Send an email with an HTML image tag, pointing to a file path on your rogue SMB server
- Wait for user to click "Download Images" in an Outlook client, capture creds
- Crack creds
Configuring a rogue SMB server
This can be easily done through the Metasploit module auxiliary/server/capture/smb (see screenshot below). You will want to set a CAINPWFILE or JOHNPWFILE to write output to a file. Also, set SRVHOST to your IP address. This server will need to be left running while waiting to capture creds. Therefore, it is best to put it in a screen or tmux session.
Note that your SMB server will need to be internet-facing, allowing inbound port 445 connections. Some ISPs block this.
Send an email with an HTML image tag
While it seems trivial, this part is the most annoying. You simply need to insert the following image tag as HTML into an email:
Where IPADDRESS is the IP address of your rogue SMB server. The path at the end (/image/signature.jpg) can be replaced with anything you want; it does not matter.
The annoying part? Finding a way to include HTML in your email body. Unfortunately, Outlook no longer provides this capability without VB script or third-party plugins. A standalone resource to use, created by one of my awesome teammates, is smbShakedown (https://github.com/NickSanzotta/smbShakedown). Usage instructions are easy to understand and can be found on the GitHub page.
Another possibility is to use an Outlook plugin. For convenience, I have written a plugin to insert HTML code, specifically SMB tags, with the click of a button. For installing and configuring this, see the blog post https://acenyethehackerguy.com/index.php/blog/outlook-smb-email-plugin/
Wait for a user to click "Download Images"
In order for this attack to be successful, the following criteria must be met:
- User must be using Outlook email client, or open the HTML content in Internet Explorer
- User must click 'download images' from the email. If they forward the email internally, including content (say to their security phishing team), the HTML content will become trusted and subsequent users will not have to click "download content". Yay more hashes for us.
- Port 445 egress must be allowed (surprisingly common)
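A defender-side check for the port 445 egress condition above, as an added example that is not part of the original post: it scans firewall connection logs for allowed outbound TCP/445 from internal hosts to external addresses. The log format, sample lines and internal address ranges are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address space treated as "inside" (RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445}  # the port this post is about

# Constructed log format: "<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_LOG = """\
2024-05-01T09:14:02Z ALLOW TCP 10.20.3.41:51522 -> 203.0.113.10:445
2024-05-01T09:14:03Z ALLOW TCP 10.20.3.41:51523 -> 10.20.0.5:445
2024-05-01T09:15:40Z DENY TCP 10.20.7.12:49811 -> 198.51.100.77:445
2024-05-01T09:16:11Z ALLOW TCP 10.20.3.41:51530 -> 203.0.113.10:443
2024-05-01T09:17:29Z ALLOW TCP 10.20.9.8:50001 -> 203.0.113.10:445
malformed line that the parser must skip
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on e.g. 999.1.1.1
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_egress(log_text):
    """Return ({internal_src: [external dsts]}, blocked_count) for outbound SMB."""
    allowed = defaultdict(set)
    blocked = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) not in SMB_PORTS:
            continue
        try:
            outbound = is_internal(m["src"]) and not is_internal(m["dst"])
        except ValueError:  # matched the regex but is not a valid IPv4 address
            continue
        if outbound and m["action"] == "ALLOW":
            allowed[m["src"]].add(m["dst"])  # egress filtering gap: SMB left the network
        elif outbound:
            blocked += 1  # filter worked; still worth asking why the host tried
    return {src: sorted(dsts) for src, dsts in allowed.items()}, blocked

if __name__ == "__main__":
    print(find_smb_egress(SAMPLE_LOG))
```

Any entry in the first returned mapping is a workstation that completed an SMB connection to the internet; the blocked count shows hosts that tried and were stopped by the egress rule.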
Once a user attempts to download the image, you will see hashes captured on your SMB server, ex:
The image is highly redacted. However, your capture will contain the victim's IP address, username, domain name, LM hash, LM_CLIENT_CHALLENGE, NTHASH, and NT_CLIENT_CHALLENGE. All of these (except for the victim IP) are put together to crack the hash. To see it all put together in a crackable format, check your JOHN or CAIN output file.
The resulting hash will look like this:
I almost always use the JOHN format with Metasploit, simply because I can pass the creds straight into oclHashcat (my preferred cracking software). This article will not go into detail on how to crack passwords, but a common catch-all for cracking weak passwords is to use the rockyou.txt wordlist with the Hashcat dive.rule ruleset. Also, use mode 5600 (-m 5600) in oclHashcat for NTLMv2. Example command:
./hashcat -m 5600 smbcapture.txt wordlists/rockyou.txt -r rules/dive.rule
- -m 5600 = hashcat cracking mode, specifies NTLMv2
- smbcapture.txt = file of hashes captured in JOHN format, output by Metasploit
- wordlists/rockyou.txt = selecting the wordlist rockyou.txt (from local directory wordlists)
- -r rules/dive.rule = selecting the Hashcat ruleset dive.rule (from local directory rules)
Once cracked, you will see the hash along with a password appended on the end:
Now that you have credz, check to see if any of the external portals are single-factor authentication that you can sign in to. For example, see if you can get into the VPN, OWA, or a company website. Demonstrate the impact of capturing and cracking credentials, especially in such a trivial manner.