With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!
- IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!
- Metasploit integration! SMB Relay an enterprise's server farm with Squirtle!
On Nov 11th MSRC posted some information on MS08-068 implementing some changes to the NTLM protocol to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with yet as I didn't want to possibly spoil the live demos so close to DeepSec. It's nearly time to spend the evening at Metalab so more information as it develops (I promise!)
Big thanks to everyone here at DeepSec for coordinating this one-of-kind conference. Vienna is such a beautiful place to visit, I only wish it would be earlier in the season when it's not so cold and dreary outside. I hope to come next year for DeepSec 09!
Also, look for my ugly mug to make an appearance on Help Net Security soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. :)
sorry didnt read the post well enough for the first comment.
so... I'm looking forward to any information you have on how MS08-068 will effect squirtle.
HDM's explanation of MS08-068: MS08-068 and Metasploit
Squirtle is actually a rather timely tool. It was also primarily designed to be used against other servers, which MS08-067 does nothing to protect.
On a related note, I saw this uploaded to milw0rm today and visited the creator's website. CG and Kurt, have either of you played with this yet?
SmbRelay3 - SMB / HTTP to SMB replay attacks
* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.
* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.
* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.
* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.
* SMTP to SMB: Negotiate authentication with an email SMTP client SMB computer and relay credentials.
* Psexec Module: If you already know username and password you can get a shell to the remote computer. This psexec like tool works under win32 and linux as do not use Microsoft API.
* Fake interface: Under linux, a new port 445 binding is done under a different ip address. All packets sent to that interface will be replayed to the previously authenticated system.
"...which MS08-067 does nothing to protect".
Make that MS08-068, my bad.
Thanks Natron! I hadn't checked the metasploit blog yet. I'll make a new post with the info.
I hadn't seen the other SMBRelay yet either but it looks interesting. As HD said, NTLM attacks are quite fun. :)
Post a Comment