Friday, November 14, 2008

Squirtle Updates: IMAP, Metasploit integration complete

I just gave a talk to everyone here at DeepSec 08. Other than the weather being a bit cold and wet, Vienna is awesome. Everyone seems happy to be at this conference and to share and network with each other. It's always fun giving the Squirtle talk to new audiences and seeing their eyes light up as they start to get why this attack matters to their environments or how they could use it on a client's penetration test.

With the conclusion of this talk I'm happy to announce that two new evil agent updates have been completed!
  • IMAP Mirroring! Download a victim's entire IMAP directory! Use social engineering, have the help desk e-mail them a new password!
  • Metasploit integration! SMB Relay an enterprise's server farm with Squirtle!
Get the latest updates from the Squirtle SVN at The MSF update is a patch against the as-of-writing-this MSF 3.2-current SVN code. If things change I'll try to keep it updated. Not sure if this is "MSF-code worthy" as it uses the JSON ruby gem vs processing the result manually. I had the library installed, didn't want to write my own parser. :P

On Nov 11th MSRC posted some information on MS08-068, implementing some changes to the NTLM protocol to neuter the SMB Relay attack and possibly (but not mentioned) Squirtle as well. I haven't had a chance to play with it yet, as I didn't want to risk spoiling the live demos so close to DeepSec. It's nearly time to spend the evening at Metalab, so more information as it develops (I promise!).
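To make concrete what a relay-neutering change to NTLM can look like, here is an added toy model (not Squirtle's, Metasploit's or Microsoft's code). It assumes the behaviour MS08-068 is known for: a host remembers the server challenges it has recently issued and, when acting as an NTLM client, refuses to answer a challenge that matches one of its own, which blocks reflecting a host's credentials back to itself. The hash and response functions are simplified stand-ins (SHA-256/HMAC rather than MD4/NTLMv2), the account directory and challenge TTL are constructed for the example, and the second scenario illustrates the point made in the comments below that relaying to a different server is not affected by a per-host check.

```python
import hashlib
import hmac
import os
import time


class ReflectionDetected(Exception):
    """Raised when a host is asked to answer a challenge it issued itself."""


def nt_hash(password: str) -> bytes:
    # Stand-in for the NT hash. Real NTLM uses MD4 over UTF-16LE, which is not
    # always available in hashlib, so SHA-256 keeps this example portable.
    return hashlib.sha256(password.encode("utf-16le")).digest()


# Constructed directory of account -> credential hash that every server in
# this toy domain can validate against (it stands in for the domain controller).
DIRECTORY = {
    "alice": nt_hash("example-password"),
}


class NtlmHost:
    """One host that acts as SMB server (issues challenges) and as SMB client
    (answers challenges). The response is a simplified HMAC, not NTLMv2."""

    CHALLENGE_TTL = 300.0  # assumed: seconds an issued challenge stays outstanding

    def __init__(self, name: str, account: str, reflection_check: bool = True):
        self.name = name
        self.account = account            # account this host authenticates as
        self.reflection_check = reflection_check
        self._issued = {}                 # challenge -> time it was handed out

    # --- server role -----------------------------------------------------
    def issue_challenge(self) -> bytes:
        """Hand out an 8-byte server challenge and remember it."""
        self._expire()
        challenge = os.urandom(8)
        self._issued[challenge] = time.monotonic()
        return challenge

    def verify(self, account: str, challenge: bytes, response: bytes) -> bool:
        """Accept a response only for a challenge we issued and have not seen used."""
        self._expire()
        if challenge not in self._issued:
            return False                  # unknown, stale or replayed challenge
        del self._issued[challenge]
        expected = hmac.new(DIRECTORY[account], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # --- client role -----------------------------------------------------
    def answer_challenge(self, challenge: bytes) -> bytes:
        """Compute a response; with the check on, refuse our own outstanding challenge."""
        self._expire()
        if self.reflection_check and challenge in self._issued:
            raise ReflectionDetected(f"{self.name} refused to answer its own challenge")
        return hmac.new(DIRECTORY[self.account], challenge, hashlib.sha256).digest()

    def _expire(self) -> None:
        cutoff = time.monotonic() - self.CHALLENGE_TTL
        for stale in [c for c, t in self._issued.items() if t < cutoff]:
            del self._issued[stale]


def reflect(victim: NtlmHost) -> bool:
    """Model of credentials being bounced back to the same host.
    Returns True if the reflected logon would have been accepted."""
    challenge = victim.issue_challenge()            # victim, as server, issues a challenge
    try:
        response = victim.answer_challenge(challenge)  # victim, as client, is fed that same challenge
    except ReflectionDetected:
        return False
    return victim.verify(victim.account, challenge, response)


def relay(victim: NtlmHost, target: NtlmHost) -> bool:
    """Model of credentials answered by one host and presented to a different server.
    The per-host challenge cache never matches here, so the check does not apply."""
    challenge = target.issue_challenge()
    try:
        response = victim.answer_challenge(challenge)
    except ReflectionDetected:
        return False
    return target.verify(victim.account, challenge, response)


if __name__ == "__main__":
    print("reflection, unpatched host:", reflect(NtlmHost("WS1", "alice", reflection_check=False)))
    print("reflection, patched host:  ", reflect(NtlmHost("WS1", "alice")))
    print("relay to another server:   ", relay(NtlmHost("WS1", "alice"), NtlmHost("SRV1", "alice")))
```

Running it shows the first scenario succeeding only on the unpatched host, while the cross-host scenario succeeds either way; that asymmetry is why a per-host reflection check is not a general defence against relay, and why server-side controls such as requiring signed SMB sessions matter separately.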

Big thanks to everyone here at DeepSec for coordinating this one-of-a-kind conference. Vienna is such a beautiful place to visit; I only wish it were earlier in the season, when it's not so cold and dreary outside. I hope to come back next year for DeepSec 09!

Also, look for my ugly mug to make an appearance on Help Net Security soon. It's a brief plea on using Squirtle and hopefully my excitement over reaching more people isn't too transparent. :)


CG said...
This comment has been removed by the author.
CG said...

Sorry, didn't read the post well enough for the first comment.

So... I'm looking forward to any information you have on how MS08-068 will affect Squirtle.

Nathan Keltner said...

HDM's explanation of MS08-068: MS08-068 and Metasploit

Squirtle is actually a rather timely tool. It was also primarily designed to be used against other servers, which MS08-067 does nothing to protect.

On a related note, I saw this uploaded to milw0rm today and visited the creator's website. CG and Kurt, have either of you played with this yet?

SmbRelay3 - SMB / HTTP to SMB replay attacks

Functions implemented:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.

* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.

* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.

* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.

* SMTP to SMB: Negotiate authentication with an email SMTP client SMB computer and relay credentials.

* Psexec Module: If you already know the username and password you can get a shell on the remote computer. This psexec-like tool works under win32 and linux as it does not use the Microsoft API.

* Fake interface: Under linux, a new port 445 binding is created on a different IP address. All packets sent to that interface will be replayed to the previously authenticated system.

Nathan Keltner said...

"...which MS08-067 does nothing to protect".

Make that MS08-068, my bad.

Kurt Grutzmacher said...

Thanks Natron! I hadn't checked the metasploit blog yet. I'll make a new post with the info.

I hadn't seen the other SMBRelay yet either but it looks interesting. As HD said, NTLM attacks are quite fun. :)