SMBv3 Vulnerability (CVE-2020-0796)

Yesterday Microsoft and Talos “accidentally” revealed CVE-2020-0796. It appeared and then disappeared, but remnants of the posts were left behind. Microsoft has published an advisory, and it appears the vulnerability is in SMBv3 compression.

Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

Fortinet Post: https://fortiguard.com/encyclopedia/ips/48773

Users are advised to disable SMBv3 and to block ports 137, 139 and 445 inbound and outbound on the firewall. Also, make sure you’re logging and monitoring!

Search for the possibly vulnerable servers using the script here:

This will be one to keep an eye on, as everyone believes it to be a “wormable” vulnerability, and it is already picking up names like “EternalBlue-er”, “CoronaBlue”, “SMBGhost” and “EternalDarkness”.

I will post more information as it becomes available.

Responder -> MultiRelay -> Mimikatz -> Crackmapexec -> Windows PWNage

For this post, we’re going to do a scenario-based usage of the following tools: responder, MultiRelay.py, mimikatz, and crackmapexec.

This post was inspired by “Skip Cracking Responder Hashes and Replay Them” by Dank Panda (Richard De La Cruz of Tevora).

The Scenario:

We are on the internal network of a Windows domain.
Users are local administrators on their workstations.
Domain administrators have separate admin accounts from their normal accounts, but log in with their domain administrator account on the same workstation.
We have already scanned the network with Nmap and have found the live hosts.
SMB signing is disabled on workstations.
WDigest is on.
LLMNR is enabled.

The Environment:

OS: Windows Server 2008
IP: 10.0.2.15
Services: Active Directory Domain Services, DNS
Logged On Users: kcharles (domain administrator)

OS: Windows 7
IP: 10.0.2.4
Services: Local workstation
Logged On Users: sleaf (domain user/local administrator), sleafadmin (domain administrator)

OS: Windows 7
IP: 10.0.2.5
Services: Local Workstation
Logged On users: jegghead (domain user/local administrator)

OS: Kali Linux
IP: 10.0.2.6
Services: This is our attack machine.
Logged On Users: me 😉

Setting up our attack machine:

Do the usual (e.g. apt-get update && apt-get upgrade)
Install crackmapexec: apt-get install crackmapexec

Let’s do this!

First, let’s set up responder. We’ll have to edit the responder settings to turn off the HTTP and SMB servers. In Kali Linux the config file is /usr/share/responder/Responder.conf.

We can go ahead and turn responder on. We’ll be using the flags: -I and -rv.

You can see which interface you’re using with ifconfig:

Alright, now let’s start up responder.

responder -I eth0 -rv

If we want to check for machines on the subnet with SMB signing not enabled, we can use RunFinger.py, which is part of the responder toolset. On Kali Linux, you can find it at:

/usr/share/responder/tools/RunFinger.py

And all you’d do is:

python RunFinger.py -i 10.0.2.0/24

Now, let’s set up MultiRelay.py. This is a tool in the responder toolset. You can find it in Kali Linux at:

/usr/share/responder/tools/MultiRelay.py

We’ll start MultiRelay by pointing it at a target (-t) and using all users (-u ALL).

python MultiRelay.py -t 10.0.2.4 -u ALL

Remember that sleaf and sleafadmin are logged into this Windows 7 machine.

Now, anyone who has used Responder knows that it can take a bit to get any good traffic. We’d be waiting for someone to try to access something we can poison, so for the purpose of this demo, we’re going to have jegghead navigate to a share that doesn’t exist.

You’ll see that responder picks up on this LLMNR and poisons the request.

Now, we’ll see in our MultiRelay.py output that we’ve successfully poisoned the LLMNR request and relayed jegghead’s NTLM authentication to 10.0.2.4, where she has local administrator rights. We now have LocalSystem privileges on 10.0.2.4.

From here, we can run the commands built into this Responder interactive shell. For this demo, we are going to run Mimikatz.

We can do this within the shell by doing: mimi sekurlsa::logonpasswords

Here we get sleaf’s password:

And because sleaf used their admin account on the same machine, we get sleafadmin:

Woot woot. Now, we have the credentials of a domain administrator!

So, now we’ve used responder, multirelay, and mimikatz.

So why don’t we just use these credentials to remote desktop? We could, if RDP is available. We can do many things: PowerShell sessions, wmic, and more. For now, though, we’ll use crackmapexec, since it runs in memory and uses features that aren’t often audited or monitored.

This next tool is called crackmapexec. It has many uses, but we’ll focus on a few.

Let’s spray our credentials to find who’s logged in where.

We can do this by pointing crackmapexec at the subnet and passing the creds:

crackmapexec 10.0.2.0/24 -u 'sleafadmin' -p 'P@ssw0rd' --lusers

This is definitely useful if we know that the user we have compromised has local administrator on all local workstations. Let’s say sleaf was an admin who didn’t log in with her admin account on her local workstation. We could use jegghead’s account to spray around the subnet looking for an admin who did.

We could also spray mimikatz trying to get credentials. To show that all you need is local administrator on the machines, we’ll use jegghead’s account. The machines that show “(Pwn3d!)” next to them mean that she’s local administrator on that machine.

crackmapexec 10.0.2.0/24 -u 'jegghead' -p '1upGirl!' -M mimikatz

You’re seeing “Waiting on x host(s)” because the network is slow, but you’ll see that jegghead was local administrator on the workstations but not on the server.

Now, let’s look at some of the other features.

With the -x switch, we can run commands directly on the machine we target. We’ll be targeting the server (10.0.2.15) and running a command that pings us (10.0.2.6). I’ll have Wireshark up to show the ICMP packets coming back to our attack machine.

crackmapexec 10.0.2.15 -u 'sleafadmin' -p 'P@ssw0rd' -x 'ping 10.0.2.6'

And here’s the wireshark capture:

So, there we are. A few examples of the usage of crackmapexec.

So in this demo, we’ve used responder, runfinger, multirelay, mimikatz, and crackmapexec.

Why Things Work

Remember our scenario.

Let’s go over some definitions and some quick additional information.

LLMNR (Link-Local Multicast Name Resolution) – This is a protocol based on DNS. When trying to find a host, a Windows machine will check its hosts file, then DNS, and then LLMNR. LLMNR is limited in that it is not routable, so only machines on the same subnet can use it. Responder essentially waits for a Windows machine to ask “Who’s X?” and answers “Oh, I’m X.” If successful, the victim will send its NTLM/NTLMv2 hashed credentials to the attacker.
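Because LLMNR has no authentication, the simplest way for a defender to spot a poisoner on a subnet is to ask for a name that cannot exist and see whether anyone claims it. The following is an added example written for this explanation, not code from Responder or from the original post: it builds an LLMNR query in the DNS-like wire format RFC 4795 describes, parses the reply, and treats any answer for a random canary name as evidence of poisoning. The canary name, the transaction id and the constructed rogue reply pointing at the attack machine (10.0.2.6 from the lab above) are made up for the demo; only probe_for_poisoner() sends a real multicast query and needs a network.

```python
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group for LLMNR (RFC 4795)
LLMNR_PORT = 5355

def encode_name(name):
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_llmnr_query(name, txid):
    """Build an A-record LLMNR query; the header layout is the same as DNS."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_llmnr(data):
    """Parse an LLMNR query or response into its id, questions and A answers."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
        questions.append(name.lower())
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name.lower(), socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def is_poisoned_reply(canary, txid, packet):
    """True if `packet` answers our canary query: no legitimate host owns that name."""
    msg = parse_llmnr(packet)
    return (msg["is_response"] and msg["id"] == txid
            and canary.lower() in msg["questions"] and len(msg["answers"]) > 0)

def probe_for_poisoner(timeout=2.0):
    """Send a canary query to the LLMNR group and return the IPs that answered it."""
    canary = "canary-" + os.urandom(4).hex()  # random, so nobody can legitimately own it
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    responders = []
    try:
        sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (addr, _port) = sock.recvfrom(4096)
            if is_poisoned_reply(canary, txid, data):
                responders.append(addr)
    except socket.timeout:
        pass  # quiet subnet: nobody claimed the canary
    finally:
        sock.close()
    return responders

def constructed_rogue_reply(canary, txid, responder_ip):
    """A made-up reply of the kind a poisoner sends (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = encode_name(canary) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(responder_ip)
    return header + question + answer
```

Run probe_for_poisoner() from a machine on the workstation subnet every few minutes and alert on a non-empty result; a legitimate network never answers a name that was generated a second ago.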

SMB (Server Message Block) – This is an application-layer network protocol, mostly used for accessing shares and printers. It can run over TCP on port 445 or over NetBIOS on UDP ports 137 and 138 and TCP ports 137 and 139. It can also run over legacy protocols, but we won’t cover that.
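The whole relay in this post depends on the workstations merely enabling SMB signing rather than requiring it (mitigation 1 below). A defender can verify that setting from the server’s own SMB2 NEGOTIATE response, which is what RunFinger.py reads. The following is an added example, not code from the post or from the Responder project: it parses the SecurityMode field of the response as laid out in MS-SMB2 and lists hosts that do not require signing. The responses are constructed in the block rather than captured; the host IPs are the lab addresses above, the dialects (2.1 for the Windows 7 workstations, 2.0.2 for the 2008 server) are assumptions.

```python
import struct

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag set on every server response
SIGNING_ENABLED = 0x0001                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002                # SMB2_NEGOTIATE_SIGNING_REQUIRED

def parse_smb2_negotiate_response(data):
    """Return dialect and signing flags from an SMB2 NEGOTIATE response."""
    if data[:1] == b"\x00" and data[4:8] == b"\xfeSMB":
        data = data[4:]  # strip the 4-byte NetBIOS session header
    if data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", data, 12)[0]
    flags = struct.unpack_from("<I", data, 16)[0]
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {"dialect": dialect,
            "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def hosts_not_requiring_signing(responses):
    """Audit helper: hosts (from a {host: raw_response} map) that can be relayed to."""
    return sorted(host for host, raw in responses.items()
                  if not parse_smb2_negotiate_response(raw)["signing_required"])

def constructed_negotiate_response(security_mode, dialect):
    """Build a minimal, made-up NEGOTIATE response with the given SecurityMode."""
    header = (b"\xfeSMB"
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1,
                            SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0)
              + b"\x00" * 16)  # Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)  # size, mode, dialect, ctx count
            + b"\x00" * 16                                        # ServerGuid
            + struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)
            + struct.pack("<QQ", 0, 0)                            # SystemTime, ServerStartTime
            + struct.pack("<HHI", 128, 0, 0))                     # security buffer, ctx offset
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS session header

# Constructed sample: workstations with default settings, DC requiring signing.
SAMPLE_RESPONSES = {
    "10.0.2.4": constructed_negotiate_response(SIGNING_ENABLED, 0x0210),
    "10.0.2.5": constructed_negotiate_response(SIGNING_ENABLED, 0x0210),
    "10.0.2.15": constructed_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED, 0x0202),
}
```

Feed the parser real responses from a capture or from your own negotiate probe and compare the result with the RequireSecuritySignature policy you think you pushed; a host that reports signing_enabled without signing_required is still a relay target.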

NetBIOS – This allows apps and computers on a LAN to communicate with network hardware and send data across the network.

NTLM – NT LAN Manager v2 – This is a challenge-response authentication protocol.

WDigest – This is a protocol for sending cleartext credentials to HTTP and Simple Authentication and Security Layer (SASL) applications.

Crackmapexec – This is a post-exploitation tool that allows for connecting and authenticating to multiple hosts at the same time. Everything either runs in memory, uses WinAPI calls, or uses built-in Windows features.

Mimikatz – This is a post-exploitation tool that’s known for extracting plaintext passwords, hashes, and kerberos tickets from memory. “Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets”

Responder – “A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.”

Mitigations

Now, let’s talk about how to protect your organization!

  1. Make SMB signing mandatory. Tools like crackmapexec may be able to turn this off, but you can set up auditing of the registry key so at least you have that measure. Keep in mind that some printers do not support SMB signing and that it might add some network overhead.
  2. Disable WDigest on older machines. Newer machines (Win8/Win10/Server2k12/Server2k16) should not be vulnerable by default. Enable auditing of the registry key.
  3. Limit who has local administrator on their machines.
  4. Limit where domain administrators can login.

Thanks. If you have any questions, use my contact form or the comments section. Let me know if you liked this post.