SlideShare a Scribd company logo

Hot potato Privilege Escalation

Sunny Neo
Sunny Neo

Hot Potato is a tool that combines three vulnerabilities - NetBIOS Name Service spoofing, Web Proxy Auto-Discovery Protocol man-in-the-middle attacks, and HTTP to SMB relaying - to perform privilege escalation on Windows systems. It takes advantage of legacy Windows protocols like NetBIOS and WPAD to trick applications into sending NTLM authentication credentials over HTTP, which are then relayed back over SMB to authenticate at a higher privilege level. Microsoft released patches in 2016 to address issues like local HTTP to SMB relaying and secure WPAD resolution. Disabling vulnerable legacy protocols, requiring SMB signing, and using more secure authentication methods like NTLMv2 or Kerberos can help prevent such privilege escalation attacks.

Technology
1 of 15
Hot Potato Privilege Escalation Sunny Neo
Hot Potato • Tool released by Stephen Breen @ FoxGlove Security • Combined 3 vulnerabilities to perform Privilege Escalation • NetBIOS Name Service (NBNS) Spoofing • Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle Attack • HTTP-> SMB Relay 2
NetBIOS over TCP/IP • Enabled by Default for Windows • Legacy API that provides services pertaining to Layer 5 (session) of OSI • Enables applications on different machines within local network to communicate • Provides 3 Types of Services • Name Service (UDP: 137) • Datagram Service (UDP: 138) • Session Service (TCP: 139) Source: https://pentestlab.wordpress.com/tag/nbtscan/
NetBIOS Name Service Spoofing • Windows resolves domain name by the order • Local Host File @ C:WindowsSystem32driversetchosts • DNS Cache • DNS Server • Local LMHOST File @ C:WindowsSystem32driversetclmhosts.sam • Link-Local Multicast Name Resolution (LLMNR) • NetBIOS broadcast • Anyone can respond to the NetBIOS Broadcast  4
Web Proxy Auto-Discovery Protocol (WPAD) • Enables Browser to automatically configure Proxy Settings • IE will automatically look up http://WPAD/wpad.dat for proxy settings
WPAD Man in the Middle 6 Source: https://github.com/breenmachine/Potato
NTLM Authentication • Challenge – Response • 3 Types of Messages • Negotiation • Challenge • Response 7 Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx
SMB -> SMB Relay • 15 years old SMB Relay/Reflection Attack Attacker MITMed the connection to legitimate SMB Server Legitimate Client (3) Client sends the Attacker the NTLM Challenge (2) Attacker connects to Client SMB service and asks for a NTLM Challenge (1) Client connects to SMB Server and asks for a NTLM Challenge (4) Attacker modifies Client’s Challenge and sends it back to Client as his own for (1) (5) Client receives (1) Challenge, encrypts it using his credential (hash) and sends it back to Attacker (6) Attacker sends back the response he receives and successfully authenticate for (2) 8
SMB -> SMB Relay • MS08-068 stops this by preventing relaying back the Challenges Keys from where they were issued – SMB to SMB Relay • Doesn’t stop cross protocol attack HTTP -> SMB Relay (Before 14 June 2016) 9
HTTP-> SMB Relay • IE supports Integrated Windows Authentication (NTLM Authentication) • Automatic Logon is enabled by default for Intranet Zone • Localhost is part of Intranet Zone 10
Hot Potato (Windows 7) Steps 1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80 2. Start Windows Defender Update (NT Authority/System) 3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES 4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB to obtain Challenge then forward it to Windows Defender Update 5. Windows Defender Update sends NTLM Response 6. Hot Potato resumes the SMB Authentication with the NTLM Response  11
Patches (MS16-075 & MS16-077) • MS16-075 • Fix local HTTP->SMB Relay • MS16-077 (BadTunnel) • WPAD resolution for auto proxy detection will not use NETBIOS • The default behavior of PAC file download is changed so that the client's domain credentials are not automatically sent in response to an NTLM or Negotiate Authentication challenge when WinHTTP requests the PAC file 12
What about LLMNR? 13
Prevention & Mitigation 1. Disable legacy protocols and broadcast protocols and WPAD 2. Require SMB Signing 3. Extended Protection For Authentication 4. NTLMv2 Hash only or Kerberos 5. Network Segmentation 14
Reference • https://foxglovesecurity.com/2016/01/16/hot-potato/ • https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning • https://technet.microsoft.com/en-us/library/cc940063.aspx • https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/ • http://findproxyforurl.com/wpad-introduction/ • https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/ • http://blog.kleissner.org/?p=842 • https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx • https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/ • https://www.rapid7.com/db/modules/auxiliary/server/capture/smb • http://mccltd.net/blog/?p=1252 • https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf • http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle • http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/ • https://www.ptsecurity.com/download/wpad_weakness_en.pdf • http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism • https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf

Recommended

Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
NTLM
NTLMNTLM
NTLMGuang Ying Yuan
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 

Recommended

Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
NTLM
NTLMNTLM
NTLMGuang Ying Yuan
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Rightenigma0x3
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
DOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriDOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriBGA Cyber Security
 
PostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized WorldPostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized WorldJignesh Shah
 
Daos
DaosDaos
DaosUlrich Krause
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - IntroductionStephane Manciot
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army ToolChandrapal Badshah
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerAjit Dadresa
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016Dave Stokes
 
DDoS Engelleme Ürünleri
DDoS Engelleme ÜrünleriDDoS Engelleme Ürünleri
DDoS Engelleme ÜrünleriBGA Cyber Security
 
Attack on Sony
Attack on SonyAttack on Sony
Attack on SonyNick Bilogorskiy
 
Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege ElevationMichael Shalyt
 

More Related Content

What's hot

DOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriDOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriBGA Cyber Security
 
PostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized WorldPostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized WorldJignesh Shah
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerAjit Dadresa
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016Dave Stokes
 

What's hot (20)

DOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriDOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma Yöntemleri
 
PostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized WorldPostgreSQL High Availability in a Containerized World
PostgreSQL High Availability in a Containerized World
 
Daos
DaosDaos
Daos
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Ansible - Introduction
Ansible - IntroductionAnsible - Introduction
Ansible - Introduction
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016MySQL Replication Overview -- PHPTek 2016
MySQL Replication Overview -- PHPTek 2016
 
DDoS Engelleme Ürünleri
DDoS Engelleme ÜrünleriDDoS Engelleme Ürünleri
DDoS Engelleme Ürünleri
 

Viewers also liked

Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege ElevationMichael Shalyt
 
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Дмитрий Бумов
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Cyphort
 
Safer IoT using functional language
Safer IoT using functional languageSafer IoT using functional language
Safer IoT using functional languageKiwamu Okabe
 
How to own the world, one desktop at a time
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a timeSaumil Shah
 
SecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドSecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドAsterisk Research, Inc.
 
SecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドSecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドAsterisk Research, Inc.
 
SecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドSecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドAsterisk Research, Inc.
 
SecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドSecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドAsterisk Research, Inc.
 
SecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドSecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドAsterisk Research, Inc.
 
The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)danwrong
 
Hands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerHands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerKiwamu Okabe
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic LinkingWang Hsiangkai
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 

Viewers also liked (20)

Attack on Sony
Attack on SonyAttack on Sony
Attack on Sony
 
Intro To Privilege Elevation
Intro To Privilege ElevationIntro To Privilege Elevation
Intro To Privilege Elevation
 
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)
 
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
Sony Attack by Destover Malware. Part of Cyphort Malware Most Wanted Series.
 
Safer IoT using functional language
Safer IoT using functional languageSafer IoT using functional language
Safer IoT using functional language
 
GCC GENERIC
GCC GENERICGCC GENERIC
GCC GENERIC
 
How to own the world, one desktop at a time
How to own the world, one desktop at a timeHow to own the world, one desktop at a time
How to own the world, one desktop at a time
 
SecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイドSecureAssist Eclipse Plug-in 導入ガイド
SecureAssist Eclipse Plug-in 導入ガイド
 
SecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイドSecureAssist Visual Studio Package 導入ガイド
SecureAssist Visual Studio Package 導入ガイド
 
SecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイドSecureAssist Enterprise Portal 導入ガイド
SecureAssist Enterprise Portal 導入ガイド
 
SecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイドSecureAssist Enterprise Portal APIガイド
SecureAssist Enterprise Portal APIガイド
 
SecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイドSecureAssist IntelliJ Plug-in 導入ガイド
SecureAssist IntelliJ Plug-in 導入ガイド
 
The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)The Mysteries Of JavaScript-Fu (@media Europe Edition)
The Mysteries Of JavaScript-Fu (@media Europe Edition)
 
Raspberry pi
Raspberry piRaspberry pi
Raspberry pi
 
Hands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontrollerHands-on VeriFast with STM32 microcontroller
Hands-on VeriFast with STM32 microcontroller
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Something About Dynamic Linking
Something About Dynamic LinkingSomething About Dynamic Linking
Something About Dynamic Linking
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
 

Similar to Hot potato Privilege Escalation

Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPWalid Umar
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksKhajornchol Puwarang
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Agnieszka Kuba
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Renaun Erickson
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networksUC San Diego
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)Ericom Software
 
Sharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxSharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxjasembo
 
Networking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimNetworking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimRoy Kim
 
DNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerDNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerShovonKumar1
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPagesCsaba Kiss
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonusmscug
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusAdam Hand
 
Intrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanIntrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanchinitooo
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2Vincent Mercier
 
Dns server converted
Dns server convertedDns server converted
Dns server convertedmariymmithila
 

Similar to Hot potato Privilege Escalation (20)

Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPKonfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCP
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe
 
Setting ubuntu server sebagai pc router
Setting ubuntu server sebagai pc routerSetting ubuntu server sebagai pc router
Setting ubuntu server sebagai pc router
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Rhel4
Rhel4Rhel4
Rhel4
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 
Sharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linuxSharing your-internet-connection-on-linux
Sharing your-internet-connection-on-linux
 
Networking For Application Developers by Roy Kim
Networking For Application Developers by Roy KimNetworking For Application Developers by Roy Kim
Networking For Application Developers by Roy Kim
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
DNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracerDNS Server configuration in cisco packet tracer
DNS Server configuration in cisco packet tracer
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
 
Tcpip Intro
Tcpip IntroTcpip Intro
Tcpip Intro
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonus
 
Simple hybrid voice deployments with Sonus
Simple hybrid voice deployments with SonusSimple hybrid voice deployments with Sonus
Simple hybrid voice deployments with Sonus
 
Intrack14dec tips tricks_clean
Intrack14dec tips tricks_cleanIntrack14dec tips tricks_clean
Intrack14dec tips tricks_clean
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2
 
Dns server converted
Dns server convertedDns server converted
Dns server converted
 

Recently uploaded

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Recently uploaded (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Hot potato Privilege Escalation

  • 2. Hot Potato • Tool released by Stephen Breen @ FoxGlove Security • Combined 3 vulnerabilities to perform Privilege Escalation • NetBIOS Name Service (NBNS) Spoofing • Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle Attack • HTTP-> SMB Relay 2
  • 3. NetBIOS over TCP/IP • Enabled by Default for Windows • Legacy API that provides services pertaining to Layer 5 (session) of OSI • Enables applications on different machines within local network to communicate • Provides 3 Types of Services • Name Service (UDP: 137) • Datagram Service (UDP: 138) • Session Service (TCP: 139) Source: https://pentestlab.wordpress.com/tag/nbtscan/
  • 4. NetBIOS Name Service Spoofing • Windows resolves domain name by the order • Local Host File @ C:WindowsSystem32driversetchosts • DNS Cache • DNS Server • Local LMHOST File @ C:WindowsSystem32driversetclmhosts.sam • Link-Local Multicast Name Resolution (LLMNR) • NetBIOS broadcast • Anyone can respond to the NetBIOS Broadcast  4
  • 5. Web Proxy Auto-Discovery Protocol (WPAD) • Enables Browser to automatically configure Proxy Settings • IE will automatically look up http://WPAD/wpad.dat for proxy settings
  • 6. WPAD Man in the Middle 6 Source: https://github.com/breenmachine/Potato
  • 7. NTLM Authentication • Challenge – Response • 3 Types of Messages • Negotiation • Challenge • Response 7 Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx
  • 8. SMB -> SMB Relay • 15 years old SMB Relay/Reflection Attack Attacker MITMed the connection to legitimate SMB Server Legitimate Client (3) Client sends the Attacker the NTLM Challenge (2) Attacker connects to Client SMB service and asks for a NTLM Challenge (1) Client connects to SMB Server and asks for a NTLM Challenge (4) Attacker modifies Client’s Challenge and sends it back to Client as his own for (1) (5) Client receives (1) Challenge, encrypts it using his credential (hash) and sends it back to Attacker (6) Attacker sends back the response he receives and successfully authenticate for (2) 8
  • 9. SMB -> SMB Relay • MS08-068 stops this by preventing relaying back the Challenges Keys from where they were issued – SMB to SMB Relay • Doesn’t stop cross protocol attack HTTP -> SMB Relay (Before 14 June 2016) 9
  • 10. HTTP-> SMB Relay • IE supports Integrated Windows Authentication (NTLM Authentication) • Automatic Logon is enabled by default for Intranet Zone • Localhost is part of Intranet Zone 10
  • 11. Hot Potato (Windows 7) Steps 1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80 2. Start Windows Defender Update (NT Authority/System) 3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES 4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB to obtain Challenge then forward it to Windows Defender Update 5. Windows Defender Update sends NTLM Response 6. Hot Potato resumes the SMB Authentication with the NTLM Response  11
  • 12. Patches (MS16-075 & MS16-077) • MS16-075 • Fix local HTTP->SMB Relay • MS16-077 (BadTunnel) • WPAD resolution for auto proxy detection will not use NETBIOS • The default behavior of PAC file download is changed so that the client's domain credentials are not automatically sent in response to an NTLM or Negotiate Authentication challenge when WinHTTP requests the PAC file 12
  • 14. Prevention & Mitigation 1. Disable legacy protocols and broadcast protocols and WPAD 2. Require SMB Signing 3. Extended Protection For Authentication 4. NTLMv2 Hash only or Kerberos 5. Network Segmentation 14
  • 15. Reference • https://foxglovesecurity.com/2016/01/16/hot-potato/ • https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning • https://technet.microsoft.com/en-us/library/cc940063.aspx • https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/ • http://findproxyforurl.com/wpad-introduction/ • https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/ • http://blog.kleissner.org/?p=842 • https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx • https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/ • https://www.rapid7.com/db/modules/auxiliary/server/capture/smb • http://mccltd.net/blog/?p=1252 • https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf • http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle • http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/ • https://www.ptsecurity.com/download/wpad_weakness_en.pdf • http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism • https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf

Editor's Notes

  1. https://technet.microsoft.com/library/security/MS16-077 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3213 https://technet.microsoft.com/library/security/MS16-075
  2. https://pen-testing.sans.org/blog/pen-testing/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python https://blog.varonis.com/closer-look-pass-hash-part-iii-ntlm-will-get-hacked/ http://perimetergrid.com/wp/2007/11/27/smb-reflection-made-way-too-easy/
  3. https://www.blackhat.com/presentations/bh-usa-07/Moore_and_Valsmith/Presentation/bh-usa-07-moore_and_valsmith.pdf https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1
  4. https://www.blackhat.com/presentations/bh-usa-07/Moore_and_Valsmith/Presentation/bh-usa-07-moore_and_valsmith.pdf https://squirtle.googlecode.com/files/NTLM%20is%20Dead%20-%20DefCon%2016.pdf https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf https://bugs.chromium.org/p/project-zero/issues/detail?id=222&redir=1
  5. Does not require administrator privilege for localhost binding < 1024
  6. https://support.microsoft.com/en-us/kb/3165191
  7. Does not require administrator privilege for localhost binding < 1024