Exploit devastates WinNT/2K security

Microsoft networking nightmare

An application called SMBRelay, written by cDc's Sir Dystic, exploits a design flaw in the SMB (Server Message Block) protocol on Win NT/2K boxes, easily enabling an attacker to interpose himself between the client and the server.

The program gets into the server with the client's own credentials by acting as a 'man in the middle' to both. That makes it hard to defend against: a user can block TCP port 139, which carries NetBIOS sessions and so is not a practical option for a networked box, or can move the hosts to NTLMv2, which derives 128-bit session keys and does away with the weak LAN Manager (LM) response for NT clients. (NTLM, the protocol SMBRelay abuses, stands for NT LAN Manager; LM is its older and weaker sibling, and the two should not be confused.) NTLMv2 mainly makes captured responses far harder to crack; it does not by itself stop a live logon from being forwarded, which is what SMBRelay does. That is defeated by requiring SMB signing, which both NT 4.0 (from Service Pack 3) and Windows 2000 support but do not insist on unless an administrator turns it on.

However, where port 139 is reachable and the hosts have not been configured for NTLMv2 -- a situation that probably describes hundreds of thousands of boxes connected to the Net -- SMBRelay will very likely work.

In that case, "the target's client is disconnected and the attacker remains connected to the target's server as whatever user the target is logged in as, hijacking the connection," the author explains.

"SMBRelay collects the NTLM password hashes transmitted and writes them to hashes.txt in a format usable by L0phtcrack so the passwords can be cracked later."

A second version of SMBRelay, which works over any transport protocol NetBIOS is bound to rather than TCP/IP alone, is also available from the SMBRelay Web page.
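Below, as an added illustration that is not the SMBRelay code or anything from its author, is a small Python model of the hijack described above: a target server issuing a random challenge, a victim workstation answering it, and an attacker forwarding the one to the other, ending up logged on as the victim and holding a challenge/response pair for offline dictionary cracking in the manner of the hashes.txt file. The account name, password, wordlist and command are constructed sample data, and the credential arithmetic is an assumed stand-in (HMAC-MD5 keyed on an MD5 "password hash") for the real DES/MD4-based LM/NTLM computation; the relay never touches that arithmetic, which is the whole point. The server's `require_signing` switch goes beyond the article: it models requiring SMB signing, whose key both legitimate ends derive from the password hash but a relay attacker cannot, and shows why that, rather than the authentication protocol version, is what stops a forwarded logon from being used.

```python
"""
Model of an NTLM challenge/response relay against an SMB-style server.
Illustration written for this article; NOT Sir Dystic's SMBRelay.
Assumption: HMAC-MD5 keyed on an MD5 of the password stands in for the real
LM/NTLM response arithmetic (DES and MD4).  The relay never computes a
response itself, so the substitution does not change what it demonstrates.
"""
import hashlib
import hmac
import os


def pw_hash(password):
    """Stand-in for the NT hash (real one: MD4 over UTF-16LE). Assumption."""
    return hashlib.md5(password.encode("utf-16le")).digest()


def ntlm_response(pwh, challenge):
    """Stand-in for the client's response to the 8-byte server challenge."""
    return hmac.new(pwh, challenge, hashlib.md5).digest()


def session_key(pwh, resp):
    """Signing key both legitimate ends derive from the hash; a relay cannot."""
    return hmac.new(pwh, resp, hashlib.md5).digest()


class Server:
    """The target.  require_signing=True models mandatory SMB signing."""

    def __init__(self, accounts, require_signing=False):
        self.accounts = accounts          # user -> pw_hash
        self.require_signing = require_signing
        self.pending = None               # one outstanding challenge (simplified)
        self.sessions = {}

    def challenge(self):
        self.pending = os.urandom(8)      # fresh random challenge per logon
        return self.pending

    def authenticate(self, user, resp):
        pwh = self.accounts.get(user)
        if pwh is None or not hmac.compare_digest(resp, ntlm_response(pwh, self.pending)):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = (user, session_key(pwh, resp))
        return sid

    def execute(self, sid, command, mac=None):
        if sid not in self.sessions:
            raise PermissionError("no session")
        user, key = self.sessions[sid]
        if self.require_signing:
            good = hmac.new(key, command, hashlib.md5).digest()
            if mac is None or not hmac.compare_digest(mac, good):
                raise PermissionError("missing or bad SMB signature")
        return f"{user} ran {command.decode()}"


class Client:
    """The victim workstation: it answers whatever challenge it is handed."""

    def __init__(self, user, password):
        self.user, self.pwh = user, pw_hash(password)

    def answer(self, challenge):
        return self.user, ntlm_response(self.pwh, challenge)


def relay_attack(victim, target, command):
    """Attacker sits between victim and target; returns what it achieved."""
    # 1. The victim has been lured into connecting to the attacker, who poses
    #    as a server.  Instead of inventing a challenge, fetch the target's.
    chal = target.challenge()
    # 2. Forward that challenge untouched; the victim's reply is valid for it.
    user, resp = victim.answer(chal)
    captured = (user, chal.hex(), resp.hex())      # hashes.txt-style record
    # 3. Hand the reply to the target: attacker is now logged on as the victim.
    sid = target.authenticate(user, resp)
    # 4. The victim is dropped; the attacker keeps the hijacked session but
    #    has no session key, so it cannot sign the commands it sends.
    try:
        outcome = target.execute(sid, command)
    except PermissionError as e:
        outcome = f"blocked: {e}"
    return {"authenticated": sid is not None, "outcome": outcome, "captured": captured}


def crack(captured, wordlist):
    """Offline dictionary attack on a captured challenge/response pair."""
    user, chal_hex, resp_hex = captured
    chal, resp = bytes.fromhex(chal_hex), bytes.fromhex(resp_hex)
    for guess in wordlist:
        if ntlm_response(pw_hash(guess), chal) == resp:
            return guess
    return None


def demo(require_signing):
    # Constructed sample data: one victim account, one target server.
    victim = Client("alice", "Summer2001")
    target = Server({"alice": pw_hash("Summer2001")}, require_signing)
    r = relay_attack(victim, target, b"net use \\\\TARGET\\C$")
    r["cracked"] = crack(r["captured"], ["letmein", "Summer2001", "password"])
    return r


if __name__ == "__main__":
    print(demo(require_signing=False))   # hijack succeeds, password cracked
    print(demo(require_signing=True))    # logon relayed, but commands blocked
```

Note that in the signing case the attacker still gets authenticated, and still walks away with a crackable challenge/response pair; what signing denies it is the ability to do anything with the hijacked session, because every subsequent SMB must carry a MAC under a key only the real client and the server hold. That is why blocking the capture (no NetBIOS exposure, no server service on workstations) and making the capture worthless to crack (NTLMv2) are both still worth doing alongside signing.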

Backward compatibility

MS may tout itself as the world's most 'forward-looking' company and crown jewel of the New Economy, but its continuing support of a ten-year-old protocol with serious design flaws is very much about ancient history.

"The problem is that from a marketing standpoint, Microsoft wants their products to have as much backward compatibility as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation," Sir Dystic told The Register.

"These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay," he added.

It's backward compatibility that has MS in a trap now. "NTLMv2 was created to address many of these issues, and if Windows came configured to use only NTLMv2 these would not be issues, unless the user knowingly opened himself up to allow communication with older operating systems," Sir Dystic noted.

And here's an additional alarming detail: "Do not assume that because you have a firewall you are safe, because as soon as a host inside that firewall is compromised, even a UNIX or Win9x box, this method can be used to compromise any host that is within broadcast range, on the same LAN," he warns.

Home users should disable NetBIOS over TCP/IP and make sure their firewall blocks traffic to and from TCP port 139 (and, on Windows 2000, TCP port 445, which carries SMB without NetBIOS). Also, "if a box is only used as a workstation, disable the server service," Sir Dystic suggests.

However, if for some reason it's necessary for you to use the many thrilling features of Windows networking without NTLMv2, then there is absolutely nothing you can do but pray. ®