Moving Towards Normality

Actions and Attempts towards Blue Sleep


Posts tagged with "FreeBSD"

bsdAUTOPWN - Now Beastie too can sleep


Something like winAUTOPWN was written for BSD systems and was released along with winAUTOPWN 2.3 in August 2010. This was bsdAUTOPWN. Similar to winAUTOPWN, it did a portscan and fired up exploits on the open ports discovered, with the objective of gaining a shell.

bsdAUTOPWN has now been upgraded to have a multi-threaded smart portscan, which auto-decides the number of threads to be set depending upon the nature of the Target IP address (Public / Private).

bsdAUTOPWN as of now is available for:

FreeBSD x86 (Compiled on FreeBSD-9-CURRENT)
FreeBSD x64 (Compiled on FreeBSD-9-CURRENT)
DragonFly BSD x86 (Compiled on DragonFly BSD 2.2.1)


Screen-shots are given below:

Another recently released famous exploitation framework was tested against a Windows 2008 system. Sadly, it missed out the critical SMB2 Negotiate MS09-050 vulnerability exploit in its auto-exploitation module... the same one which winAUTOPWN is seen using in action below:

http://108b7325.ugalleries.net
[ Wanted to upload a webm video file but Opera blog still doesn't support it !! aargh ! ]

NOnce Upon a time


Two systems were tested against the Windows SMB NTLM Authentication weak nonce vulnerability PoC (from Advisory
OCHOA-2010-0209 written by Hernan Ochoa and Agustin Azubel). With FreeBSD as my Attacker system and Windows SP2 XP-64 as the target, I noticed that my FreeBSD box refused to collect all the nonces with superspeed and the ruby script setup_smb_weak_nonce.rb crashed very often.. sometimes after gathering as few as 2 nonces !!
WHAT N(on c/s e)nse !

But this behavior wasn't observed at all times and definitely not on all of the Target IPs.
Sometimes it just ran fine, collecting some 8000 to 8001 nonces. On contacting Hernan, he said that both Windows and FreeBSD have anti-throttling code which prevents the system from having multiple rapid connections to a particular port.

But still, the FreeBSD system refused to listen on port 445.
The SMB service was not running and the script was running as root. Multiple tests were done but still the weird BSD box refused to listen on 445.

Port 445 was then switched off on another attacker Windows box and the script was tried using ruby186-27. Though the script continued to crash, here it successfully opened 445 and was now waiting for connections.



This means there was some problem with the ruby setup on the FreeBSD system and NOT in the script.

Quickly, the already provided conn.html was used from the Victim box and pointed at the Listening IP. After collecting fullcreds.log, the question was: where was /tmp in the recent cygwin-based msf ??
Was it in cygdrive/tmp ?
Hernan suggested I change the path to C:\\fullcreds.log in msf_smb_weak_nonce.rb, but
I quickly migrated the fullcreds.log back to my FreeBSD box inside /tmp and launched the exploit,
and the Target BOX could now see owned.txt inside its WINDOWS directory !



It's not done yet !
Now the problem was that it was just a PoC. It just placed a text file into the WINDOWS folder.
Though the script reads:
fd = rclient.open("\\owned.txt", 'rwct')

and just creates a text file, one can change this part to
../../../Documents and Settings/All Users\Start Menu\Programs\Startup
or something similar and create a batch file, exe, etc. to autorun.

On contacting him, Hernan informed me that he will be releasing another modified script next week which will include a payload inclusion possibility.

Till then, one can use the below modifications to maintain access to ADMIN$

===================================
In msf_smb_weak_nonce.rb
AFTER
puts "file created"

AND Just before:
		rsock.close

Put a never-ending loop like:
	    loop {puts "ADMIN$ is open and I am into Infinite LOOP. Do what you want NOW !!"}



Also, if you are facing the problem of the script crashing while collecting nonces

Error example:

setup_smb_weak_nonce.rb:38:in `write': Broken pipe (Errno::EPIPE)
        from setup_smb_weak_nonce.rb:38:in `collectnonces'
        from setup_smb_weak_nonce.rb:304


then make the below changes in setup_smb_weak_nonce.rb.
Insert a delay like:
sleep(1)


before the line:
so = TCPSocket.open(host, port)

OR comment out the section as below:
#	if File.file?( nonces_filename ) then
#		File.delete( nonces_filename )
#	end


Now put the whole script setup_smb_weak_nonce.rb into a loop.
This will prevent overwriting of the file, but be careful to delete this file if you are trying a fresh IP, because the nonces obtained will be different.


After you reach a file size of 141 kb (for nonces.log), kill the script and make this change to
setup_smb_weak_nonce.rb:
	nonces_count = 1



Re-run the script; now it will listen for incoming connections ..
After you are done with 1000 connections, again change
setup_smb_weak_nonce.rb back to
 	nonces_count = 8000

for future targets which might provide the nonces without crashing.

===================================

Watch Beyonce bounce !
Pounce on the nonce.
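From the other side of the wire, the nonce-collection phase described above leaves a very distinctive trace: one host opening thousands of short-lived outbound connections to TCP/445 on a single peer in well under a minute. The following is an added detection example, not code from this post or from the advisory's scripts; the connection-log format and every address in it are constructed for the example.

```ruby
require 'time'

# One log line => [Time, src_ip, dst_ip, dst_port]; nil for lines that don't match.
# Constructed format: "<ISO8601 time> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = /\A(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)\z/
def parse_conn_line(line)
  m = LINE_RE.match(line.strip) or return nil
  [Time.iso8601(m[1]), m[2], m[3], m[4].to_i]
end

# Flags (src, dst) pairs with more than `threshold` connections to `port`
# inside any `window`-second span, using a sliding window over the sorted
# per-pair timestamps. Returns { [src, dst] => peak count seen in one window }.
def smb_burst_sources(lines, port: 445, window: 60, threshold: 500)
  by_pair = Hash.new { |h, k| h[k] = [] }
  lines.each do |l|
    t, src, dst, p = parse_conn_line(l)
    next unless t && p == port
    by_pair[[src, dst]] << t
  end
  hits = {}
  by_pair.each do |pair, times|
    times.sort!
    lo = 0
    times.each_with_index do |t, hi|
      lo += 1 while t - times[lo] > window   # drop entries older than the window
      n = hi - lo + 1
      hits[pair] = [hits[pair].to_i, n].max if n > threshold
    end
  end
  hits
end

# Constructed sample log: one host makes 8000 connections to a single peer's
# port 445 within about 40 s (the collection pattern), a second host makes five
# ordinary SMB connections, and a third only talks HTTP.
def constructed_log
  start = Time.iso8601("2010-09-01T10:00:00Z")
  lines = 8000.times.map { |i| "#{(start + i * 0.005).iso8601(3)} 192.0.2.10 -> 198.51.100.5:445" }
  lines += 5.times.map { |i| "#{(start + i * 10).iso8601} 192.0.2.11 -> 198.51.100.5:445" }
  lines += 3.times.map { |i| "#{(start + i).iso8601} 192.0.2.12 -> 198.51.100.6:80" }
  lines.shuffle(random: Random.new(1))
end

if __FILE__ == $0
  smb_burst_sources(constructed_log).each do |(src, dst), peak|
    puts "ALERT #{src} -> #{dst}:445 peak #{peak} connections inside 60 s"
  end
end
```

The threshold is deliberately far below the 8000 nonces the PoC needs, so the burst is flagged long before collection finishes; tune `window` and `threshold` to the normal SMB connection rate of your own hosts.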

Providing Beastie a cool UI


This is about: KDE 4.2.2 on FreeBSD 8.0 (Development CURRENT)

My Service Laptop was running XORG with Enlightenment and now it's running KDE 4.2.2 with Base Operating System FreeBSD 8.0 CURRENT (Development Release).

I can now see PKGs of KDE 4.2.2 at a few more places today, but I first noticed them at
http://ftp.riken.go.jp/pub/FreeBSD/ports/packages/x11/
and grabbed:
kdebase-4.2.2.tbz
kdebase-runtime-4.2.2.tbz
kdebase-workspace-4.2.2.tbz

Though I still face problems starting KDE, it runs smoothly when launched with safestartkde.
Proof ?



"ksnapshot" !!!!!!!!
I couldn't recollect this name, so I had to do this:



BSD RULZ !!