CVE-2019-1019: Bypass SMB singing for unpatched machines #635
Conversation
|
Hey @msimakov Thanks for the PR.. Was very much looking forward for you to add your discoveries ;). Clever addition to the previous one (CVE-2015-0005), congrats. I'll be testing it today. Windows SMB Clients still not working? (throwing INVALID_PARAMETER on your side?) |
|
Hi @asolino Thanks, glad to contribute ;) Let me know if you run into any issues. |
|
Having some problems making it work @msimakov I'm adding some comments in your code |
| res = NTLMAuthChallengeResponse() | ||
| res.fromString(authenticateMessageBlob) | ||
|
|
||
| new_auth_blob = hexlify(authenticateMessageBlob)[0:144] + b'00000000000000000000000000000000' + hexlify(authenticateMessageBlob)[176:] |
There was a problem hiding this comment.
This just doesn't sound right. Are you trying to clear the previous MIC in order to calculate the HMAC_MD5 or something else?
There was a problem hiding this comment.
I'm clearing the previous MIC in order to calculate the new one (take a look at the next line - the relay_MIC)
There was a problem hiding this comment.
hi @msimakov , i am trying to use the script by myself and i am getting some errors. Basically i can see that i am able to retrieve the session key, but for some reason i cannot connect, i am using the following command just like @asolino said to use it in order to perform some tests.
by looking at wireshark on the relay endpoint i can see that, everything goes just like the article you published, but at the last message ( the one wit the new mic) i am getting Error:STATUS_INVALID_PARAMETER and the final login is failing.
Any ideas?
There was a problem hiding this comment.
Hi @zur250. Make sure to run the updated version, the file has been updated after this commit
There was a problem hiding this comment.
Thanks @msimakov for the quick answer. i am runnig Impacket v0.9.21-dev, is it the version you are talking about?
There was a problem hiding this comment.
Hey @zur250. I think you have a mix of impacket versions installed. What is the banner you get when you run ntlmrelayx.py? (at the very beginning of its execution)
There was a problem hiding this comment.
@asolino hi, the banner is the following :
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
There was a problem hiding this comment.
Ok.. so it has nothing to do with this commit commit we're writing in. It has to be a separate issue.
|
Merged! Thanks a lot @msimakov ! For those testing this, it can be run this way: Don't forget it will work only for victims connecting thru HTTP (SMB to SMB not yet supported) |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1019
Bypassing SMB singing by removing the target in NTLMSSP_CHALLENGE messages