At Def Con 20, Zack Fasel gave a wow-factor presentation called Owned in 60 seconds: From network guest to Windows Domain Admin. The ZackAttack! tool code has been released on GitHub, and it brings a Firesheep-like ease to “Relaying NTLM Like Nobody’s Business.” Mischievous ones, you should like this, but system engineers and admins maybe not so much.

Finally, the ZackAttack! tool code has been released on GitHub. Wondering what it is? It’s “Relaying NTLM Like Nobody’s Business.” At Def Con 20, Zack Fasel gave a wow-factor presentation called Owned in 60 seconds: From network guest to Windows Domain Admin. It was described as:

“Their systems were fully patched, their security team watching, and the amateur pentesters just delivered their ‘compliant’ report. They thought their Windows domain was secure. They thought wrong. … In just one click of a link, one view of an email, or one wrong web request, this new toolset steals the identity of targeted users and leverages their access. Call your domain admins, hide your road warriors, and warn your internal users. Zack will change the way you think about Windows Active Directory Security and trust relationships, driving you to further harden your systems and help you sleep at night.”

There was a bit of a delay awaiting the release [PDF], so you may have been checking his site for the promised slides and code. Last week, Fasel finally released ZackAttack! in “HIGHLY ALPHA” form. He wrote that it works in proof-of-concept (PoC) mostly. “It takes a SH*T TON of work to write a custom LDAP, SMB, MS SQL, and HTTP library.” On GitHub Fasel explained, “ZackAttack! is a new Tool Set to do NTLM Authentication relaying unlike any other tool currently out there…. The goal? A Firesheep-esque tool for relaying NTLM auths.”

NTLM, if you don’t know, is short for NT LAN Manager, which is “a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users” in a Windows network.
Microsoft came out with NTLM version 2 and a security hardening guide, and then warned against using NTLM in applications altogether, since “NTLM does not support any recent cryptographic methods, such as AES or SHA-256.” However, it is still used for compatibility with older systems. So if you can’t disable or avoid NTLM, you might want to pay attention to ZackAttack!

In his talk, Fasel gave an overview of NTLM and of vulnerabilities that have been around for so long that he believes they should have been fixed by now. Inspired by the ease with which Firesheep can hijack HTTP sessions, he wanted a tool that could just as easily relay hashes and pwn an entire network. The Grand Finale of his presentation was supposed to be “Zack demonstrates the ability to *externally* gain access to a Windows domain user’s exchange account simply by sending them an email along with tips on how to prevent yourself from these attacks.” Lavamunky security pointed out that the demo didn’t go exactly as hyped, so the price of fail was tossing back some shots as “punishment.”

So how is ZackAttack! different / better? Compared to other tools…

- Supports NTLMv2 🙂
- Brings up external impact for NTLM by relaying to external Exchange Web Services servers (think mobile phone users 🙂)
- Custom Rogue HTTP and SMB Server funneling into a single pooled source; knows who the user is and keeps them authenticating without closing the socket.
- Rule-based logic to auto-perform actions upon seeing a user belonging to a group. When no rule exists, the rogue server holds on to the auth session as long as possible until a rule or API request comes in.
- Auto / guided generation of methods to get users to auto-authenticate without interaction.
- New methods for client auto-authentication, including getting FF/Chrome to auto-auth via UNC SMB shares (similar to IE).
- Relaying to LDAP (critical for relaying to Domain Controllers), Exchange Web Services, and soon MSSQL.
- SOCKS proxy to allow NTLM relay attacks with your favorite tools (proxychains, smbclient… etc).
- Focuses on not just popping the shells that traditional relays do, but leveraging dumb users as well and getting data through them.

The components include:

- The Rogue Servers – HTTP and SMB. These get the auth requests and keep recycling them.
- The Clients – These connect to target servers and request NTLM creds from the Rogue Servers.
- The Rules – Define auto actions to perform upon seeing a user.
- The Payloads – Methods to get users to auto-auth with Integrated Windows Auth, ergo not prompting the user for auth.

But “What if XYZ doesn’t work?” Fasel’s reply was, “I’m sure it doesn’t 😉 I don’t always code in Ruby, but when I do, I make sure to introduce as many bugs as possible :).”

On his list of things to do, Fasel said he intends to post the ZackAttack slides and video soon.

**Update** The video of “DEF CON 20 Hacking Conference Presentation By – Zack Fasel – Owned in 60 Seconds” is up on the Def Con site.
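The post points at Microsoft’s hardening guide and its advice to avoid NTLM as the defence when you cannot drop the protocol outright. As an added example (not code from the post or from the ZackAttack! project), the PowerShell audit below reads the local settings that decide whether a host sends or accepts NTLM and whether it insists on SMB and LDAP signing, which is what makes a relayed authentication useless to a relay; the registry paths and value meanings are assumed from Microsoft’s documented policy-to-registry mappings, and note that an NTLMv2-only setting alone does not stop relay, since the tool above relays NTLMv2 just fine.

```powershell
# Added example, not from the post or the ZackAttack! project. Run elevated on the
# host to audit. Paths and value meanings are assumed from Microsoft's documented
# Group Policy to registry mappings; the NTDS check only applies on a domain controller.
$checks = @(
    @{ Name  = 'LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM/NTLM; does NOT stop relay)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Want = 5 },
    @{ Name  = 'RestrictSendingNTLMTraffic (2 = deny outgoing NTLM)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictSendingNTLMTraffic'; Want = 2 },
    @{ Name  = 'RestrictReceivingNTLMTraffic (2 = deny incoming NTLM)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'RestrictReceivingNTLMTraffic'; Want = 2 },
    @{ Name  = 'SMB server signing required (relayed auth to this host cannot sign)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'LDAP server signing required on DCs (2 = require; blocks relay to LDAP)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Want = 2 }
)

foreach ($c in $checks) {
    # A missing value means the OS default applies, which is weaker than the
    # hardened setting for every check above, so report it for review.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'NOT SET (default applies; review)'
    } elseif ($item.($c.Value) -ge $c.Want) {
        $state = "OK ($($item.($c.Value)))"
    } else {
        $state = "WEAK ($($item.($c.Value)), want $($c.Want))"
    }
    '{0,-78} {1}' -f $c.Name, $state
}
```

Where these values are managed by Group Policy, the registry reflects the effective policy, so the same script works for spot checks across domain-joined hosts.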
Follow me on Twitter @PrivacyFanatic