SMB Relay and Network Scanner Attacks

Alexander Polyakov


SMBRelay With No Action and Attacking Network Scanners (Kaspersky AV 0-day)

When we talk about SMB Relay attacks, we mean that an attacker does something that makes server "A" start an NTLM authentication to the attacker's host, and the attacker then relays that authentication to server "B".

The attacker ends up authenticated on server "B" with the account that server "A" used, without ever learning its password.

We have already described actions that trigger the authentication from server "A", for example ERP functions or RDBMS stored procedures. There are many ways to make server "A" open an SMB connection to the attacker.
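The three-message exchange described above, as an added example that is not part of the original post. It models the NTLM challenge/response with HMAC-SHA256 in place of the real MD4/HMAC-MD5 construction, and the host names and the account "CORP\svc_scan" are made up. What it shows is the property the attack depends on: the relay hands server B's challenge to server A and server A's answer back to server B, and never holds the password.

```python
"""Model of an NTLM-style challenge/response relay (added example).

Real NTLM uses MD4 for the NT hash and HMAC-MD5 for the NTLMv2 response;
this model swaps in SHA-256 so it runs on any Python, but keeps the
message flow: NEGOTIATE -> CHALLENGE -> AUTHENTICATE.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLMv2 response (real NTLM: HMAC-MD5 keyed with the
    NTLMv2 hash over the server challenge and a client blob)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """Server B: can verify the account, as an SMB server backed by a DC can."""

    def __init__(self, name: str, accounts: dict):
        self.name = name
        self.accounts = accounts   # user -> password hash
        self.pending = {}          # session id -> outstanding challenge

    def negotiate(self):
        """NEGOTIATE -> CHALLENGE: hand out a fresh 8-byte server challenge."""
        session = os.urandom(4).hex()
        self.pending[session] = os.urandom(8)
        return session, self.pending[session]

    def authenticate(self, session: str, user: str, response: bytes) -> bool:
        """AUTHENTICATE: recompute the expected response and compare.
        The challenge is single-use, so a captured response cannot be replayed
        later; it has to be relayed while the session is open."""
        challenge = self.pending.pop(session, None)
        if challenge is None or user not in self.accounts:
            return False
        expected = compute_response(self.accounts[user], challenge)
        return hmac.compare_digest(expected, response)


class Client:
    """Server A (the scanner): holds the scan account's credentials and
    answers any challenge presented by whatever host it connects to."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = password_hash(password)

    def answer(self, challenge: bytes):
        return self.user, compute_response(self.pw_hash, challenge)


class Relay:
    """Attacker host: accepts A's SMB connection and forwards the NTLM
    messages to B. It never needs the password or the hash."""

    def __init__(self, target: Server):
        self.target = target

    def handle_incoming(self, client: Client) -> bool:
        # 1. A connects to us; we open our own connection to B.
        session, challenge = self.target.negotiate()
        # 2. B's CHALLENGE is passed to A as if it were ours.
        user, response = client.answer(challenge)
        # 3. A's AUTHENTICATE is forwarded to B unchanged.
        return self.target.authenticate(session, user, response)


def run_relay(account_password: str = "Scann3r!", scanner_password: str = "") -> bool:
    """Return True if the relay gets the attacker a session on server B.
    Hypothetical account and host names; scanner_password defaults to the
    real one, pass a different value to see the relay fail."""
    if not scanner_password:
        scanner_password = account_password
    user = "CORP\\svc_scan"
    server_b = Server("FS01", {user: password_hash(account_password)})
    scanner = Client(user, scanner_password)
    return Relay(server_b).handle_incoming(scanner)


if __name__ == "__main__":
    print("relay succeeded:", run_relay())
```

The relay only works while server B's session is open, and only against a target that does not require SMB signing: with signing required, every packet after authentication must be signed with a session key derived from the credentials, which the relay does not have.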

SMBRelay with No Action

In this post I will talk about situations where the attacker does not need to do anything at all: server "A" makes the SMB connection by itself, without any manipulation. How can that be? Very simply.

In big corporate networks there are often servers running software that automatically scans the subnet for some purpose. The scan uses the SMB protocol and, of course, NTLM authentication. If the attacker's host is in the scanned subnet, the scanner will eventually connect to it, and the attacker can complete the relay. The attacker just needs to be patient.

Attack!!!

Which systems are affected? Any client-server system can be. It can be a DLP server that talks to its agents on workstations via SMB, or an antivirus server that tries to deploy a remote agent and do other things. Here are some real examples that support this theory:

1. GFI LanGuard

It is a very useful tool for security administrators. It has a function that grabs all the information from a target by using a domain account, and it also has a scheduler.

If an administrator installs it on server "A" and configures it to scan a subnet on a schedule (say, once a week) with an account that has local or (worse) domain admin rights, there is a hole.

A malicious user can run a fake SMB server on his PC, wait for the scheduled scan to connect to it, and relay the credentials to gain full access to the network.
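A detection a defender can run against this scenario, added here as an example that is not from the original post: the scan account should only ever produce NTLM network logons from the scanner host, so a 4624 network logon for that account from any other source address is a relay candidate. The account name "CORP\svc_languard", the scanner address 10.0.1.5, the log lines and their field layout are constructed for the example.

```python
"""Flag scan-account network logons that did not come from the scanner host
(added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List

# Assumed inventory: which scan account runs on which scanner host.
SCAN_ACCOUNTS = {"CORP\\svc_languard": "10.0.1.5"}

# Constructed sample, loosely shaped like the fields of Windows Security
# event 4624 (LogonType 3 = network logon). Not real log data.
SAMPLE_LOG = """\
4624 TargetHost=FS01 Account=CORP\\svc_languard LogonType=3 AuthPkg=NTLM SourceIp=10.0.1.5
4624 TargetHost=WS12 Account=CORP\\jsmith LogonType=3 AuthPkg=Kerberos SourceIp=10.0.1.50
4624 TargetHost=FS01 Account=CORP\\svc_languard LogonType=3 AuthPkg=NTLM SourceIp=10.0.1.77
4624 TargetHost=SCAN01 Account=CORP\\svc_languard LogonType=2 AuthPkg=Negotiate SourceIp=-
4624 TargetHost=DC01 Account=CORP\\svc_languard LogonType=3 AuthPkg=NTLM SourceIp=10.0.1.5
"""

FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass
class Logon:
    target_host: str
    account: str
    logon_type: int
    auth_pkg: str
    source_ip: str


def parse_events(text: str) -> List[Logon]:
    """Parse the constructed key=value records into Logon objects."""
    events = []
    for line in text.splitlines():
        if not line.startswith("4624 "):
            continue
        f = dict(FIELD.findall(line))
        events.append(Logon(f["TargetHost"], f["Account"], int(f["LogonType"]),
                            f["AuthPkg"], f["SourceIp"]))
    return events


def find_relayed_logons(events: List[Logon]) -> List[Logon]:
    """A relayed SMB scan shows up on the target as an NTLM network logon
    (type 3) for the scan account, sourced from the attacker's address
    rather than the scanner. Interactive logons on the scanner itself and
    Kerberos logons are not relay candidates and are skipped."""
    hits = []
    for e in events:
        home = SCAN_ACCOUNTS.get(e.account)
        if home is None:
            continue
        if e.logon_type != 3 or e.auth_pkg != "NTLM":
            continue
        if e.source_ip != home:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_relayed_logons(parse_events(SAMPLE_LOG)):
        print(f"possible relay: {hit.account} logged on to {hit.target_host} "
              f"from {hit.source_ip}, expected {SCAN_ACCOUNTS[hit.account]}")
```

On real systems the same fields live in the 4624 event as IpAddress, LogonType and AuthenticationPackageName; the rule is the same. The two controls that remove the hole rather than just detect it are requiring SMB signing on the scanned hosts, which breaks the relayed session, and giving the scan account only the rights the scan needs instead of local or domain admin.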

2. Kaspersky AV

Continue to read on InfoSecIsland

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"