Foxglove Security researcher Stephen Breen has demonstrated that you don’t need to exploit a 0-day or even a recently discovered vulnerability to gain the highest level of privilege available on a Windows machine (Windows 7, 8, 10, Server 2008, Server 2012).
“This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network,” Breen explained. “Often it is the case that once an attacker is able to gain high privileged access to ANY workstation or server on a Windows network, they can use this access to gain ‘lateral movement’ and compromise other hosts on the same domain.”
He achieved it by chaining exploits for three known vulnerabilities, some of which were discovered as far back as 2000 but were never fixed because a fix would break Windows backward compatibility.
“The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years,” the researcher explains, adding that part of the attack code was “shamelessly borrowed” from a previous PoC exploit published by Google Project Zero.
The three steps of the attack are as follows:
- NBNS spoofing (NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments)
- Setting up a fake WPAD (Web Proxy Auto-Discovery Protocol) proxy server
- NTLM relay attack
The researcher admits that the exploit does not always work, and does not behave the same way on all Windows versions.
“It is also a bit flaky sometimes, due to the quirks in how Windows handles proxy settings and the WPAD file,” he noted. “Often when the exploit doesn’t work, it is required to leave it running and wait. When Windows already has a cached entry for WPAD, or is allowing direct internet access because no WPAD was found, it could take 30-60 minutes for it to refresh the WPAD file. It is necessary to leave the exploit running and try to trigger it again later, after this time has elapsed.”
Breen says that enabling “Extended Protection for Authentication” in Windows should stop NTLM relay attacks (the last stage of the attack).
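One way to look for the combination of the first two steps, assuming NBNS traffic (UDP port 137) can be captured where the spoofed answers are delivered: the Python below is an added example, not Breen's code or part of the original article. It parses NBNS payloads per RFC 1002 and flags positive responses for the name WPAD whose answer address is not on an allowlist; the function names, the `allowed_answers` parameter and the sample packets are constructed for illustration.

```python
import socket
import struct

def decode_nb_name(enc: bytes):
    """Undo RFC 1002 first-level encoding (two letters 'A'..'P' per byte)."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]  # (name, suffix byte)

def parse_positive_response(pkt: bytes):
    """Return (name, answer_ip) for a positive NBNS name query response, else None."""
    if len(pkt) < 62:                     # 12 header + 34 name + 10 RR fields + 6 RDATA
        return None
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or (flags >> 11) & 0xF or flags & 0xF or qd or an < 1:
        return None                       # not a response, not opcode 0, or error rcode
    if pkt[12] != 0x20 or pkt[45] != 0:   # name length byte and terminator (no scope ID)
        return None
    rr_type, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rr_type != 0x0020 or rdlen < 6:    # NB record: 2 flag bytes + IPv4 address
        return None
    try:
        name, _suffix = decode_nb_name(pkt[13:45])
    except ValueError:
        return None
    return name, socket.inet_ntoa(pkt[58:62])

def flag_wpad_answers(packets, allowed_answers=frozenset()):
    """packets: iterable of (source_ip, udp_payload) seen on UDP/137."""
    alerts = []
    for src, payload in packets:
        parsed = parse_positive_response(payload)
        if parsed and parsed[0].upper() == "WPAD" and parsed[1] not in allowed_answers:
            alerts.append({"source": src, "name": parsed[0], "answer": parsed[1]})
    return alerts

# Constructed sample payloads (not captured traffic); addresses are documentation ranges.
WPAD_ENC = b"\x20" + b"FHFAEBEE" + b"CA" * 11 + b"AA" + b"\x00"  # "WPAD", padding, suffix 0x00
SAMPLE_QUERY = bytes.fromhex("1a2b01100001000000000000") + WPAD_ENC + bytes.fromhex("00200001")
SAMPLE_ANSWER = (bytes.fromhex("1a2b85000000000100000000") + WPAD_ENC
                 + bytes.fromhex("00200001000000a500060000") + socket.inet_aton("192.0.2.10"))
SAMPLE_PACKETS = [("198.51.100.7", SAMPLE_QUERY), ("192.0.2.10", SAMPLE_ANSWER)]

if __name__ == "__main__":
    for alert in flag_wpad_answers(SAMPLE_PACKETS):
        print("NBNS answer for WPAD:", alert)
```

Only the answer is flagged; the broadcast query for WPAD is ignored, and an environment with a legitimate WPAD host would pass its address in `allowed_answers`.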
For more in-depth technical details check out this post. Exploit code for the attack can be found here.