The SMB Relay attack is one of those awesome tactics that really helps penetration testers demonstrate significant risk in a target organization; it is reliable, effective, and almost always works. Even when the organization has good patch management practices, the SMB Relay attack can still get you access to critical assets. Most networks have several automated systems that connect to all the hosts on the network to perform various management tasks. For example, software inventory systems, antivirus updates, nightly backups, software updates and patch management, desktop backups, event log collectors, and other processes will routinely connect to every host on the network, log in with administrative credentials, and perform some management function. In some organizations, active defense systems such as antivirus rogue-host detection will immediately attempt to log in to any host that shows up on the network. These systems will typically try long lists of administrative usernames and passwords as they try to gain access to the unknown host that has mysteriously appeared on the network. SMB Relay attacks allow us to grab these authentication attempts and use them to access systems on the network. In a way, SMB Relays are the network version of Pass the Hash attacks (which Ed Skoudis described briefly in the context of psexec in his Pen Tester's Pledge article).
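The mechanism described above leaves a footprint that defenders can hunt for. When an automated management process authenticates to a rogue host and that authentication is relayed onward to a real server, the 4624 logon event written on the real server still carries the original client's workstation name (it travels inside the NTLM authenticate message), but the source address is that of the relaying host. A privileged NTLM network logon whose workstation name does not map to the address it came from is therefore a useful relay indicator, and one source address presenting several different workstation names is a stronger one. The following detection script is an added example, not code from the original post; the host inventory, account names and simplified one-line 4624 events are all constructed sample data, and the field names used in the sample lines are an assumed flattening of the real event's XML fields.

```python
"""
Relay-indicator heuristic over Windows 4624 logon events (added example).

All hostnames, addresses, accounts and log lines are constructed; the
"Key=Value" rendering of event 4624 is an assumed simplification of the
real event XML (TargetUserName, LogonType, AuthenticationPackageName,
WorkstationName, IpAddress).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: the address each known host should log on from.
INVENTORY = {
    "BACKUP01": "10.0.1.20",
    "AVMGMT01": "10.0.1.21",
    "WS-ALICE": "10.0.5.40",
}

# Constructed set of accounts whose network logons matter most.
PRIVILEGED = {"svc_backup", "svc_av", "administrator"}

# Constructed sample events as they might be exported from a collector.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPkg=NTLM User=svc_backup Workstation=BACKUP01 IpAddress=10.0.1.20",
    "EventID=4624 LogonType=3 AuthPkg=NTLM User=svc_av Workstation=AVMGMT01 IpAddress=10.0.9.77",
    "EventID=4624 LogonType=3 AuthPkg=Kerberos User=alice Workstation=WS-ALICE IpAddress=10.0.5.40",
    "EventID=4624 LogonType=3 AuthPkg=NTLM User=administrator Workstation=UNKNOWNBOX IpAddress=10.0.9.77",
    "EventID=4624 LogonType=2 AuthPkg=NTLM User=alice Workstation=WS-ALICE IpAddress=127.0.0.1",
]


@dataclass
class Finding:
    user: str
    workstation: str
    ip: str
    reason: str


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))


def analyze(lines, inventory=INVENTORY, privileged=PRIVILEGED):
    """Return relay indicators found in the given 4624 event lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Only network logons (type 3) can be the far end of a relay.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        # Kerberos logons are not what an SMB relay produces; NTLM is.
        if ev.get("AuthPkg") != "NTLM":
            continue
        user = ev.get("User", "").lower()
        ws = ev.get("Workstation", "")
        ip = ev.get("IpAddress", "")
        expected = inventory.get(ws)
        if expected is None:
            # Unknown workstation name: only worth raising for privileged accounts.
            if user in privileged:
                findings.append(Finding(user, ws, ip,
                                        "privileged NTLM logon from host not in inventory"))
        elif expected != ip:
            # Name/address mismatch: the name came from the client, the address did not.
            findings.append(Finding(user, ws, ip,
                                    f"workstation name maps to {expected}, logon came from {ip}"))
    return findings


def relay_candidates(findings):
    """Group findings by source address; one address wearing many names is the classic relay host."""
    names = defaultdict(set)
    for f in findings:
        names[f.ip].add(f.workstation)
    return {ip: ws for ip, ws in names.items() if len(ws) > 1}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.user}@{h.workstation} from {h.ip}: {h.reason}")
    print("relay candidates:", relay_candidates(hits))
```

Two caveats apply when running this over real exports: some clients send an empty workstation name, which the inventory lookup will miss, so treat an empty name on a privileged NTLM logon as its own indicator; and the heuristic only surfaces relays that reached a server writing 4624 events, so it complements rather than replaces the structural fixes (SMB signing required on servers, and removing NTLM where Kerberos can be used).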