Passwords and Permissive Outbound Firewall Rules
During security engagements, our consultants regularly encounter organisations vulnerable to password compromise. They find that while great care is often taken in relation to inbound firewall rules, outbound rule-sets are frequently overlooked.
In the following scenario, PR’s Principal Security Consultant Matt Byrne demonstrates how permissively configured or “allow all” outbound firewall rules can result in the compromise of internal users’ credentials and potentially impact your wider internal network or domain.
Permissive Outbound Firewall Rules – Scenario Walk Through
Our scenario begins from the attacker’s perspective. The attacker generates a Microsoft Office document (we’ve chosen MS Word) containing an image that links to an Internet-facing Server Message Block (SMB) file share under the attacker’s control, e.g.:
In this example, the Perspective Risk logo is the remote linked image:
It’s worth noting that no antivirus vendor will flag this content as being malicious. Ultimately, it does not contain any form of malware; we are simply abusing built-in MS Office functionality.
By way of background, MS Word .docx files are essentially archive files and can be explored in the same way as any other .zip file, the file here being:
The image below shows our extracted .docx file:
Within one of the extracted files, “document.xml.rels”, we can see the Universal Naming Convention (UNC) path to our image; this is the source of the password compromise:
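One way a defender can check a document for the relationship described above, as an added example that is not code from the original post: it opens the .docx as a zip, parses every .rels part, and reports external relationships whose target is a UNC path or a file:// URL with a remote host (the cases that would make Office attempt an SMB connection). The fixture it scans is constructed here and uses the documentation address 203.0.113.5 as a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by OOXML relationship parts (e.g. word/_rels/document.xml.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Targets Office would resolve over SMB: \\host\share\... or file://host/...
# (file:///C:/... has an empty host and is deliberately not matched).
UNC_RE = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/)", re.IGNORECASE)


def find_external_smb_targets(docx_bytes):
    """Return (part_name, rel_id, target) for each external relationship
    whose target would be fetched via SMB when the document is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts declare targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts (media/image1.png) are packaged
                target = rel.get("Target", "")
                if UNC_RE.match(target):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_sample_docx():
    """Constructed fixture: a zip holding only a rels part with one packaged
    image, one external UNC image and one http hyperlink. It is not an
    openable Word document; it exists solely to exercise the scanner."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="x/image" Target="media/image1.png"/>'
        '<Relationship Id="rId2" Type="x/image" TargetMode="External" '
        r'Target="\\203.0.113.5\share\logo.png"/>'
        '<Relationship Id="rId3" Type="x/hyperlink" TargetMode="External" '
        'Target="https://example.org/"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rid, target in find_external_smb_targets(build_sample_docx()):
        print(f"{part}: {rid} -> {target}")
```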
To fully demonstrate this risk, the packet capture displayed below shows the outbound traffic triggered once the target (the user) opens the malicious document. As can be seen in the packet capture, MS Word attempts to initiate a connection to TCP port 445 (the CIFS/SMB file sharing service) and sends ICMP echo requests (pings) to the remote server.
The traffic below was captured when no remote server was responding, i.e. all of the traffic displayed originates from the user/victim only:
Now that we have discussed the composition of the malicious document and the client-side traffic that is triggered when it is opened, we will look at the server/attacker side.
On the attacker’s side we are using the excellent Responder tool maintained by Laurent Gaffie. In our scenario we are using Responder to capture the incoming NTLMv2 authentication attempts via the Windows SMB service.
This screenshot details a connection to the Responder session from the victim (mradmin):
As a result of Network Address Translation (NAT), the 86.x.x.x IP address reflects the target organisation’s public Internet IP address, as opposed to the internal network address (192.168.1.150).
The traffic relating to the capture of the user’s NTLMv2 authentication attempt can be seen below:
Cracking the Password
Once the appropriate packets have been captured, Responder writes the victim’s response in a format suitable for cracking with the de facto password-cracking tool, Hashcat:
Once we have cracked the password, we need an Internet-accessible service against which to use it. We cannot use it directly against internal assets, as they will be protected by the company’s corporate firewall. Some valid options include:
An Internet-accessible Outlook Web Access portal (below), or any other Internet-accessible service.
More determined attackers may attempt any of the following:
- Access your physical premises and subsequently connect to network taps in hot-desk areas or meeting rooms
- Access your wireless network, or stand up a rogue wireless network to entice valid users to connect
- Follow employees to local coffee shops or home addresses (again, wireless attacks could be performed)
Password Compromise Remediation
As the name of this blog suggests, the simplest remediation is to implement effective outbound firewall rules. In relation to this specific attack scenario, TCP port 445 should not be permitted to exit your internal environment to the Internet.
Thought also needs to be given to protecting employee assets when working remotely. Many home broadband routers do not filter outgoing network traffic; in fact, some are not even capable of it. This means that employee credentials could be compromised without an attacker ever interacting with your corporate network infrastructure.
Need help? Matt or any of the team at PR will be glad to assist you with any element of your cyber security. Please contact us.