Sunday, April 4, 2010

Dionaea NTLMv2 support

As I know current Dionaea cannot support for NTLMv2 authentication, I have tried to make some changes to and The test is done with Metasploit MS08-067 exploit as the exploit is use NTLMv2 authentication.

The current Dionaea may process until the stage of SessionSetup AndX Request,NTLMSSP_NEGOTIATE. The response is incomplete and Wireshark showed the negotiation stop there. This is due to the lack of NTLMv2 support.

After I make some changes, with the fixed security blob content (simple method as no need to deal with GSSAPI for the moment), the NTLM authentication of Metasploit MS08-067 exploit is successfully and the shellcode has delivered. Wireshark has showed the complete NTLM negotiation and further continue the TreeConnect AndX Request.

Dionaea showed shellcode has found and profiling has performed.

Metasploit showed the exploited has completed.

p/s : this method of modication actually breaking dionaea overall function and the modication only support for the NTLM negotiation with security blob. The purpose of the modication is for testing but not the applicable patch use.

No comments:

Post a Comment