Sunday, May 8, 2011

ATSVC support for Dionaea

For SMB/NetBIOS hacking, one of the usual ways to execute a payload on a remote machine is via the Task Scheduler. In a Windows environment, the 'at' command schedules a task to run on a remote host at a given time; on the wire this is the ATSVC RPC interface, reached over SMB through the \pipe\atsvc named pipe, and it needs administrative credentials on the target. The at command can be run, for example, as follows:

To view the scheduled tasks on a remote machine:
- at \\ip

To schedule a task at 23:00 on the remote machine:
- at \\ip 23:00 command

Recently, I took a look at the possibility of adding ATSVC service support to Dionaea, as mentioned by Markus in his blog post on the MS11-020 vulnerability, http://carnivore.it/2011/04/19/rumors. As usual, after a couple of checks against MSDN and Wireshark, it was interesting to observe the difference between a legitimate connection and Dionaea's response.

Legitimate SMB connection between 2 Windows machines:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. NT Create AndX Request/Response
5. Trans2 Request/Response......

Connection between a Windows machine and Dionaea:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. Tree Disconnect Request/Response

The connection is terminated after this response. How can that be?!

I spent quite some time figuring out the root cause of the issue, checking every single packet layer, field value, etc. After a long stretch of tweaking and troubleshooting, on the edge of nearly giving up, the NBNS queries and responses that are exchanged even before the SMB negotiation caught my attention. I noticed that at.exe needs NetBIOS protocol support, which is currently not available in Dionaea. Dionaea mainly supports the SMB protocol, which runs on port TCP/445, whereas at.exe requires NetBIOS support, which runs on port UDP/137.

To execute at.exe remotely over the network, the normal connection flow is as follows:
1. NBNS queries/responses
2. Negotiate Protocol Request/Response
3. Session Setup AndX Request/Response with NTLMSSP authentication
4. Tree Connect AndX Request/Response
.....[continue]

At the initial stage, several NBNS (NetBIOS Name Service) queries are exchanged on port UDP/137 before the SMB negotiation takes place. I believe that at.exe, a legacy binary that has existed since Windows NT, depends on the NBNS queries to decide whether to continue with the further action. Culprit found.
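As an added example (my own code for this post, not part of Dionaea), here is a minimal NBNS implementation in Python: it parses the name queries Windows sends on UDP/137 and builds the two answers a host is expected to return before a client moves on to SMB, the positive name query response (name to IP) and the node status response (IP to name table). The host name HONEYPOT, the address 192.0.2.10 and the packets are constructed for the example; the post does not show which of the two query types at.exe actually sends, so both are handled.

```python
"""NetBIOS Name Service (UDP/137) helpers: parse the queries Windows sends
before it talks SMB and build the two responses a host is expected to give.
Added example for this post, not Dionaea code. Layouts follow RFC 1001/1002;
the packets below are constructed in code, not captured from a real client."""
import struct

NB = 0x0020      # QTYPE/RR_TYPE: NetBIOS name query
NBSTAT = 0x0021  # QTYPE/RR_TYPE: node status request (what nbtstat -A sends)
CLASS_IN = 0x0001

def encode_name(name, suffix=0x20):
    """First-level encoding: 15 chars padded + 1 suffix byte, every byte split
    into two nibbles written as 'A'+nibble, giving one 32-char label."""
    pad = b"\x00" if name == "*" else b" "   # the wildcard name is NUL-padded
    raw = name.upper().encode("ascii").ljust(15, pad) + bytes([suffix])
    enc = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([32]) + enc + b"\x00"

def decode_name(field):
    """Reverse of encode_name for a 34-byte field -> (name, suffix)."""
    if len(field) < 34 or field[0] != 32 or field[33] != 0:
        raise ValueError("malformed NetBIOS encoded name")
    nib = [c - 0x41 for c in field[1:33]]
    if any(not 0 <= n <= 15 for n in nib):
        raise ValueError("bad first-level encoding")
    raw = bytes((nib[i] << 4) | nib[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]

def parse_query(pkt):
    """Parse a single-question NBNS request; rejects responses and junk."""
    if len(pkt) < 50:
        raise ValueError("packet too short for an NBNS query")
    trn_id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_name(pkt[12:46])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qclass != CLASS_IN or qtype not in (NB, NBSTAT):
        raise ValueError("unsupported question type/class")
    return {"trn_id": trn_id, "name": name, "suffix": suffix,
            "qtype": qtype, "broadcast": bool(flags & 0x0010)}

def build_query(name, suffix=0x20, qtype=NB, trn_id=0x1234):
    """Client side of the exchange: flags 0x0110 = recursion desired + B."""
    hdr = struct.pack("!6H", trn_id, 0x0110, 1, 0, 0, 0)
    return hdr + encode_name(name, suffix) + struct.pack("!HH", qtype, CLASS_IN)

def name_query_response(q, ip, ttl=300000):
    """Positive NAME QUERY RESPONSE: 'ip owns this name'. Flags 0x8500 =
    response + authoritative + RD; NB_FLAGS 0x0000 = B-node, unique name."""
    hdr = struct.pack("!6H", q["trn_id"], 0x8500, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0) + bytes(int(o) for o in ip.split("."))
    rr = encode_name(q["name"], q["suffix"])
    return hdr + rr + struct.pack("!HHIH", NB, CLASS_IN, ttl, len(rdata)) + rdata

def node_status_response(q, host, mac=bytes(6)):
    """NODE STATUS RESPONSE to a '*' query: the name table a client reads to
    learn a host's NetBIOS name from its IP. Entry = 16-byte name + NAME_FLAGS
    (0x0400 = unique, active); 46 bytes of statistics (MAC + counters) follow."""
    names = [(host, 0x00), (host, 0x20), ("WORKGROUP", 0x00)]
    table = b"".join(n.upper().encode("ascii").ljust(15, b" ") + bytes([s])
                     + struct.pack("!H", 0x0400) for n, s in names)
    rdata = bytes([len(names)]) + table + mac + bytes(40)
    hdr = struct.pack("!6H", q["trn_id"], 0x8400, 0, 1, 0, 0)
    rr = encode_name(q["name"], q["suffix"])
    return hdr + rr + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata

def parse_name_query_response(pkt):
    """Pull the fields a client cares about out of a positive name response."""
    trn_id, flags = struct.unpack("!HH", pkt[:4])
    name, suffix = decode_name(pkt[12:46])
    rtype, _cls, ttl, _rdlen = struct.unpack("!HHIH", pkt[46:56])
    return {"trn_id": trn_id, "flags": flags, "name": name, "suffix": suffix,
            "rtype": rtype, "ttl": ttl, "ip": ".".join(str(b) for b in pkt[58:62])}

def parse_node_status_names(pkt):
    """Return [(name, suffix), ...] from a node status response's name table."""
    count = pkt[56]                       # NUM_NAMES sits right after RDLENGTH
    return [(pkt[57 + 18 * i:72 + 18 * i].decode("ascii").rstrip(" "),
             pkt[72 + 18 * i]) for i in range(count)]

if __name__ == "__main__":
    q = parse_query(build_query("HONEYPOT"))             # forward name lookup
    print(parse_name_query_response(name_query_response(q, "192.0.2.10")))
    s = parse_query(build_query("*", 0x00, NBSTAT))      # 'who are you?' by IP
    print(parse_node_status_names(node_status_response(s, "HONEYPOT")))
```

Bound to a UDP socket on port 137, this lets the honeypot answer instead of staying silent; a client whose name resolution gets no reply gives up before it ever reaches the ATSVC pipe, which fits the early Tree Disconnect seen above. The host name placed in the node status table should match the server name the SMB side presents, otherwise the client gets two different answers about the same machine.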

Screenshot:
Legitimate connection between 2 Windows hosts

Failed connection between a Windows host and Dionaea


Move on.