Why am I seeing this note?
DNS entries typically match host names, and when these values do not match it could indicate an NTLM relay attack against your Canary. Two questions arise: what are relay attacks, and why would an attacker perform such an attack against a Canary? We answer both below before showing how these attacks can be detected.
1. What are relay attacks?
NTLM relay attacks are well documented, and are a form of a Man-in-the-Middle (MitM) attack. Below are simplified images of how such an attack could take place:
1.1) An end-user connecting to a file share authenticating using NTLM
1.2) An attacker positions themselves between the end-user and the file share server, and intercepts and relays the connection from the end-user to the SMB file share
1.3) An attacker identifies a Canary as a potential candidate for an NTLM relay attack, and intercepts and relays the connection from the end-user to the Canary file share
2. Why would an attacker perform an NTLM relay attack against a Canary?
If you haven't joined your Canary to your Active Directory domain, it should be considered, as it could lead to detection of compromised AD credentials and the relay attack covered in this post.
When a Canary is joined to AD, it's possible to disable Server Signing (also known as SMB signing), which is a control that prevents NTLM relay attacks.
For an attacker to perform this attack, they need to identify hosts on a network with Server Signing disabled. Thus, we intentionally configure the Canary to allow relayed connections.
3. Source IP, Reverse IP Lookup and Remote SMB Name explained
Screenshot 1.3 (the relay attack) above contains the following:
- A victim with IP address 192.168.20.104 and hostname DESKTOP-DAGBG62
- An attacker with IP address 192.168.20.103 and hostname kali
- A Canary with IP address 192.168.20.110 and hostname FS01
Examine the alert below:
We can observe that the Source IP (1) and Reverse IP (2) refer to the kali machine. However, the Remote SMB Name (3) refers to the victim hostname, DESKTOP-DAGBG62.
If you receive this annotation it could indicate an NTLM relay/MitM attack.
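The comparison described above can be scripted if you export Canary alerts into your own tooling. The following is an added example, not code from Thinkst or the Canary product: it assumes three fields per alert (source IP, the reverse DNS name for that IP, and the remote SMB name), normalises both names to their short host label, and flags the alert when they disagree. The sample alerts are constructed from the addresses and hostnames in Screenshot 1.3.

```python
"""Flag Canary SMB alerts whose reverse-DNS name disagrees with the SMB client name.

A relayed NTLM session arrives from the attacker's IP (reverse DNS -> attacker
host) but carries the victim's machine name inside the SMB negotiation, so the
two names differ. This is example code only; field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SmbAlert:
    source_ip: str
    reverse_name: Optional[str]   # PTR lookup of source_ip; None when no PTR record exists
    remote_smb_name: str          # hostname presented by the SMB client in the session

def _short_label(name: str) -> str:
    """Reduce 'FS01.corp.local' or 'fs01' to 'fs01' so FQDN vs NetBIOS forms compare equal."""
    return name.strip().split(".")[0].lower()

def classify(alert: SmbAlert) -> Tuple[str, str]:
    """Return (verdict, reason).

    verdict is one of:
      'match'       reverse DNS and SMB name agree, consistent with a direct client
      'no_reverse'  no PTR record, so the check is inconclusive and needs a manual look
      'mismatch'    names disagree, the pattern left by an NTLM relay / MitM
    """
    if not alert.reverse_name:
        return "no_reverse", f"no reverse DNS for {alert.source_ip}; cannot compare"
    rev = _short_label(alert.reverse_name)
    smb = _short_label(alert.remote_smb_name)
    if rev == smb:
        return "match", f"{alert.source_ip} -> {rev} matches SMB name {smb}"
    return "mismatch", (
        f"{alert.source_ip} reverse-resolves to {rev} but SMB session claims {smb}; "
        "possible NTLM relay"
    )

# Constructed sample alerts based on the hosts in Screenshot 1.3.
SAMPLE_ALERTS = [
    # Victim connecting directly: everything points at DESKTOP-DAGBG62.
    SmbAlert("192.168.20.104", "DESKTOP-DAGBG62", "DESKTOP-DAGBG62"),
    # Relay: traffic comes from kali but the SMB name is the victim's.
    SmbAlert("192.168.20.103", "kali", "DESKTOP-DAGBG62"),
    # FQDN in reverse DNS, short name in SMB: still a match after normalisation.
    SmbAlert("192.168.20.104", "desktop-dagbg62.corp.example", "DESKTOP-DAGBG62"),
    # Source with no PTR record: inconclusive rather than a false positive.
    SmbAlert("192.168.20.150", None, "LAPTOP-01"),
]

def suspicious_alerts(alerts=SAMPLE_ALERTS):
    """Return only the alerts whose verdict is 'mismatch'."""
    return [a for a in alerts if classify(a)[0] == "mismatch"]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        verdict, reason = classify(a)
        print(f"{verdict:10s} {reason}")
```

Treat `no_reverse` as a prompt to fix your PTR records rather than as a clean result: the check only has value when reverse DNS for your workstation range is populated, and the relay case is the one where Source IP and Reverse IP agree with each other but not with the Remote SMB Name.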