Tuesday, May 17, 2016

Bypassing Symantec Endpoint SMB NTLM capture attack detection

A while back I was running Responder on a network to get some hashes. To my surprise, the incident response team pinged me and asked if the alerts they were getting from Symantec Endpoint Protection [SEP] were from my activities. I social engineered them a little and they ended up sending me a screen cap, which said:
Attack: SMB Sniffer Negotiate Protocol Challenge Key 2
When I googled that, it returned a page that gives a bit more information.
URL: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26956

On that page it says:
This signature detects attempts to sniff SMB usernames and passwords through a known challenge key which can then be used to crack the passwords offline.
The key words there are "through a known challenge key". Responder uses the default challenge key of 1122334455667788, and that is how SEP detected this attack. Responder is awesome and has a config file that allows you to change the challenge key to whatever you want, which then bypasses SEP's detection of the attack. The config file is found in /usr/share/responder/ on Kali 2 systems; simply change the challenge key to something like 2211334455667788 and your attacks will go unnoticed by SEP. Happy hacking :)
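From the defender's side, the signature above is only as good as the one value it keys on. The following Python is an added example (not from the post, Responder or Symantec) that parses the NTLMSSP CHALLENGE_MESSAGE, flags the default 1122334455667788 key, and goes one step further than the SEP signature: it also flags any server whose challenge repeats across sessions, because a genuine SMB server draws a fresh random challenge each time, so a changed-but-still-static key stands out just the same. The session list and IP addresses are constructed sample data.

```python
import struct
from collections import Counter

# Fixed challenge Responder ships with, which the Symantec signature keys on.
RESPONDER_DEFAULT_CHALLENGE = bytes.fromhex("1122334455667788")

def server_challenge(msg: bytes):
    """Return the 8-byte ServerChallenge of an NTLMSSP CHALLENGE_MESSAGE (Type 2), or
    None. Layout: Signature(8) | MessageType(4) | TargetNameFields(8) | Flags(4) | Challenge(8)"""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        return None
    return msg[24:32]

def build_challenge_message(challenge: bytes) -> bytes:
    """Constructed minimal Type 2 message (empty target name), used as sample input."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 0)    # TargetNameFields: empty
            + struct.pack("<I", 0x00028205)   # NegotiateFlags (constructed value)
            + challenge + b"\x00" * 8)        # ServerChallenge, Reserved

def detect_static_challenges(sessions):
    """sessions: iterable of (server_ip, raw Type 2 bytes) taken from SMB captures.
    Flags the known Responder default, and any (server, challenge) pair seen in more
    than one session: a genuine server draws a fresh random challenge every time, so
    a repeated value betrays a static key whatever it was changed to."""
    findings, seen = [], Counter()
    for ip, raw in sessions:
        ch = server_challenge(raw)
        if ch is None:
            continue                          # not an NTLM Type 2 message
        seen[(ip, ch)] += 1
        if ch == RESPONDER_DEFAULT_CHALLENGE:
            findings.append((ip, f"known Responder default challenge {ch.hex()}"))
    for (ip, ch), n in seen.items():
        if n > 1:
            findings.append((ip, f"challenge {ch.hex()} reused across {n} sessions"))
    return sorted(findings)

# Constructed sample capture: a default-key rogue (10.0.0.5), a rogue with a changed
# but still static key (10.0.0.9), and a genuine server issuing fresh challenges.
SAMPLE_SESSIONS = [
    ("10.0.0.5", build_challenge_message(RESPONDER_DEFAULT_CHALLENGE)),
    ("10.0.0.9", build_challenge_message(bytes.fromhex("2211334455667788"))),
    ("10.0.0.9", build_challenge_message(bytes.fromhex("2211334455667788"))),
    ("10.0.0.20", build_challenge_message(bytes.fromhex("9f3a7c02d4e6b118"))),
    ("10.0.0.20", build_challenge_message(bytes.fromhex("0b5e66a1c93d2f70"))),
    ("10.0.0.20", b"\xffSMB is not an NTLMSSP message"),
]
```

Running `detect_static_challenges(SAMPLE_SESSIONS)` reports 10.0.0.5 for the default key and 10.0.0.9 for the reused key, while the server with fresh challenges is left alone.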