Hot Potato is a tool that combines three vulnerabilities - NetBIOS Name Service spoofing, Web Proxy Auto-Discovery Protocol man-in-the-middle attacks, and HTTP to SMB relaying - to perform privilege escalation on Windows systems. It takes advantage of legacy Windows protocols like NetBIOS and WPAD to trick applications into sending NTLM authentication credentials over HTTP, which are then relayed back over SMB to authenticate at a higher privilege level. Microsoft released patches in 2016 to address issues like local HTTP to SMB relaying and secure WPAD resolution. Disabling vulnerable legacy protocols, requiring SMB signing, and using more secure authentication methods like NTLMv2 or Kerberos can help prevent such privilege escalation attacks.

1. Hot Potato Privilege
Escalation
Sunny Neo

2. Hot Potato
• Tool released by Stephen Breen @ FoxGlove Security
• Combined 3 vulnerabilities to perform Privilege Escalation
• NetBIOS Name Service (NBNS) Spoofing
• Web Proxy Auto-Discovery Protocol (WPAD) Man In The Middle
Attack
• HTTP-> SMB Relay
2

3. NetBIOS over TCP/IP
• Enabled by Default for Windows
• Legacy API that provides services pertaining to Layer 5 (session) of OSI
• Enables applications on different machines within local network to
communicate
• Provides 3 Types of Services
• Name Service (UDP: 137)
• Datagram Service (UDP: 138)
• Session Service (TCP: 139)
Source: https://pentestlab.wordpress.com/tag/nbtscan/

4. NetBIOS Name Service Spoofing
• Windows resolves domain name by the order
• Local Host File @ C:WindowsSystem32driversetchosts
• DNS Cache
• DNS Server
• Local LMHOST File @ C:WindowsSystem32driversetclmhosts.sam
• Link-Local Multicast Name Resolution (LLMNR)
• NetBIOS broadcast
• Anyone can respond to the NetBIOS Broadcast 
4

5. Web Proxy Auto-Discovery Protocol (WPAD)
• Enables Browser to automatically configure Proxy Settings
• IE will automatically look up http://WPAD/wpad.dat for
proxy settings

6. WPAD Man in the Middle
6
Source: https://github.com/breenmachine/Potato

7. NTLM Authentication
• Challenge – Response
• 3 Types of Messages
• Negotiation
• Challenge
• Response
7
Source: https://msdn.microsoft.com/en-us/library/cc239684.aspx

8. SMB -> SMB Relay
• 15 years old SMB Relay/Reflection Attack
Attacker MITMed the
connection to
legitimate SMB Server
Legitimate Client
(3) Client sends the Attacker the NTLM
Challenge
(2) Attacker connects to Client SMB
service and asks for a NTLM Challenge
(1) Client connects to SMB Server and
asks for a NTLM Challenge
(4) Attacker modifies Client’s Challenge and
sends it back to Client as his own for (1)
(5) Client receives (1) Challenge, encrypts it using
his credential (hash) and sends it back to Attacker
(6) Attacker sends back the response he
receives and successfully authenticate for (2)
8

9. SMB -> SMB Relay
• MS08-068 stops this by preventing relaying back the
Challenges Keys from where they were issued – SMB to SMB
Relay
• Doesn’t stop cross protocol attack HTTP -> SMB Relay
(Before 14 June 2016)
9

10. HTTP-> SMB Relay
• IE supports Integrated Windows Authentication (NTLM
Authentication)
• Automatic Logon is enabled by default for Intranet Zone
• Localhost is part of Intranet Zone
10

11. Hot Potato (Windows 7) Steps
1. Start NBNS Spoofing for WPAD and start Web Server on localhost:80
2. Start Windows Defender Update (NT Authority/System)
3. WPAD settings redirect Windows Defender Update to http://localhost/GETHASHES
4. http://localhost/GETHASHES asks for NTLM authentication and connects to localhost SMB
to obtain Challenge then forward it to Windows Defender Update
5. Windows Defender Update sends NTLM Response
6. Hot Potato resumes the SMB Authentication with the NTLM Response 
11

12. Patches (MS16-075 & MS16-077)
• MS16-075
• Fix local HTTP->SMB Relay
• MS16-077 (BadTunnel)
• WPAD resolution for auto proxy detection will not use NETBIOS
• The default behavior of PAC file download is changed so that the client's domain
credentials are not automatically sent in response to an NTLM or Negotiate
Authentication challenge when WinHTTP requests the PAC file
12

13. What about LLMNR?
13

14. Prevention & Mitigation
1. Disable legacy protocols and broadcast protocols and WPAD
2. Require SMB Signing
3. Extended Protection For Authentication
4. NTLMv2 Hash only or Kerberos
5. Network Segmentation
14

15. Reference
• https://foxglovesecurity.com/2016/01/16/hot-potato/
• https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
• https://technet.microsoft.com/en-us/library/cc940063.aspx
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Responder-2-0---Owning-Windows-Networks-part-3/
• http://findproxyforurl.com/wpad-introduction/
• https://penetrate.io/2014/06/05/netbios-name-spoofing-and-smb-it-still-works/
• http://blog.kleissner.org/?p=842
• https://msdn.microsoft.com/en-us/library/dd767318(v=vs.90).aspx
• https://richardkok.wordpress.com/2011/02/03/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/
• https://www.rapid7.com/db/modules/auxiliary/server/capture/smb
• http://mccltd.net/blog/?p=1252
• https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files.pdf
• http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle
• http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/
• https://www.ptsecurity.com/download/wpad_weakness_en.pdf
• http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism
• https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-grutzmacher.pdf