We find that, a majority of the time, internal networks allow credentials to be passed between systems via name resolution traffic such as Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS). By listening to, intercepting and manipulating name resolution traffic, an attacker can redirect authentication traffic to the attacker's machine in a Man-in-the-Middle (MitM) attack.

These multicast services (LLMNR & NBT-NS) allow machines on the same subnet to communicate with each other when DNS fails. For example, when a user tries to access a system by name and DNS cannot resolve it (because of an error or because no record exists), the client falls back to an LLMNR (multicast) and/or NBT-NS (broadcast) request sent across the local network to resolve that name.
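The fallback just described is also what lets a defender measure exposure without poisoning anything: a client that multicasts a query for a name DNS could not resolve should normally get no answer at all. The PowerShell below is an added example written for this article (it is not code from the original post or from the Responder project). It sends an LLMNR query for a randomly generated "canary" name that no legitimate host can own and records which, if any, hosts reply. It assumes a single active IPv4 interface and that outbound UDP to the LLMNR multicast group is allowed; the function and variable names are this example's own.

```powershell
# Added defensive check, not part of the original post: an LLMNR "canary".
# A healthy segment answers a query for a non-existent name with silence; any reply
# identifies a host that answers unresolvable names, which is what a poisoner does.
# Assumptions: one active IPv4 interface, outbound UDP to 224.0.0.252:5355 permitted.

function New-LlmnrQuery {
    param([string]$Name, [int]$Id)
    # LLMNR reuses the DNS message layout (RFC 4795): 12-byte header plus one question.
    $msg = New-Object System.Collections.Generic.List[byte]
    $msg.AddRange([byte[]]@(
        ($Id -shr 8), ($Id -band 0xFF),      # transaction ID
        0x00, 0x00,                          # flags: standard query, QR = 0
        0x00, 0x01,                          # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    ))
    foreach ($label in $Name.Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $msg.Add([byte]$bytes.Length)        # length-prefixed label
        $msg.AddRange($bytes)
    }
    $msg.Add(0x00)                           # end of QNAME
    $msg.AddRange([byte[]]@(0x00, 0x01, 0x00, 0x01))  # QTYPE A, QCLASS IN
    return $msg.ToArray()
}

function Test-LlmnrCanary {
    param([int]$TimeoutMs = 3000)
    # A random label guarantees that no real host is entitled to answer.
    $canary = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    $id     = Get-Random -Minimum 1 -Maximum 65535
    $query  = New-LlmnrQuery -Name $canary -Id $id

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    [void]$udp.Send($query, $query.Length, $group)

    $answers = @()
    try {
        while ($true) {
            $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
            $data = $udp.Receive([ref]$from)
            # Count a reply only if it echoes our transaction ID and has QR = 1 (response).
            if ($data.Length -ge 12 -and
                $data[0] -eq ($id -shr 8) -and $data[1] -eq ($id -band 0xFF) -and
                ($data[2] -band 0x80) -ne 0) {
                $answers += $from.Address.ToString()
            }
        }
    } catch [System.Net.Sockets.SocketException] {
        # Receive() throws once ReceiveTimeout elapses; that is the normal "no more replies" exit.
    } finally {
        $udp.Close()
    }
    return ($answers | Sort-Object -Unique)
}

$hits = Test-LlmnrCanary
if ($hits) { "Hosts answering LLMNR for a non-existent name: $($hits -join ', ')" }
else       { "No host answered the canary query within the timeout." }
```

Run it from a workstation on the segment you want to assess. A reply from any address is worth investigating, and the transaction-ID and QR-bit checks keep unrelated multicast chatter from being miscounted as a hit.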
One way we accomplish this is with a Python script called Responder, which performs the poisoning attack. Responder also runs several rogue authentication servers listening on a number of UDP and TCP ports. In our experience, once this script is properly run it will capture an abundance of usernames and password hashes traversing the network (typically NetNTLMv2) in modern Windows environments.

Capturing Credentials w/ Responder:
Responder is a very useful script that should be in every internal pentester's arsenal, whether you have access to the network with your own system or not. But we will get more into that eventually! Let's assume your attacker system has access to the internal network and you have Responder installed. From this point we can simply start the script at the beginning of our assessment with the configuration switches appropriate to your goals and, hopefully, watch these broadcast protocols roll on in as authentication attempts land in our "logs/" files!
1. Running Responder in a Basic Manner: Below is the default "Responder.conf" file, which you can tweak depending on which services you want started when the script is run. By default all server services are set to start and act as listeners to capture the various protocols' traffic on the network.

Once the conf file is reviewed, we can start the Responder script against a network interface (-I eth0) and enable fingerprinting (-f) to identify basic system information while traffic is intercepted and spoofing attempts occur.

Below you can see that Responder was able to poison LLMNR when the (.105) host queried DNS for an unknown name. The output shows that Responder successfully intercepted the NTLMv2 username and hash for the Administrator account. From this point an adversary can go on to collect additional users and their hashes, which makes several further attack vectors possible: password cracking, pass the hash, SMB relay attacks, etc.

Responder stores the captured credentials in a file in the "logs/" directory; if we choose to crack the hash, that file can easily be run through John the Ripper to potentially reveal the clear-text password.
2. Running Responder with WPAD Enabled: Another way to leverage Responder is its WPAD feature. On an enterprise network a DNS entry for "WPAD" should normally exist and direct users requesting Internet access to a proxy server that hosts a "wpad.dat" file. If no such entry exists and users run Internet Explorer on their clients, their requests can fall victim to WPAD poisoning. Internet Explorer is exposed to these attacks because its "Automatically detect settings" proxy option is enabled by default. If the DNS query for the WPAD file fails because no DNS entry is configured, the client's request falls back to the Windows Internet Name Service (WINS), which broadcasts on the local network for "WPAD". This is where Responder comes in and allows WPAD requests to be spoofed. Below is an example of running Responder with WPAD (-w) and the Basic authentication prompt (-b) enabled to capture potential credentials.

Once a user on the local network attempts to reach the Internet using Internet Explorer, they should receive the following basic authentication login prompt produced by our WPAD poisoning. The prompt routes the entered credentials to the running Responder session, which stores any captures in the "logs/" directory.
3. Running Responder in Analyze Mode: Depending on your rules of engagement, or simply out of curiosity about whether your local network uses the protocols we're discussing, Responder has a monitoring feature called Analyze. This mode is much less intrusive than the options discussed above, which actively spoof the network. By enabling Analyze (-A) you can review the local network for various types of traffic, including LLMNR, NBNS, WPAD, Browser, etc.

Its output is shown in your running session and logged to "Analyzer-Session.log" for further review. Ultimately Analyze mode can present a clearer picture of the network's communication and whether poisoning attacks are a potential vulnerability, without attempting to exploit the network.

Poisoning the Network Even Though the Host is Locked!
Recently Room362 posted a blog on how an attacker with physical access to an organization's system can perform these multicast attacks with Responder by plugging in a specialized USB device, even on a locked system! The blog covers the configuration of weaponizing your USB device and how USB on many systems is simply Plug and Play, meaning that even when a system's screen is locked the device can still be installed and run the specified Responder command to capture traffic.
How Do I Prevent Multicast Name Resolution Poisoning?
Currently many companies and their local networks lack the remediation necessary to prevent these multicast name resolution attacks. Below are several suggestions and potential remediation approaches that could prevent these spoofing and poisoning attacks:
- Disable Broadcast Protocols: LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service)
- Prevent WPAD Poisoning by creating a WPAD entry in DNS
- Segment Local Networks with VLANS to Prevent Impact
- Ensure that only NTLMv2 is in use at a minimum and refuse LM & NTLM
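Three of the four items above (LLMNR, NBT-NS and the NTLM level) are host settings that Group Policy writes to the registry, and the WPAD item can be verified with a DNS lookup; only the VLAN segmentation has to be checked on the network side. The PowerShell below is an added audit script written for this article, not code from the original post. With no switches it reports the current state of each setting; with -Enforce it sets the registry values. The registry paths and value meanings are the standard Windows ones (EnableMulticast = 0 disables LLMNR, NetbiosOptions = 2 disables NetBIOS over TCP/IP per interface, LmCompatibilityLevel = 5 sends NTLMv2 only and refuses LM and NTLM); the function name and output fields are this example's own. Run it elevated.

```powershell
# Added hardening audit, not part of the original post. Checks a Windows host against the
# mitigations listed above and, with -Enforce, applies the registry values. Run elevated.
param([switch]$Enforce)

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Label)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($current -eq $Expected)
    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
        $current = $Expected
        $ok = $true
    }
    [pscustomobject]@{ Check = $Label; Current = $current; Expected = $Expected; Compliant = $ok }
}

$results = @()

# 1. LLMNR: the policy "Turn off multicast name resolution" writes EnableMulticast = 0.
$results += Test-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                          'EnableMulticast' 0 'LLMNR disabled'

# 2. NBT-NS: NetbiosOptions = 2 (disable NetBIOS over TCP/IP) on every interface key.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object {
        $results += Test-RegValue $_.PSPath 'NetbiosOptions' 2 "NBT-NS disabled on $($_.PSChildName)"
    }

# 3. NTLM: LmCompatibilityLevel 5 = send NTLMv2 response only, refuse LM and NTLM.
$results += Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          'LmCompatibilityLevel' 5 'NTLMv2 only (refuse LM & NTLM)'

# 4. WPAD: a DNS record for "wpad" must exist so clients never fall back to broadcast lookup.
$wpad = Resolve-DnsName -Name 'wpad' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check     = 'WPAD record in DNS'
    Current   = if ($wpad) { ($wpad.Type -join ',') } else { $null }
    Expected  = 'A or CNAME record'
    Compliant = [bool]$wpad
}

$results | Format-Table -AutoSize
```

Interfaces configured by DHCP may not have a NetbiosOptions value at all until one is set, so a blank Current with Compliant = False on those rows is expected before enforcement. On domain-joined machines, apply the same three registry settings through Group Policy rather than per host, and confirm the DNS check from a client in each site, since a missing WPAD record is what leaves the fallback open.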