If a windows customer cannot resolve a hostname using DNS, it volition utilisation the Link-Local Multicast Name Resolution (LLMNR) protocol to inquire neighbouring computers. LLMNR tin travel used to resolve both IPv4 in addition to IPv6 addresses.
If this fails, NetBios Name Service (NBT-NS) volition travel used. NBT-NS is a similar protocol to LLMNR that serves the same purpose. The brain divergence betwixt the 2 is NBT-NS industrial plant over IPv4 only.
On these occasions when LLMNR or NBT-NS are used to resolve a request, whatsoever host on the network who knows the IP of the host existence asked most tin reply. Even if a host replies to 1 of these requests alongside wrong information, it volition soundless travel regarded every bit legitimate.
H5N1 number of attack tools select been developed which volition reply to all of these queries inwards the hope of receiving sensitive information. Responder, developed past times Trustwave SpiderLabs, is 1 of these tools that tin respond LLMNR in addition to NBT-NS queries giving its ain IP address every bit the goal for whatsoever hostname requested.
Using Responder
To demonstrate the attack, nosotros volition travel using Kali Linux to bag the credentials of a Windows 7 user. Kali has Responder pre-installed in addition to tin travel establish at the directory “/usr/share/responder/”.By typing “responder –h” nosotros tin come across a listing of options available:
# responder -h Options: --version demonstrate program's version number in addition to leave of absence -h, --help demonstrate this assist message in addition to leave of absence -A, --analyze Analyze mode. This pick allows you lot to come across NBT-NS, BROWSER, LLMNR requests without responding. -I eth0, --interface=eth0 Network interface to utilisation -b, --basic Return a Basic HTTP authentication. Default: NTLM -r, --wredir Enable answers for netbios wredir suffix queries. Answering to wredir volition probable intermission materials on the network. Default: False -d, --NBTNSdomain Enable answers for netbios domain suffix queries. Answering to domain suffixes volition probable intermission materials on the network. Default: False -f, --fingerprint This pick allows you lot to fingerprint a host that issued an NBT-NS or LLMNR query. -w, --wpad Start the WPAD rogue proxy server. Default value is False -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY Upstream HTTP proxy used past times the rogue WPAD Proxy for outgoing requests (format: host:port) -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file retrieval. This may crusade a login prompt. Default: False --lm Force LM hashing downgrade for Windows XP/2003 in addition to earlier. Default: False -v, --verbose Increase verbosity.For our first demonstration, the only arguments nosotros demand to provide to Responder are the interface nosotros want to run it on:
# responder –I eth0
With this running, if a customer instantly tries to resolve a refer non inwards the DNS, our instance of Responder should toxicant the LLMNR in addition to NBT-NS requests that are sent out.
Now on a Windows 7 machine, nosotros volition asking a network resources that does non be inside our DNS. For this example, nosotros volition utilisation the file explorer in addition to asking access to a network resources “\\fielshare”.
If a user accidentally typed this instead of a legitimate hostname inwards the DNS which could travel “\\fileshare” Responder should order that its IP is the place of “fielshare”. The Windows 7 machine volition so seek to connect to “\\fielshare” using SMB which it believes is located on the Kali host. The SMB procedure volition send the Windows 7 username in addition to hashed password to the Kali host.
Above, you lot tin come across Responder has sent a poisoned respond to the LLMNR asking sent past times our Windows 7 machine for the refer “fielshare”. The Windows 7 machine so tried to connect to our rogue SMB server, thinking it was the host “fielshare” in addition to thus provided their username in addition to hashed password.
If nosotros hold off at the packets, nosotros tin come across each pace of the process:
In bundle number nine nosotros tin come across the Windows 7 machine (192.168.1.101) sending a multicast question using the LLMNR protocol to resolve the refer “fielshare”. Packet xi shows the Kali machine (192.168.1.102) responding in addition to maxim fielshare tin travel establish at 192.168.100.102, its ain IP address.
Packet seventeen so shows the Windows 7 host sending a SMB connecter request. From packets xix in addition to twenty-one to twenty-nine you lot tin come across the SMB process. The Windows 7 host is supplying their credentials to the Kali host inwards bundle twenty-three.
This type method of laid on volition solely run if the hostname that the customer wants to connect to cannot travel resolved past times DNS.
WPAD
H5N1 to a greater extent than reliable agency to larn usernames in addition to password hashes is through the WPAD protocol. If a browser is configured to automatically regain proxy settings, so it volition brand utilisation of WPAD protocol to seek in addition to locate in addition to download the wpad.dat Proxy Auto-Config (PAC) file. H5N1 PAC file defines proxy servers that a spider web browser should utilisation for dissimilar URLs.The WPAD protocol industrial plant through attempting to resolve the hostname "wpad"through a serial of refer requests. Further data on why this tin travel a safety number tin travel establish at https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol#Security.
By default, Internet Explorer has WPAD enabled:
Google Chrome in addition to Firefox are configured past times default to utilisation the systems settings for locating the PAC file:
Responder has back upwardly for poisoning WPAD requests in addition to serving a valid wpad.dat PAC file.
For this minute demonstration nosotros utilisation the next arguments for Responder:
# responder -I eth0 -wFNow when a user on the local network uses Internet Explorer, the browser should fetch the wpad.dat file from Responder. Because nosotros supplied the declaration –F, Responder volition also forcefulness the customer to authenticate when they seek to asking the wpad.dat file. Sneaky, huh?
As our Responder laid on is performed from the local network, Internet Explorer should recognise the service every bit existence inwards the Intranet safety zone in addition to automatically provide the user’s credentials without whatsoever prompt from the user. Google Chrome volition also automatically produce this nevertheless Firefox prompts the user to manually travel inwards their credentials, something to send inwards heed if you lot are testing a network that has Firefox users.
Firefox does non automatically provide Windows credentials
If successful, the Responder output volition hold off similar below:
Here you lot tin come across Responder is answering the asking from the Windows host for the refer “wpad” alongside its ain IP every bit the location. It has also logged that it has sent the WPAD file to the Windows 7 host at 192.168.100.101.
Again, Wireshark tin travel used to farther analyse the procedure pace past times step:
The outset highlighted department shows the LLMNR question for the host “wpad” existence sent past times the Windows 7 host in addition to answered past times the Kali host running Responder. The final highlighted department shows the Windows 7 host getting the wpad.dat file past times providing their credentials to the Kali host.
On both of the higher upwardly occasions, the captured hashes are output into the logs file of Responder (/usr/share/responder/logs).
In the higher upwardly image, you lot tin come across nosotros select captured hashes from both the SMB in addition to HTTP illustration that was only shown. Since they incorporate the hashed password of the same user (user2) it doesn’t actually thing which 1 nosotros use.
I’m going to utilisation the “SMB-NTLMv2-SSP-192.168.100.101.txt” file. For demonstration, the password cracker john is going to travel used alongside the “rockyou.txt” wordlist. The next ascendency volition travel used:
# john SMB-NTLMv2-SSP-192.168.100.101.txt –wordlist=/usr/share/wordlists/rockyou.txt
Since the password was inwards the wordlist, the password hash was cracked successfully.
In our sense of using this technique during penetration testing engagements, nosotros select real oftentimes captured in addition to cracked credentials for Domain Admin accounts, leading to rapid compromise of the entire Active Directory domain in addition to its resources. One farther argue why administrators should non utilisation privileged accounts for non-administrative activities such every bit Internet browsing.
The Solution
To mitigate this laid on from potentially happening inwards your local network domain, it is best to disable LLMNR in addition to NBT-NS. Note that inwards the higher upwardly laid on scenarios, these protocols were solely used when no DNS entries existed for the queries. Providing your DNS server resolves the names that demand to travel establish inwards your network, the other protocols produce non demand running.If your network environs includes computers running Windows versions 2000 in addition to earlier, NBT-NS may demand to remain enabled (see https://technet.microsoft.com/en-us/library/cc728457(v=ws.10).aspx). Mind you, if this is the case, you've got a whole charge of other safety considerations!
Disabling LLMNR
To disable LLMNR inwards your domain for DNS clients, opened upwardly gpedit.msc.Navigate to Computer Configuration->Administrative Templates->Network->DNS client.
Locate the pick “Turn off multicast refer resolution” in addition to click “policy setting”:
Once the novel window opens, enable this option, press Apply in addition to click OK:
Disabling NBT-NS
One pick for disabling NBT-NS is to utilisation DHCP orbit options.If using Microsoft's DHCP server, select the orbit that you lot desire to disable NBT-NS for. Right click “Scope Options” in addition to click “Configure Options”. In the illustration below, the DHCP orbit inwards which I desire to disable NBT-NS for is 192.168.1.100.
In the Scope Options window, navigate to the advanced tab, alter the drib downward window to “Microsoft Windows 2000 Options”:
Select the pick “001 Microsoft Disable Netbios Option” from the listing in addition to alter its value to “0x2”, click Apply in addition to so OK: