LLMNR/NBT-NS Poisoning | Taking Advantage of NTLM Security Weaknesses

By on


In this write-up we will talk about LLMNR/NBT-NS Poisoning as this attack vector is still prevalent nowadays. Vast majority of assessments result in obtaining NTLMv1 and NTLMv2 hashes which can be taken advantage to crack these hashes and gain Administrator access.


In our example, we will use the tool called "RESPONDER" to intercept traffics from the network and to gather these NTLMv1 and NTLMv2 hashes to our advantage then we will talk about the overview on how these attack's kind of work.


LLMNR/NBT-NS Poisoning Overview

Attackers can spoof an authoritative source for name resolution on a victim network by responding to LLMNR(UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system.





What is LLMNR?

-Used to identify hosts when DNS fails to do so

-Previously NBT-NS

-Key flaw is that the services utilize a user's username and NTLMv2 hash when appropriately responded to



To start with, let's run our virtual environment which consist of Active Directory/Domain Controller. Along with our target Computer joined to a Domain named "TESLA" and our Attacker's machine (KALI).


We start by running, RESPONDER from our attacker machine to listen and intercept any traffic from the network.

┌──(root㉿kali)-[/home/kali]

└─# responder -I eth0 -wdv 







On our victim's machine, we tried to access a shared folder to generate a traffic and intercepted by our attacker's machine and capture NTLMv2 hashes.




As you can see, right after the victim attempted to access the "File Share" our listener (Attacker's machine) were able to intercept and capture the hashes. Now, the attacker's machine is listening in the network and was able to establish connection and poisoned other machines in the network including the "File Share" which was accessed in our example earlier.




The gathered NTLM hashes can now then be used to further escalate the attack. These hashes can be used to escalate privileges and owned the victim's "Domain".


In this example, we will use "hashcat" to crack these NTM hashes. By running "hashcat" as shown below and using the password dictionary "rockyou.txt" we are able to crack the password of user "fcastle" and we can do further damage to the network by escalating our privileges using the cracked credential.

┌──(root㉿kali)-[/home/kali]

└─# hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt --force






Now, let's talk about defenses and mitigation against this attack. In this case, is to disable LLMNR and NBT-NS.

-To disable LLMNR, select "TURN OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the GPO editor.

-To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab > and select "Disable NetBIOS over TCP/IP".


Other mitigation:

-Implement Network Access Control

-Require strong user passwords (e.g. > 14 characters long and limit common word usage)



Location: JW2V+5W Manila, Metro Manila, Philippines

Comments

Post a Comment

Popular posts from this blog

GOAD Active Directory LAB Setup on a Windows host

By on
Image
 In this write-up, I am going to explain how I set up the GOAD Active directory lab from my Windows host using VMware, along with a number of errors and steps and procedure I went through how I fixed them. GOAD (Game of Active Directory) lab is created by Orange Cyberdefense to provide pentesters a ready-to-use, vulnerable AD environment in which to practise common attack methods. As described in the Github page, “the lab is intended to be installed from a Linux host”, but it is still possible to successfully install the lab from a Windows host. I did not want to install the lab inside a virtual Ubuntu machine, as nested virtualisation would slow down performance too much. On high level, my setup will look like: Windows host: with Vagrant installed to run the VMs on VMware. VMware Pro: with Ubuntu 22.04 VM installed to run ansible playbooks to make the AD vulnerable. In this environment, there are two different available labs: GOAD : 5 vms, 2 forests, 3 domains (full goad lab) GOAD...
Read more

My Short Analysis - Redline Infostealer

By on
Image
  In this write up, Let's tear up a specific sample of Infostealer malware and deep dive into some of its functions. This is just short analysis of Redline Infostealer malware and it is intended for educational and entertainment purposes only. The reason for picking up this sample is because of its significant and rampant in the cybercrime ecosystem. One of the most common and prolific malware stealers out there in the wild. Distributed in the cybercrime marketplace and the dark web. So, without further ado let's take a look on this malware and unravel some of its functions. Executive Summary: RedLine Stealer is a malicious program that harvest users’ confidential data from browsers, systems, installed software, credit card information and domain information of enterprise environment. It also infects operating systems with other malware. Distributed in underground forums for sale as standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This ma...
Read more

Regular expressions - Notes

By on
Image
  Regular expressions - Notes Introduction What are regular expressions? Regular expressions (or Regex) are patterns of text that you define to search documents and match exactly what you're looking for. Why should I learn how to use them? Even if you won't need them sooner or later, it's a great tool to know how to use. It will make you more capable in CTF's, and potentially a better developer if that's a goal you have. You spend a little time learning it and save yourself lots of time in the long run by using it. I know all that, but I'm lazy. This is a lazy person's tutorial. There's a little reading, and then you  learn by doing . Where's the 'Deploy' button? There's no machine to deploy.  There are two ways to test your expressions. Either: create a text file with some test paragraphs (in a Unix machine) and then use  egrep <pattern> <file>  to see what matches and what doesn't, or use an online editor like  https://r...
Read more