In this video we will simulate a LLMNR and NBT-NS poisoning attack, we will collect user password hashes and then crack them. This type of attack is very common during internal penetration testing assessments for the following reasons: - it works well with any Windows OS version - it performs well in both wired and wireless internal networks - it has a good chance to succeed because LLMNR and NBT-NS (NetBIOS Name Service) queries are enabled by default on Windows hosts; their usage does not require any authentication and any system in the local network can respond to these queries - the risk of crashing network hosts or disrupting the network user activity is low The basis for this attack relies on the way a Windows OS host performs name resolution; usually the steps below are performed in order, until the name is resolved: 1. Hosts file on the local host is checked 2. The local DNS cache is checked 3. Name query is sent to DNS server 4. LLMNR query is sent via multicast 5.
Showing posts from April, 2018
- Other Apps
In this video we will exploit a MS17-010 vulnerable computer, but instead of using the classic "reverse_tcp" payload, we will use the "reverse_https" payload. There are two main features which make the reverse_http and reverse_https payloads very useful: 1. These payloads are using http/https types of traffic and protocol inspecting firewalls usually allow http/https traffic while they might block other types of traffic. In addition, these payloads use the WinInet API and will leverage any proxy or authentication settings that the user has configured for Internet access. 2. These payloads deal well with cases when the compromised target has spotty Internet access. If the connection between "victim" and the "attacker" machine drops, then the payload will keep trying reconnecting back to the "attacker" computer. In the video we will exploit the target computer, then we will drop the Meterpreter session by interrupting network co