LLMNR and NBT-NS poisoning attack using Metasploit

In this video we simulate an LLMNR and NBT-NS poisoning attack, collect user password hashes and then crack them. This type of attack is very common during internal penetration testing assessments for the following reasons:
- it works with any Windows OS version
- it performs well in both wired and wireless internal networks
- it has a good chance of succeeding because LLMNR and NBT-NS (NetBIOS Name Service) queries are enabled by default on Windows hosts; their use does not require any authentication and any system on the local network can respond to these queries
- the risk of crashing network hosts or disrupting users' network activity is low

This attack relies on the way a Windows host performs name resolution; the steps below are usually performed in order until the name is resolved:
1. Hosts file on the local host is checked
2. The local DNS cache is checked
3. Name query is sent to DNS server
4. LLMNR query is sent via multicast
5. NBT-NS query is sent via broadcast (if WINS is not configured)
The attacker's computer listens for the queries sent at steps 4 and 5 above and responds to them, pretending to own the name the victim computer is trying to resolve. The victim computer then tries to authenticate to the attacker's computer, and the user's credentials are collected in the process.

A deeper explanation of how the poisoning attack works can be found at the link below:
https://www.crowehorwath.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials/

During this video I also refer to WPAD (Web Proxy Auto-Discovery protocol).
WPAD can be relevant during LLMNR and NBT-NS poisoning attacks, because a computer may try to resolve the "WPAD" name using LLMNR and NBT-NS queries. A basic look into WPAD can be found at the following link: https://jwcooney.com/2014/02/11/a-basic-look-into-wpad/
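The multicast and broadcast lookups described in the resolution steps above, together with the WPAD lookup, give a defender something concrete to watch for. The following Python is an added example (not from the video and not a Metasploit module): it decodes the name carried by LLMNR (UDP/5355) and NBT-NS (UDP/137) messages and flags a host that answers for several different names, or for WPAD, since a legitimate host answers only for its own name. The IP addresses, ports and packets are constructed sample data.

```python
import struct

LLMNR_PORT, NBNS_PORT = 5355, 137   # LLMNR: UDP/5355 to 224.0.0.252; NBT-NS: UDP/137 to the broadcast address

def nbns_encode(name, suffix=0x00):
    """NetBIOS first-level encoding: 15-char padded name + suffix byte, each nibble mapped to 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw).encode("ascii")

def build(txid, name, port, response=False):
    """Constructed test packet: 12-byte DNS-style header plus the first name; that is all the detector reads."""
    flags = 0x8000 if response else 0x0000           # QR bit marks a response
    if port == NBNS_PORT:
        qname = bytes([32]) + nbns_encode(name) + b"\x00"
    else:
        qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def decode_name(payload, port):
    """Return, lower-cased, the name carried by the first record after the header (query or response)."""
    labels, off = [], 12
    while payload[off]:
        n = payload[off]; labels.append(payload[off + 1:off + 1 + n]); off += 1 + n
    if port == NBNS_PORT:                            # undo first-level encoding; byte 16 is the NetBIOS suffix
        enc = labels[0]
        raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
        return raw[:15].decode("ascii").strip().lower()
    return b".".join(labels).decode("ascii").lower()

def find_poisoners(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload). A legitimate host answers only for its
    own name; a responder answering several different names, or WPAD, is behaving like the poisoner."""
    answered = {}
    for src, sport, dst, dport, payload in packets:
        port = next((p for p in (LLMNR_PORT, NBNS_PORT) if p in (sport, dport)), None)
        if port is None or not struct.unpack("!H", payload[2:4])[0] & 0x8000:
            continue                                 # not a name-service packet, or a query rather than a response
        answered.setdefault(src, set()).add(decode_name(payload, port))
    return {ip: names for ip, names in answered.items() if len(names) > 1 or "wpad" in names}

# Constructed capture: 10.0.0.99 answers both a mistyped share name and a WPAD lookup; 10.0.0.12 answers only for itself.
SAMPLE = [
    ("10.0.0.5", 50001, "224.0.0.252", 5355, build(0x1234, "filesrv", LLMNR_PORT)),
    ("10.0.0.99", 5355, "10.0.0.5", 50001, build(0x1234, "filesrv", LLMNR_PORT, response=True)),
    ("10.0.0.7", 137, "10.0.0.255", 137, build(0x8001, "WPAD", NBNS_PORT)),
    ("10.0.0.99", 137, "10.0.0.7", 137, build(0x8001, "WPAD", NBNS_PORT, response=True)),
    ("10.0.0.5", 50002, "224.0.0.252", 5355, build(0x1235, "printer01", LLMNR_PORT)),
    ("10.0.0.12", 5355, "10.0.0.5", 50002, build(0x1235, "printer01", LLMNR_PORT, response=True)),
]
```

Running `find_poisoners(SAMPLE)` reports only 10.0.0.99 with the names it answered; on a real capture, feed it the UDP packets seen on the segment.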

An overview of LLMNR can be found at: http://techgenix.com/overview-link-local-multicast-name-resolution/

An overview of NetBIOS can be found at: https://www.lifewire.com/netbios-software-protocol-818229

Metasploit modules

During this demonstration I chose to use Metasploit modules, because I reckon it makes it easier to understand the basis of this attack. There are scripts which automate and simplify this attack, but we'll discuss them in future videos.
The following Metasploit modules were used:

a) auxiliary/scanner/netbios/nbname
b) auxiliary/scanner/llmnr/query
c) auxiliary/spoof/llmnr/llmnr_response
d) auxiliary/spoof/nbns/nbns_response
e) auxiliary/server/capture/http_ntlm
f) auxiliary/server/capture/smb
