LLMNR and NBT-NS poisoning attack using Responder and MultiRelay
In the previous post we discussed the basics of an LLMNR and NBT-NS poisoning attack and demonstrated it with four Metasploit modules.
In this new video we will continue to demonstrate the LLMNR and NBT-NS attack, but instead of Metasploit we will be using Laurent Gaffie's Responder script.
Responder
Responder is a Python script that listens for Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and Multicast Domain Name System (mDNS) broadcast messages. Responder is also an LLMNR, NBT-NS and mDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
More information about Responder and its related utilities can be found on Laurent Gaffie's Blog.
The script can be downloaded from Github on: https://github.com/lgandx/Responder
The following options are available when running Responder:
The following command was used to launch Responder during the video demonstration:
./Responder.py -I eth0 -w -f
where:
-I eth0 --> Responder will use the eth0 Network Interface
-w --> start the WPAD rogue server
-f --> fingerprint the hosts sending LLMNR or NBT-NS queries
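The poisoning described above has a well-known blue-team counterpart: since a poisoner answers LLMNR queries for names nobody owns, a defender can send a query for a deliberately bogus "canary" name and treat any reply as evidence of a poisoner on the segment. The following script is an added example written for this post, not part of Responder or its author's code; it uses the standard LLMNR multicast group 224.0.0.252 on UDP port 5355 (RFC 4795), and the sample response bytes, the canary name and the address 10.0.0.66 are constructed values used only to show what a poisoned answer looks like.

```python
"""LLMNR poisoner canary: ask the segment to resolve a name that cannot exist
and treat any answer as a poisoner (no legitimate host owns the name)."""
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """DNS-style label encoding: length byte + label, terminated by 0x00."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """LLMNR query for an A record; the header layout is the DNS one."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_response(data):
    """Return {'txid', 'name', 'answers'} for an LLMNR response, or None for
    anything that is not a response (QR bit clear, truncated, malformed)."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:          # QR bit clear: a query, not a response
        return None

    def read_name(off):
        labels = []
        while True:
            ln = data[off]
            off += 1
            if ln == 0:
                break
            if (ln & 0xC0) == 0xC0:  # compression pointer into the message
                ptr = ((ln & 0x3F) << 8) | data[off]
                off += 1
                tail, _ = read_name(ptr)
                labels.append(tail)
                break
            labels.append(data[off:off + ln].decode("ascii", "replace"))
            off += ln
        return ".".join(labels), off

    try:
        off, qname = 12, None
        for _ in range(qd):
            qname, off = read_name(off)
            off += 4                   # QTYPE + QCLASS
        answers = []
        for _ in range(an):
            _, off = read_name(off)
            rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if rtype == QTYPE_A and rdlen == 4:
                answers.append(socket.inet_ntoa(rdata))
    except (IndexError, struct.error):
        return None
    return {"txid": txid, "name": qname, "answers": answers}


def probe_for_poisoner(timeout=2.0):
    """Send one canary query and collect every reply that echoes our txid.
    Returns (canary_name, [(responder_ip, [advertised_ips]), ...]); a non-empty
    list means something on the segment answers names it cannot own."""
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=10))
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            parsed = parse_llmnr_response(data)
            if parsed and parsed["txid"] == txid:
                hits.append((src, parsed["answers"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits


def sample_poisoned_response():
    """Constructed sample: a poisoner's reply to 'canary-test' (txid 0x1234)
    pointing the name at its own address 10.0.0.66 (made-up values)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
    question = encode_name("canary-test") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 30, 4)
              + socket.inet_aton("10.0.0.66"))
    return header + question + answer


if __name__ == "__main__":
    canary, hits = probe_for_poisoner()
    for src, ips in hits:
        print(f"ALERT: {src} answered LLMNR query for {canary} with {ips}")
    if not hits:
        print("no LLMNR poisoner answered the canary")
```

Run it from a host on the segment you want to watch; the reply's source address is the poisoner itself, which is what makes the check useful as a scheduled detection. A genuine LLMNR responder only ever answers for its own hostname, so a reply to a random canary is a high-confidence signal rather than a heuristic.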
MultiRelay
MultiRelay is a powerful Responder-related tool that performs targeted NTLMv1 and NTLMv2 relay and post-exploitation against a selected target.
The following MultiRelay command was used during the video:
./MultiRelay.py -t 192.168.254.70 -u ALL
where:
-t 192.168.254.70 --> specifies the target computer (IP address for the Windows 7 test computer)
-u ALL --> all captured authentication requests will be relayed to target
MultiRelay works in conjunction with Responder. In a typical scenario, Responder would poison the LLMNR and NBT-NS name queries, while MultiRelay would parse the authentication requests and relay them to the target computer.
For MultiRelay to work correctly, the target computer must have SMB signing disabled: a relayed authentication fails against a host that requires signing, because the relay cannot produce the session key needed to sign its messages.
More details on SMB signing can be found in this Microsoft article and in this article.
For more details on MultiRelay, please check these two excellent articles on Laurent Gaffie's Blog:
During the video presentation, we successfully used the MultiRelay script to relay the user authentication request to a Windows 7 target computer. After that, we dumped the users' passwords in clear text from LSASS process memory, using the following Mimikatz command:
mimi sekurlsa::logonpasswords
RunFinger
RunFinger is another Responder-related utility that fingerprints a single IP address or an IP subnet and reveals (among other useful information) whether a target requires SMB signing or not. This information helps with choosing targets for the MultiRelay script.
The following RunFinger command was used during the video:
./RunFinger.py -i 192.168.254.0/24
where:
-i 192.168.254.0/24 --> specifies the IP subnet used by the test machines
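The SMB signing requirement that both the MultiRelay section and RunFinger turn on is a single field in the server's SMB2 NEGOTIATE response: the SecurityMode word, where bit 0x0001 means signing is enabled and bit 0x0002 means it is required. The script below is an added example written for this post, not RunFinger's or Responder's code, and it is meant for auditing your own hosts for the mitigation rather than for target selection. It speaks SMB2 directly over TCP 445 with a 4-byte length prefix, offers only the 2.0.2 and 2.1 dialects so the response has the fixed 64-byte layout from MS-SMB2, and the sample response (GUID, sizes, dialect 0x0210) is constructed to exercise the parser offline.

```python
"""Audit whether an SMB server requires message signing, by reading the
SecurityMode field of its SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4)."""
import socket
import struct
import sys
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # 64-byte SMB2 packet header
NEG_REQ_FMT = "<HHHHI16sQ"           # fixed part of NEGOTIATE request (36 bytes)
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"   # fixed part of NEGOTIATE response (64 bytes)


def smb2_header(command, flags=0):
    """Header for MessageId 0 with no session or tree; Signature is all zeros."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, command, 1, flags,
                       0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(dialects=(0x0202, 0x0210)):
    """NEGOTIATE request offering SMB 2.0.2 and 2.1; the client advertises signing enabled."""
    body = struct.pack(NEG_REQ_FMT, 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return smb2_header(SMB2_NEGOTIATE) + body


def parse_negotiate_response(msg):
    """Return {'dialect', 'signing_enabled', 'signing_required'}, or None if msg
    is not a successful SMB2 NEGOTIATE response."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        return None
    hdr = struct.unpack(HEADER_FMT, msg[:64])
    status, command = hdr[3], hdr[4]
    if command != SMB2_NEGOTIATE or status != 0:
        return None
    body = struct.unpack(NEG_RESP_FMT, msg[64:128])
    if body[0] != 65:                 # StructureSize of a NEGOTIATE response
        return None
    security_mode, dialect = body[1], body[2]
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def check_smb_signing(host, port=445, timeout=3.0):
    """One NEGOTIATE exchange over the direct-TCP transport (4-byte length prefix)."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        prefix = s.recv(4)
        if len(prefix) < 4:
            return None
        length = struct.unpack(">I", prefix)[0] & 0x00FFFFFF
        msg = b""
        while len(msg) < length:
            chunk = s.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return parse_negotiate_response(msg)


def sample_negotiate_response(security_mode, dialect=0x0210):
    """Constructed sample response (made-up GUID and sizes) with the given SecurityMode."""
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    return smb2_header(SMB2_NEGOTIATE, flags=SMB2_FLAGS_SERVER_TO_REDIR) + body


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: smb_signing_audit.py <host>")
    result = check_smb_signing(sys.argv[1])
    if result is None:
        print("no SMB2 NEGOTIATE response")
    else:
        verdict = "REQUIRED" if result["signing_required"] else "NOT required"
        print(f"dialect 0x{result['dialect']:04x}: SMB signing {verdict}")
```

A host that reports "NOT required" is one a relay like MultiRelay can use; the fix is the "Microsoft network server: Digitally sign communications (always)" policy, after which the same probe flips to "REQUIRED". Domain controllers require signing by default, which is why relay targets in practice tend to be member servers and workstations.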