Man-in-the-Middle Attack with Kali Linux Responder

I'd like to share my experience with a lab assignment I worked on a while back where I exploited the LLMNR protocol using Kali Linux's Responder. This is commonly known as "LLMNR Poisoning". In this post I'll walk you through the MITM (Man-in-the-Middle) attack and how easy it is to exploit user credentials given the right circumstances.

Lab Setup

* Windows 7 VM (IP: 192.168.50.150)
* Windows 2012 R2 VM (IP: 192.168.50.8, running DHCP/DNS and AD DS)
* Kali Linux VM (IP: 192.168.50.20)

* A test domain has been created on the Windows 2012 server, and the Windows 7 machine has been joined to that domain. The Windows 7 machine gets its IP from DHCP. The Kali Linux machine has a statically set IP on this subnet for testing purposes.

What is LLMNR Poisoning?

First let's start off with a brief explanation of LLMNR. LLMNR (Link-Local Multicast Name Resolution) is a protocol built into the Windows environment. It allows computers on the same subnet to help each other identify hosts when DNS fails or is not available.

LLMNR works over UDP port 5355. In the capture below you can see the request go out over the local subnet. I'm running Wireshark on my Kali VM and can see the LLMNR request being broadcast. To produce it, I logged into my Windows 7 VM with a generic user, opened File Explorer and tried to browse to a fictitious server share via a UNC path that doesn't exist. As you can see from the clear text in the capture, my user tried to connect to the server share "\\cyber-server1", which doesn't exist.

So where does poisoning come into play? The LLMNR protocol, which is the successor to the NBT-NS protocol, is unauthenticated and subject to spoofing. An attacker can sit monitoring this traffic, looking for LLMNR packets. Basically, when an LLMNR packet is broadcast, it is asking the local subnet for information on that host. If someone knows that information, they can respond with the IP address needed. The client computer receives that information, says "OK" and then sends its NTLMv2 hash to that IP so that it can authenticate and gain access.

An attacker can spoof that information and trick the client into believing that they are the correct host, so the spoofed client sends an NTLMv2 hash to them for authentication. From there the attacker can capture the password hash and attempt to crack it with various tools.

Scenario

In this lab scenario, a Windows 7 client machine will try to connect to a Windows 2012 network share through a UNC path. A Kali Linux machine on the same network will be running Responder to watch for LLMNR broadcasts. When one is seen, Kali will intercept the message and spoof the victim (the Windows 7 machine) into sending authentication credentials its way.

Attack

First off, let's launch this MITM attack by running Kali Linux Responder from a terminal. Note that my Kali box is on the same subnet (192.168.50.1/24) as my Windows 7/2012 machines.

The following parameter is passed:

-I eth0 tells Responder to listen on interface eth0, the Ethernet adapter on the Kali Linux machine (Responder's interface flag is an uppercase I).

Here you can see Responder listening for events (LLMNR broadcasts).

Next, on my Windows 7 VM, I opened Windows Explorer and tried to browse to a made-up network UNC path.

The second I pressed ENTER to connect to that server share, a lot was set in motion. First, DNS requests were sent to the Windows 2012 server asking for the host information of "\\cyber-server1\". You can see this in the Wireshark capture below.

192.168.50.8 is the DNS server in this lab setup. You can see above that the Windows 7 machine (192.168.50.150) sends the server a DNS request, but the server knows nothing about this host and returns that answer to the Windows 7 machine.

Next is the Wireshark analysis of what happens after that. Since the Windows 7 machine cannot resolve the host name from DNS, it broadcasts an LLMNR packet to see if anyone local on the subnet can help identify the host. You will notice that my Kali Linux machine (192.168.50.20) intercepts the message and spoofs its identity, basically saying "Yes, I know the address, please forward your information to 192.168.50.20."
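From the defender's side, the same capture gives away the poisoner: a genuine host only answers LLMNR queries for its own name, while the Kali box answers for every name nobody else claims. The following detector is an added example (not part of the original post or of Responder); it assumes tshark field output in the column order ip.src, dns.flags.response, dns.qry.name, dns.a and runs here on a constructed sample modelled on the lab addresses above.

```python
"""Flag likely LLMNR poisoners in observed UDP/5355 traffic (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

class LlmnrPacket(NamedTuple):
    src: str            # IP that sent the datagram
    is_response: bool   # False = query to 224.0.0.252, True = unicast answer
    name: str           # name being queried / answered
    answer: str = ""    # IP carried in the answer record (empty for queries)

def parse_tshark_line(line: str) -> LlmnrPacket:
    """Parse one tab-separated tshark '-T fields' line in the assumed order:
    ip.src  dns.flags.response  dns.qry.name  dns.a"""
    src, flag, name, answer = (line.rstrip("\n").split("\t") + [""])[:4]
    return LlmnrPacket(src, flag == "1", name.lower(), answer)

# Constructed sample, not a real capture, modelled on the lab: 192.168.50.150
# asks for the non-existent "cyber-server1" and the Kali box 192.168.50.20
# answers with its own address; it also answers another host's typo, which
# no genuine LLMNR responder would do.
SAMPLE_LINES = [
    "192.168.50.150\t0\tcyber-server1\t",
    "192.168.50.20\t1\tcyber-server1\t192.168.50.20",
    "192.168.50.151\t0\tfileserver-old\t",
    "192.168.50.20\t1\tfileserver-old\t192.168.50.20",
    "192.168.50.150\t0\twin7-lab2\t",
    "192.168.50.160\t1\twin7-lab2\t192.168.50.160",   # host answering for itself
]

def find_poisoners(packets: Iterable[LlmnrPacket],
                   known_hosts: Optional[Dict[str, str]] = None,
                   min_names: int = 2) -> Dict[str, List[str]]:
    """Return {responder_ip: names answered} for suspicious responders.
    Rule 1: one IP answering several distinct names is the Responder pattern.
    Rule 2: with an inventory (name -> expected IP), any disagreeing answer
            is flagged regardless of count."""
    answered: Dict[str, set] = defaultdict(set)
    mismatched: Dict[str, set] = defaultdict(set)
    for p in packets:
        if not p.is_response:
            continue
        answered[p.src].add(p.name)
        if known_hosts is not None and known_hosts.get(p.name) != p.answer:
            mismatched[p.src].add(p.name)
    return {ip: sorted(names) for ip, names in answered.items()
            if len(names) >= min_names or mismatched.get(ip)}

if __name__ == "__main__":
    for ip, names in find_poisoners(map(parse_tshark_line, SAMPLE_LINES)).items():
        print(f"suspect LLMNR responder {ip}: answered for {', '.join(names)}")
```

On the sample this reports only 192.168.50.20; the host that answered for its own name (192.168.50.160) is left alone unless an inventory is supplied that does not list it.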

At this point the Windows 7 machine has been spoofed into communicating with the Kali Linux machine and starts a TCP 3-way handshake with it.

If you would like to learn more about NTLM authentication over SMB, check out Microsoft's article.

Basically, the Windows 7 machine is tricked into negotiating authentication with the Kali Linux box. You can see in packet #120 where the Windows 7 machine forwards its NTLMv2 authentication hash to the Kali Linux machine, thinking that it can authenticate it and log it in.

Next you can see how this looks on the attacker side. The picture below shows the Kali Linux machine running Responder and sending a "poisoned response" to the Windows 7 machine.

You can see how Responder sits listening for those LLMNR broadcast packets. Once it intercepts one, it poisons the response back to the client, spoofing it into believing that the Kali Linux machine is the right server.

Above you can see that the username for that domain account, "Cyber550\tony.romo", and the password hash were collected. Responder then writes the hash to a .txt file, as pictured below.

The next order of business was to run the hashed password file through a password cracker like John the Ripper.

The command I used to run this crack with a custom word list was the following:

john --wordlist=/usr/share/wordlists/realman_phill.txt <.txt file>

For those of you who want a great word list, check out CrackStation. That is the word list I used in this example:
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

After about 1 minute and 30 seconds, John was able to crack my password hash using the custom word list. "Football!" turns out to be the password for user "tony.romo".

Well, I hope this walkthrough helps to educate you on the process of spoofing and exploiting a Windows machine's user credentials using the LLMNR protocol. For the sake of the lab experiment I used a weak password. If you capture a password hash in practice, cracking it can take much longer depending on the complexity of the user account's password. Thanks for reading and feel free to leave comments.