Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
LLMNR, NBT-NS, and mDNS:
Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
Responder can be used to impersonate services by sending forged responses to hosts querying these protocols.
Further information on service impersonation using Responder can be found here.
WPAD allows browsers to discover proxy settings automatically.
Discovery is facilitated via DHCP, DNS, or fallback to LLMNR and NBT-NS if DNS fails.
Responder can automate WPAD attacks, directing clients to malicious WPAD servers.
Responder is a tool used for poisoning LLMNR, NBT-NS, and mDNS queries, selectively responding based on query types, primarily targeting SMB services.
It comes pre-installed in Kali Linux, configurable at /etc/responder/Responder.conf.
Responder displays captured hashes on the screen and saves them in the /usr/share/responder/logs directory.
It supports both IPv4 and IPv6.
Windows version of Responder is available here.
To run Responder with default settings: responder -I <Interface>
For more aggressive probing (with potential side effects): responder -I <Interface> -P -r -v
Techniques to capture NTLMv1 challenges/responses for easier cracking: responder -I <Interface> --lm --disable-ess
WPAD impersonation can be activated with: responder -I <Interface> --wpad
NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up: responder.py -I <interface> -Pv
Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
It requires precise knowledge of the target network's configuration.
Running the attack: ./Responder.py -I eth0 -Pdv
This method can effectively capture NTLMv1/2 hashes, but it requires careful handling to avoid network disruption.
Responder will impersonate services using the above-mentioned protocols, capturing credentials (usually NTLMv2 Challenge/Response) when a user attempts to authenticate against the spoofed services.
Attempts can be made to downgrade to NetNTLMv1 or disable ESS for easier credential cracking.
It's crucial to note that employing these techniques should be done legally and ethically, ensuring proper authorization and avoiding disruption or unauthorized access.
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with Inveigh and InveighZero as the main versions. Detailed parameters and instructions can be found in the wiki.
Inveigh can be operated through PowerShell:
Or executed as a C# binary:
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include:
The authenticating user must have Local Admin access on the relayed host.
SMB signing should be disabled.
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like PortBender help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading.
PortBender setup and operation in Cobalt Strike:
Metasploit: Set up with proxies, local and remote host details.
smbrelayx: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
MultiRelay: A tool from the Responder suite to relay specific users or all users, execute commands, or dump hashes.
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
MultiRelay is executed from the /usr/share/responder/tools directory, targeting specific IPs or users.
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
In Windows you may be able to force some privileged accounts to authenticate to arbitrary machines. Read the following page to learn how:
Force NTLM Privileged AuthenticationLearn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
