Tuesday 2 February 2021

LLMNR Poisoning to Shell access

What is LLMNR?

LLMNR is an acronym for "Link-Local Multicast Name Resolution". LLMNR works roughly the same way as DNS does, except that LLMNR is used for resolving computer names to IP addresses on the local network. It is basically DNS for SMB/file shares. An example of LLMNR at work would be a user requesting a share from a computer on their network. The user manually enters the address into the folder URL bar and, if the computer does not have the IP-to-computer-name mapping cached, LLMNR sends a multicast over the network asking for the name of the computer that the address belongs to.

How can this be exploited?

The attack itself is quite simple. The attacker positions themselves on the network and listens for any LLMNR requests. When a user enters the address of a computer that does not exist on the network, LLMNR takes over and sends a multicast over the network asking if anyone knows the computer name for the requested address. The attacker hears the request, jumps in and says, "Yes! I know that address. Send me your hash and I will pass it along for you." The victim's machine then sends the attacker the user's hash, which we crack offline and then use to log in to the network with the stolen credentials.
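Because a poisoner answers queries for names that exist on no host, the same behaviour can be turned against it: a defender periodically multicasts an LLMNR query for a made-up "canary" name and alerts on any host that answers. The script below is an added example (not part of the original post or of Responder) that builds such a canary query in LLMNR's DNS-style wire format, parses replies, and reports the answering IP; the canary name, transaction ID and the sample reply are constructed here.

```python
import struct

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A query (DNS wire format; LLMNR goes to 224.0.0.252:5355)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0 -> query, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN

def _read_name(pkt: bytes, off: int):
    # Decode a DNS-style name at `off`; return (name, offset after it).
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0:                                   # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length

def parse_llmnr_response(pkt: bytes):
    """Return (txid, [(name, ipv4), ...]) for a response, or None for a query."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                                  # QR bit clear -> a query
        return None
    off = 12
    for _ in range(qdcount):                                # skip echoed question(s)
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                       # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return txid, answers

def poisoner_detected(canary: str, txid: int, pkt: bytes) -> list:
    """The canary name exists on no host, so any answer for it comes from a poisoner."""
    parsed = parse_llmnr_response(pkt)
    if parsed is None or parsed[0] != txid:
        return []
    return [ip for name, ip in parsed[1] if name.lower() == canary.lower()]

# Constructed sample: the kind of reply a poisoner sends to the canary query above.
CANARY, TXID = "fileshare-canary-7f3a", 0x1234
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8000, 1, 1, 0, 0)
                   + build_llmnr_query(CANARY, TXID)[12:]            # echoed question
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 0, 66]))
```

In a live detector, `build_llmnr_query` output is sent from a UDP socket to 224.0.0.252:5355 and each datagram received within a second or two is fed to `poisoner_detected`; a non-empty result identifies the responding host to investigate.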

The Attack

Setting up the attack is very simple. A tool called "Responder" can be used to listen for LLMNR requests and reply to them.

You can download Responder from:
https://github.com/SpiderLabs/Responder.git

Run it with the following command (substituting your correct network interface):

sudo responder -I eth0 -rdwv


As you can see, Responder is now poisoning LLMNR and listening for any requests.

The Windows 10 user requests a share over the network.


Responder captures the user's hash.

Cracking the hash

Now that we have the user's hash we can crack it in hashcat. Even though we know this hash is an NTLM hash, a great tool to confirm and check the hash type of unknown hashes is 'hashid'. Its -m switch also tells us which hashcat mode to use.


Using the famous rockyou.txt wordlist I was able to crack the hash in less than a second on my Windows machine.


Gaining Shell access

Now that we have a user's credentials we can try to log in to the domain network using Impacket's psexec tool. Seeing that the user ecartman is a domain admin, we are able to log in to the domain controller with SYSTEM access.
