LLMNR, NBT-NS and WPAD
When a Windows client fails to resolve a name via DNS it falls back to LLMNR and NBT-NS by broadcasting the username and the NTLMv2 password hash on the local subnet. This is ripe for harvesting with a utility called Responder. WPAD is also vulnerable to Responder when a Browser is set to 'Automatically Detect Proxy Setting'.
Of course, this calls for demo of the attacks, a little John the Ripper to liberate the password and then how to configure the system correctly.
The attacking machine is Kali Linux.
Responder needs to be downloaded from github and installed.
The target is a virtualised Windows Domain with Windows 7/10 clients.
From Kali open a shell and type responder -h for the help.
Type the responder -I eth0 -wrf and sit back and wait for someone, to type in the wrong UNC path, lets hope its an admin.
To test Responder logon to the Windows client and type in a wrong UNC path.
Back in the Kali shell, if LLMNR is broadcasting from the client the following activity will be shown.
Responder logs all its activity, browse or cd to
/usr/share/responder/logs
Its the 'SMB-NTLMv2-SSP-10.1.1.106.txt' that we're interested in.
Open the file and you are likely to see repeat captures of the account name and NTLM v2 password hash.
The account and NTLM v2 password hash have been captured and for this demo the password was previously added to the wordlists. Wordlists and rainbow tables can be downloaded from the internet or generated with Crunch or the hash can be passed to Hashcat for cracking. This is a demo and its going to remain simply....for now.
The wordlists are stored at /usr/share/wordlists and 'rockyou.txt' is the wordlist choice of day.
Close down Responder and then type:
john /usr/share/responder/SMB-NTLMv2-SSP-10.1.1.106.txt --wordlist:/usr/share/wordlists/rockyou.txt
Predictably the password was revealed in seconds. Don't forget this is a weak password and it's in the wordlist of well-known passwords. Passwords in the wordlist or rainbow table would take significantly longer to crack and are likely to require GPU rig of some sort.
To prevent LLMNR disable 'Turn on Responder (RSPNDR)' in GPO and\or blocking 5355 UDP and TCP for both Incoming and Outgoing.
To prevent NBT-NS set the DHCP MS Windows 2000 Option '001 Microsoft Disable Netbios Option' 0x2.
To configure from within Windows, set 'disable NetBios over TCP/IP'.
Equally setting denying UDP port 137 firewall will do the trick.
A little disappointed that I'm unable to show the WPAD being hacked. It failed to display an authentication box when trying to connect to the Internet from a browser. The user kindly types in their username and password and it's relayed in the clear to Responder.
The command is 'responder -I eth0 -wbF
The client is vulnerable when the 'Automatically detect settings' is checked without a proxy server being available on the network.
To protect against this attack simply create a DNS record called WPAD, the IP does not require and endpoint or an active response.