Relays
NetNTLM authentication used by SMB
Server Message Block
The Server Message Block (SMB) protocol allows clients to communicate with a server (for example, a file share). On networks that use Active Directory, SMB governs everything from file sharing between hosts to remote administration.
The security of earlier versions of the SMB protocol was insufficient. Organisations often do not enforce the use of the more recent versions, because legacy systems do not support them.
Exploiting NetNTLM authentication with SMB:
- NTLM challenges can be intercepted and cracked offline.
- We can use a rogue device to stage a Man-in-the-Middle attack, relaying the SMB authentication between the client and the server, which provides us with an active authenticated session and access to the target server.
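A relay succeeds because the server cannot tell that the authentication passed through a third host unless it requires the SMB messages to be signed; the relay never obtains the session key, so it cannot produce valid signatures. The following is an added example, not code from the original notes or from any tool mentioned on the page: it parses the SecurityMode field of an SMB2 NEGOTIATE response and reports whether the server requires signing. The packet bytes are constructed inside the script rather than captured; the field offsets and flag values follow the SMB2 header and NEGOTIATE response layouts from the Microsoft [MS-SMB2] specification.

```python
import struct

# SMB2 constants from [MS-SMB2]: header magic, NEGOTIATE command, response flag,
# and the SecurityMode bits carried in the NEGOTIATE response body.
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def build_negotiate_response(security_mode, dialect):
    """Construct a minimal SMB2 NEGOTIATE response (a constructed sample, not a capture)."""
    # 64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status, Command,
    # CreditResponse, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    # NEGOTIATE response body: StructureSize (65), SecurityMode, DialectRevision,
    # Reserved, ServerGuid, Capabilities, MaxTransact/Read/Write, times, buffer fields
    body = struct.pack("<HHHH16sIIIIQQHHI",
                       65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


def parse_negotiate_response(data):
    """Return dialect and signing flags from an SMB2 NEGOTIATE response."""
    if len(data) < 70 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    _, hdr_size, _, _, command, _, flags = struct.unpack_from("<4sHHIHHI", data, 0)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return {
        "dialect": DIALECTS.get(dialect, "0x%04x" % dialect),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def relay_verdict(info):
    """Translate the signing flags into what they mean for a relayed session."""
    if info["signing_required"]:
        return "signing required: a relayed session cannot be signed, so the server rejects it"
    if info["signing_enabled"]:
        return "signing only enabled: an unsigned relayed session is still accepted"
    return "signing disabled: relayed authentication is accepted as-is"


if __name__ == "__main__":
    for mode in (0, SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode, 0x0311))
        print(info["dialect"], "->", relay_verdict(info))
```

On a real network the same parser can be pointed at the NEGOTIATE response captured from a server during a scan of file servers and domain controllers; any server reporting "signing only enabled" or "signing disabled" is one to which NTLM relay remains possible.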
LLMNR - NBT-NS - WPAD
Responder allows us to perform Man-in-the-Middle attacks by poisoning the responses during NetNTLM authentication, tricking the client into talking to us instead of the server it actually wanted to connect to.
On a LAN, Responder will attempt to poison: Link-Local Multicast Name Resolution (LLMNR) - NetBIOS Name Server (NBT-NS) - Web Proxy Auto-Discovery (WPAD)
- [LLMNR - NBT-NS] - Name resolution services that Windows machines use to identify host addresses on a network when DNS resolution fails.
- [WPAD] - Made to find a proxy for future HTTP(S) connections (locate and interface with caching services on the network so that information can be delivered to the user more quickly).
These protocols rely on requests broadcast on the local network, so a rogue device also receives them. Usually such requests would simply be dropped, since they were not meant for our host. Responder instead actively listens for the requests and sends poisoned responses telling the requesting host that our IP is associated with the requested hostname.
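The same broadcast behaviour that makes poisoning possible also makes it detectable: a host that answers an LLMNR query for a name which no legitimate machine carries can only be a poisoner. The following is an added example, not from the original notes or from the Responder project, of that detection logic. It parses LLMNR messages on UDP 5355 (LLMNR uses the DNS wire format, per RFC 4795) and raises an alert for any response to a constructed canary name. The host names, addresses and datagrams are constructed inside the script; NBT-NS uses a different encoding and is not covered here.

```python
import struct
import ipaddress

LLMNR_PORT = 5355          # LLMNR runs over UDP 5355 (multicast 224.0.0.252)
FLAG_QR = 0x8000           # header flag set on responses
TYPE_A, CLASS_IN = 1, 1

# Constructed canary names: no real host on the network carries them, so any
# LLMNR answer for one of them can only come from a poisoner.
CANARY_NAMES = {"srv-canary-01", "fileshare-typo"}


def encode_name(name):
    """Encode a hostname as DNS/LLMNR length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels at offset, following a compression pointer if present."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from(">H", data, offset)[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """Constructed LLMNR A query: header, then one question."""
    return (struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN))


def build_response(txid, name, ip):
    """Constructed LLMNR response answering 'name' with 'ip' (answer name is a pointer to the question)."""
    hdr = struct.pack(">HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    answer = (b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 30, 4)
              + ipaddress.IPv4Address(ip).packed)
    return hdr + question + answer


def parse_llmnr(payload):
    """Parse an LLMNR datagram into id, direction, question names and A answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", payload, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = decode_name(payload, off)
        off += 4                                  # skip QTYPE and QCLASS
        questions.append(name.lower())
    for _ in range(ancount):
        name, off = decode_name(payload, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", payload, off)
        off += 10                                 # TYPE, CLASS, TTL, RDLENGTH
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name.lower(), str(ipaddress.IPv4Address(rdata))))
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def detect_poisoning(datagrams):
    """datagrams: iterable of (src_ip, payload) seen on UDP/5355. Returns alert dicts."""
    alerts = []
    for src, payload in datagrams:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            continue
        for name, ip in msg["answers"]:
            if name in CANARY_NAMES:
                alerts.append({"poisoner": src, "name": name, "claimed_ip": ip, "id": msg["id"]})
    return alerts


# Constructed sample traffic: one ordinary exchange and one answer for a canary
# name from a host that should never reply to it.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5",  build_query(0x1234, "fileserver")),
    ("10.0.0.9",  build_response(0x1234, "fileserver", "10.0.0.9")),
    ("10.0.0.5",  build_query(0x4242, "SRV-CANARY-01")),
    ("10.0.0.66", build_response(0x4242, "SRV-CANARY-01", "10.0.0.66")),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_DATAGRAMS):
        print("LLMNR poisoning from %(poisoner)s: claims %(name)s is %(claimed_ip)s" % alert)
```

In practice the canary queries are sent periodically from a monitoring host and the detector is fed from a capture on UDP 5355; the alert gives the poisoner's address directly, since it must reveal itself to be useful. The long-term mitigation is to turn LLMNR and NBT-NS off through Group Policy so that there is nothing left to poison.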