Responder for Purple Teams BSides Cleveland 2016 Kevin Gennuso


Page 1: Responder for Purple Teams - Event Schedule & …schd.ws/hosted_files/bsidescle16/79/Responder for Purple...HTML injection EXE interception/replacement BSides Cleveland 2016 Kevin

Responder for Purple Teams

BSides Cleveland 2016 Kevin Gennuso

Page 2

Responder for Purple Teams

whoami

Why this talk?

Responder Overview

Related Tools

WPAD Attack

Analyze Mode

Defense

Page 3

whoami

Full-Spectrum Cyber Person

Nearly 20 years of this stuff

Advanced Persistent Pittsburgher

3x BSidesCLE speaker (Thanks!)

Page 4

Why this talk?

All teams can learn valuable information from this tool

Attacks/Threats

Misconfigurations

Detection

Page 5

Why this talk?

My own security tool betrayed me!

Page 6

Responder Overview

LLMNR/NBT-NS/mDNS Poisoner

SMB/MSSQL/HTTP/LDAP/FTP/POP3/IMAP/SMTP Authentication Server

WPAD Proxy Server

DHCP Inform Spoofer

OS Fingerprinting

ICMP Relay

Analyze mode

Under active development

Page 7

Poisoner Overview

LLMNR - Link-Local Multicast Name Resolution

Allows name resolution of neighboring computers without a DNS server

Windows Vista through Windows 10

Linux: systemd-resolved

NBT-NS - NetBIOS Name Service

old school Windows, but still enabled by default

mDNS - Multicast DNS

Apple's Bonjour

Printers, cameras, TiVo/Roku

Page 8

Auth Server Overview

SMB - responds & collects cleartext creds and NTLMv1/v2 hashes

MSSQL - looks like SQL Server 2005, collects NTLMv1/v2 hashes

HTTP - looks like IIS, collects cleartext creds and NTLMv1/v2 hashes, serves up wpad.dat

LDAP/FTP/POP3/IMAP/SMTP - cleartext credentials

Page 9

SMB Attack Overview

Victim: “Who is \\SERVR?”

DNS server: “No idea, buddy.”

Victim (LLMNR): “WHO IS \\SERVR??”

Responder: “That’s me. Here’s my challenge.”

Victim: “Cool, here’s my NTLMv1/2 response. Let’s party!”

Page 10

Related Tools

Responder for Windows (beta)

Inveigh - PowerShell

Gladius - auto-crack NTLMv1/2 hashes from Responder

Chuckle - auto-SMB pwnage

Finds targets (Nmap), generates payload (Veil-evasion), intercepts SMB connections & delivers payload (Responder, SMBrelay), shell (Metasploit)

Page 11

Responder WPAD Proxy

Responds to LLMNR/NBT-NS requests for the name WPAD

Listens on TCP 3141 (Responder’s default proxy port; the PAC it serves points browsers at an ISA-style proxy name on that port)

Grabs cookies and authentication data

HTML injection

EXE interception/replacement

Page 12

WPAD Attack

Well-known by pentesters; new to US-CERT

Default IE config (“Automatically detect settings”) = instant MiTM

“BadTunnel”: MS16-077 (CVE-2016-3213, CVE-2016-3236)

(Diagram labels: US-CERT, Pentest community)

Page 13

WPAD Attack Overview

Victim: “Who is WPAD?”

DNS server: “No idea, buddy.”

Victim (LLMNR): “WHO IS WPAD??”

Responder: “That’s me. Here’s my wpad.dat.”

Victim: “Cool, here’s all of the traffic from my browser. Let’s party!”

Attacker has MiTM.

Page 14

Analyze Mode

Let’s see what could be owned. Or rather: which systems are eager to authenticate to anything that answers a name query.

Inventory/CMDB

Patch management

Software deployment

Network Access Control (NAC)
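The LLMNR exchange in the two dialogues above (slides 9 and 13) and the passive inventory that Analyze mode builds (slide 14), as one added Python example that is not code from the talk or from Responder itself. LLMNR reuses the DNS wire format on UDP 5355 to 224.0.0.252; the transaction IDs, host names and addresses below are constructed, and `analyze()` only builds replies when an attacker IP is given, which is the difference between `-A` and poisoning.

```python
"""LLMNR query / poisoned-answer exchange plus an "analyze mode" inventory.

Added example; not from the talk and not Responder's code. LLMNR (RFC 4795)
reuses the DNS message layout. Sample packets below are constructed.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group for LLMNR
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
FLAG_RESPONSE = 0x8000        # QR bit in the DNS-style flags word


def encode_name(name):
    """Host name -> DNS labels, e.g. 'SERVR' -> b'\\x05SERVR\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels at offset (LLMNR does not use compression pointers)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, name, qtype=QTYPE_A):
    """What a Windows host multicasts after DNS said 'no idea': one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data):
    """Return the question in an LLMNR query, or None if this is not a query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & FLAG_RESPONSE or qdcount != 1:
        return None
    name, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_answer(query, attacker_ip, ttl=30):
    """The poisoner's 'That's me': same txid, QR set, question echoed,
    one A record pointing at attacker_ip, whatever name was asked for."""
    header = struct.pack("!HHHHHH", query["txid"], FLAG_RESPONSE, 1, 1, 0, 0)
    qname = encode_name(query["name"])
    question = qname + struct.pack("!HH", query["qtype"], QCLASS_IN)
    rdata = socket.inet_aton(attacker_ip)
    answer = qname + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer(data):
    """Decode the single A record in an answer (what the victim then connects to)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_RESPONSE or ancount != 1:
        return None
    _, off = decode_name(data, 12)
    off += 4                                   # skip QTYPE/QCLASS of the echoed question
    name, off = decode_name(data, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    return {"txid": txid, "name": name, "ttl": ttl,
            "ip": socket.inet_ntoa(data[off:off + rdlen])}


def analyze(captured, attacker_ip=None):
    """Analyze mode: inventory (source, name) pairs without answering.
    With attacker_ip set, also build the poisoned answer for each query."""
    inventory, replies = [], []
    for src, packet in captured:
        q = parse_query(packet)
        if q is None:
            continue
        inventory.append((src, q["name"]))
        if attacker_ip:
            replies.append((src, build_poisoned_answer(q, attacker_ip)))
    return inventory, replies


# Constructed sample: three hosts that fell through to LLMNR (hypothetical names/IPs).
CAPTURED = [
    ("10.0.0.23", build_query(0x1A2B, "SERVR")),      # mistyped \\SERVER
    ("10.0.0.41", build_query(0x0C0D, "wpad")),       # browser auto-proxy discovery
    ("10.0.0.77", build_query(0x7E01, "fileshare")),  # stale drive mapping
]

if __name__ == "__main__":
    inventory, _ = analyze(CAPTURED)
    for src, name in inventory:
        print(f"{src} asked LLMNR for {name!r}")
    _, replies = analyze(CAPTURED, attacker_ip="10.0.0.99")
    print(parse_answer(replies[0][1]))
```

Every query in the inventory is a host that would have accepted the poisoned answer; that list, not the replies, is what a purple team takes away from Analyze mode.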

Page 15

NAC NAC Joke

Responder: “NAC NAC!”

NAC: “Who’s there?”

Responder: “Some really weird box.”

NAC: “Some really weird box who? Actually, never mind, here’s the username and NTLMv1 hash for a Domain Admin.”

Page 16

NAC NAC Joke

Connected Kali box with Responder in Analyze mode

30 seconds later, received DA username and NTLMv1 response

Page 17

PEAK FAIL

A system meant to detect and mitigate rogue devices is sending DA credentials to rogue devices.

Built per vendor’s docs with professional services support

No mention of NTLMv1 in docs

Responder on Linux looks nothing like a Windows domain member.

So why would you ever do that?

Page 18

HAPPINESS DENIED

Page 19

Use Analyze Mode!

Your security/inventory/asset management tools can betray you

Your endpoints might be misconfigured

Your network might allow ICMP relaying

Ain’t just for pentests

Page 20

Analyze @BSidesCleveland

Page 21

Detecting Responder

Tell-tale Nmap fingerprint

Can be changed in packets.py

Tell-tale wpad.dat

Also customizable

But only valid WPAD servers should be serving this file

Any endpoint listening on many of these ports at once is suspect

Page 22

Nmap Fingerprint

nmap -A -sS -sU -p T:21,25,80,110,139,389,445,587,3141,U:53,137,138,389 <target>

(The port list is a single argument, so no space before U:; SYN and UDP scans need root.)

Page 24

Responder wpad.dat

wget http://responder.host/wpad.dat (or just read the PAC template in Responder.conf)
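Detection logic for the fingerprint and wpad.dat checks on slides 21 through 24, as an added Python example that is not the talk’s or Responder’s code: it parses nmap grepable (-oG) output, scores each host against the port set in the deck’s nmap line, and flags PAC bodies that look like Responder’s. The scan lines and PAC bodies are constructed; the 3141 indicator is the proxy port the talk names, and the host-name indicators RespProxySrv and ISAProxySrv are an assumption based on the stock Responder.conf PAC, so adjust them if the instance you are hunting was customized.

```python
"""Responder detection: nmap port-set fingerprint and wpad.dat indicators.

Added example for the detection slides; not code from the talk or Responder.
Scan lines and PAC bodies below are constructed. Indicator strings are
assumptions (3141 from the talk; RespProxySrv/ISAProxySrv from the stock PAC).
"""
import re

# Port set from the talk's nmap line (389/udp kept as listed there).
RESPONDER_TCP = {21, 25, 80, 110, 139, 389, 445, 587, 3141}
RESPONDER_UDP = {53, 137, 138, 389}

PAC_INDICATORS = {
    "proxy_on_3141": re.compile(r"""PROXY\s+[^\s;'"]+:3141""", re.I),
    "responder_hostnames": re.compile(r"RespProxySrv|ISAProxySrv"),
}


def parse_grepable(text):
    """nmap -oG lines -> {ip: {"tcp": {open ports}, "udp": {open ports}}}."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if not m:
            continue
        entry = hosts.setdefault(m.group(1), {"tcp": set(), "udp": set()})
        for item in m.group(2).split(","):
            fields = item.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state in ("open", "open|filtered") and proto in entry:
                entry[proto].add(int(port))
    return hosts


def responder_score(open_tcp, open_udp):
    """Fraction of Responder's listener set open on one host. A file server shows
    139/445 and a mail relay 25/587, but only a poisoner shows FTP, SMTP, POP3,
    LDAP, SMB and 3141 together on one box."""
    hits = len(open_tcp & RESPONDER_TCP) + len(open_udp & RESPONDER_UDP)
    return hits / (len(RESPONDER_TCP) + len(RESPONDER_UDP))


def suspect_hosts(hosts, threshold=0.6):
    """IPs whose open-port profile matches most of Responder's listeners."""
    return sorted(ip for ip, p in hosts.items()
                  if responder_score(p["tcp"], p["udp"]) >= threshold)


def pac_indicators(pac_text):
    """Indicator names matched in a wpad.dat body."""
    return sorted(name for name, rx in PAC_INDICATORS.items() if rx.search(pac_text))


def rogue_wpad_servers(served, legit_hosts):
    """served: {ip: wpad.dat body or None}. Only the designated WPAD host should
    serve the file at all; a Responder-looking PAC is flagged wherever it comes from."""
    findings = {}
    for ip, body in served.items():
        if body is None:
            continue
        hits = pac_indicators(body)
        if ip not in legit_hosts:
            hits.append("unexpected_wpad_server")
        if hits:
            findings[ip] = hits
    return findings


# Constructed nmap -oG output (hypothetical hosts): a normal file server and a poisoner.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.0.0.5 (fs01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "137/open/udp//netbios-ns///\n"
    "Host: 10.0.0.99 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, "
    "445/open/tcp//microsoft-ds///, 587/open/tcp//submission///, 3141/open/tcp/////, "
    "53/open|filtered/udp//domain///, 137/open|filtered/udp//netbios-ns///, "
    "138/open|filtered/udp//netbios-dgm///\n"
)

# Constructed PAC bodies: one Responder-style, one ordinary corporate PAC, one host serving none.
SAMPLE_PACS = {
    "10.0.0.99": "function FindProxyForURL(url, host){ return 'PROXY ISAProxySrv:3141; DIRECT'; }",
    "10.0.0.10": "function FindProxyForURL(url, host){ return 'PROXY proxy.corp.example:8080'; }",
    "10.0.0.5": None,
}

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for ip, ports in scan.items():
        print(f"{ip}: responder score {responder_score(ports['tcp'], ports['udp']):.2f}")
    print("suspect:", suspect_hosts(scan))
    print("rogue wpad:", rogue_wpad_servers(SAMPLE_PACS, legit_hosts={"10.0.0.10"}))
```

Both checks are cheap enough to run on a schedule from a scanner box: the port-set score survives an attacker who edits the PAC, and the PAC check survives one who trims the listener set in Responder.conf.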

Page 25

Responder Defense

Disable “zeroconf” protocols (LLMNR, NBT-NS, mDNS)

Handy in your house, dangerous in the enterprise.

Disable WPAD

Set explicit proxies if needed

Add a WPAD entry in DNS

Scan for Responder instances

No one but your designated WPAD host should ever serve wpad.dat

Require SMB signing (legacy pain, but it defeats SMB relay)

Monitor and segment your networks

Page 26

Disable LLMNR

gpedit.msc

Computer Policy —> Computer Configuration —> Administrative Templates —> Network —> DNS Client —> “Turn Off Multicast Name Resolution” —> “Enabled”

Registry: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient, "EnableMulticast" DWORD 0

Source: Stern Security

Page 28

Disable NetBIOS-NS

On a single machine: Network Interface Settings —> TCP/IPv4 —> Advanced —> WINS —> Disable NetBIOS over TCP/IP (NetBT is IPv4-only, so there is no IPv6 equivalent to set)

Via DHCP: Scope Options —> Microsoft Windows 2000 Options —> Option 001 (Microsoft Disable Netbios Option) —> Data Entry = “0x2”

Source: Stern Security

Page 29

Disable WPAD

On a single machine: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad —> WpadOverride=1

Disable service: WinHttpAutoProxySvc

Via GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\

Via DHCP: Option 252 —> String Entry = “http://path/to/wpad.dat” (clients try DHCP before DNS and before LLMNR/NBT-NS, so a trusted PAC URL here pre-empts the poisoner)
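A purple-team check for the settings on slides 26, 28 and 29, as an added Python example that is not from the talk: it parses `reg query` output for the DNSClient, NetBT interface, WPAD and WinHttpAutoProxySvc keys and reports which mitigations are actually in effect on a host, which is the question Analyze mode keeps answering the hard way. The sample output and interface GUIDs are constructed; the per-interface NetbiosOptions value (2 = NetBIOS over TCP/IP disabled) and the service Start value (4 = disabled) are not on the slides and are stated here as assumptions.

```python
r"""Audit LLMNR / NetBIOS / WPAD hardening from `reg query` output.

Added example, not from the talk. Feed it the text printed by commands such as
  reg query "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast
The sample below is constructed (hypothetical interface GUIDs). Assumed meanings:
EnableMulticast 0 = LLMNR off; NetbiosOptions 2 = NetBIOS over TCP/IP off on that
interface; WpadOverride 1 = WPAD off for that user; Start 4 = service disabled.
"""
import re

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(\w+)\s+(.*?)\s*$")

DNSCLIENT_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient"
WPAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
AUTOPROXY_SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc"
NETBT_IFACE_MARK = r"\Services\NetBT\Parameters\Interfaces\Tcpip_"   # one subkey per NIC (assumption)


def parse_reg_query(text):
    """`reg query` output -> {key_path: {value_name: int (DWORD) or str}}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, kind, data = m.groups()
            result[current][name] = int(data, 16) if kind == "DWORD" else data
    return result


def audit(reg):
    """Which of the talk's mitigations are actually in effect; missing keys count as not set."""
    ifaces = [v for k, v in reg.items() if NETBT_IFACE_MARK in k]
    return {
        "llmnr_disabled": reg.get(DNSCLIENT_KEY, {}).get("EnableMulticast") == 0,
        "netbios_disabled_all_interfaces":
            bool(ifaces) and all(v.get("NetbiosOptions") == 2 for v in ifaces),
        "wpad_disabled_for_user": reg.get(WPAD_KEY, {}).get("WpadOverride") == 1,
        "winhttp_autoproxy_service_disabled": reg.get(AUTOPROXY_SVC_KEY, {}).get("Start") == 4,
    }


# Constructed `reg query` output: LLMNR off, NetBIOS off on one NIC but not the other,
# WPAD overridden for this user, but the auto-proxy service still set to manual start (0x3).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
    EnableMulticast    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}
    NetbiosOptions    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66666666-7777-8888-9999-000000000000}
    NetbiosOptions    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    WpadOverride    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
    Start    REG_DWORD    0x3
"""

if __name__ == "__main__":
    for check, ok in audit(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The interface loop is the part that matters in practice: DHCP option 001 and the WINS tab act per adapter, so a laptop with a docking-station NIC that was added after the hardening pass still answers NBT-NS on that NIC.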

Page 30

Disable WPAD

Create an internal and external DNS entry for wpad.domain.com

But first, allow your Windows DNS servers to answer for that name: “wpad” is in the global query block list by default

https://technet.microsoft.com/en-us/library/cc995158.aspx

Page 31

QUESTIONS?

Page 32

More Info

https://github.com/SpiderLabs/Responder

https://github.com/praetorian-inc/gladius

https://github.com/Kevin-Robertson/Inveigh

https://github.com/nccgroup/chuckle

https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

https://www.nccgroup.trust/globalassets/resources/uk/premium-downloads/whitepapers/local-network-compromise-despite-good-patchingpdf/

Thanks!

@kevvyg