Responder for Purple Teams
BSides Cleveland 2016 Kevin Gennuso
whoami
Why this talk?
Responder Overview
Related Tools
WPAD Attack
Analyze Mode
Defense
whoami
Full-Spectrum Cyber Person
Nearly 20 years of this stuff
Advanced Persistent Pittsburgher
3x BSidesCLE speaker (Thanks!)
Why this talk?
All teams can learn valuable information from this tool
Attacks/Threats
Misconfigurations
Detection
Why this talk?
My own security tool betrayed me!
Responder Overview
LLMNR/NBT-NS/mDNS Poisoner
SMB/MSSQL/HTTP/LDAP/FTP/POP3/IMAP/SMTP Authentication Server
WPAD Proxy Server
DHCP Inform Spoofer
OS Fingerprinting
ICMP Relay
Analyze mode
Under active development
Poisoner Overview
LLMNR - Link-Local Multicast Name Resolution
Allows name resolution of neighboring computers without a DNS server
Windows Vista through Windows 10
Linux: systemd-resolved
NBT-NS - NetBIOS Name Service
old school Windows, but still enabled by default
mDNS - Multicast DNS
Apple's Bonjour
Printers, cameras, TiVo/Roku
Auth Server Overview
SMB - responds & collects cleartext creds and NTLMv1/v2 hashes
MSSQL - looks like SQL Server 2005, collects NTLMv1/v2 hashes
HTTP - looks like IIS, collects cleartext creds and NTLMv1/v2 hashes, serves up wpad.dat
LDAP/FTP/POP3/IMAP/SMTP - cleartext credentials
SMB Attack Overview
Victim to DNS: “Who is \\SERVR?”
DNS: “No idea, buddy.”
Victim, LLMNR multicast: “WHO IS \\SERVR??”
Responder: “That’s me. Here’s my challenge.”
Victim: “Cool, here’s my NTLMv1/2 response. Let’s party!”
Responder now holds both the challenge and the NTLMv1/2 response, ready to crack or relay.
Related Tools
Responder for Windows (beta)
Inveigh - PowerShell
Gladius - auto-crack NTLMv1/2 hashes from Responder
Chuckle - auto-SMB pwnage
Finds targets (Nmap), generates payload (Veil-evasion), intercepts SMB connections & delivers payload (Responder, SMBrelay), shell (Metasploit)
Responder WPAD Proxy
Responds to broadcast requests for WPAD servers
Listens on TCP 3141, the port its wpad.dat sends clients to (“PROXY ISAProxySrv:3141”)
Grabs cookies and authentication data
HTML injection
EXE interception/replacement
WPAD Attack
Well-known by pentesters; new to US-CERT
Default IE config = Instant MiTM
“BadTunnel” MS16-077 (CVE-2016-3213, CVE-2016-3236)
WPAD Attack Overview
Victim to DNS: “Who is WPAD?”
DNS: “No idea, buddy.”
Victim, LLMNR multicast: “WHO IS WPAD??”
Responder: “That’s me. Here’s my wpad.dat”
Victim: “Cool, here’s all of the traffic from my browser. Let’s party!”
Attacker has MiTM
Analyze Mode
Let’s see what could be owned, or rather, which systems are eager to authenticate to anything that answers
Inventory/CMDB
Patch management
Software deployment
Network Access Control (NAC)
NAC NAC Joke
Responder: “NAC NAC!”
NAC: “Who’s there?”
Responder: “Some really weird box.”
NAC: “Some really weird box who? Actually, never mind, here’s the username and NTLMv1 hash for a Domain Admin.”
NAC NAC Joke
Connected Kali box with Responder in Analyze mode
30 seconds later, received DA username and NTLMv1 response
PEAK FAIL
A system meant to detect and mitigate rogue devices is sending DA credentials to rogue devices.
Built per vendor’s docs with professional services support
No mention of NTLMv1 in docs
Responder on Linux looks nothing like a Windows domain member.
So why would you ever do that?
HAPPINESS DENIED
Use Analyze Mode!
Your security/inventory/asset management tools can betray you
Your endpoints might be misconfigured
Your network might allow ICMP relaying
Ain’t just for pentests
Analyze mode @BSidesCleveland
Detecting Responder
Tell-tale Nmap fingerprint
Can be changed in packets.py
Tell-tale wpad.dat
Also customizable
But only valid WPAD servers should be serving this file
Any endpoint listening on many of these ports at once is suspect
Nmap Fingerprint
nmap -A -sS -sU -p T:21,25,80,110,139,389,445,587,3141,U:53,137,138,389 <host>
(the poisoner also has to sit on UDP 5355 for LLMNR and UDP 5353 for mDNS, which this port list omits)
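The LLMNR exchange behind the SMB and WPAD slides above, plus the behavioural check a practitioner would run alongside the Nmap scan, as an added Python example (not code from the deck or from Responder): the A query a victim multicasts, the poisoned answer a Responder-style tool sends back, a parser for the reply, and a probe that asks the LLMNR group for a name that cannot exist, so that any answer at all identifies a poisoner. The packet layout is RFC 4795's DNS-style format; the TTL of 30, the canary-name prefix and the addresses used in the test are constructed.

```python
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000        # QR bit of the DNS-style header


def encode_name(name: str) -> bytes:
    """Encode a host name as length-prefixed labels: "SERVR" -> b"\\x05SERVR\\x00"."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int, depth: int = 0):
    """Decode labels at offset (compression pointers followed). Returns (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if depth > 4:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr, depth + 1)
            return ".".join(labels + [tail]), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int) -> bytes:
    """Victim side: the A query a Windows client multicasts after DNS says "no idea"."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_reply(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Poisoner side: "that's me" for whatever name was asked, pointing at attacker_ip."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                         # echo the question section verbatim
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"                         # name = pointer to the question name at 12
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_reply(data: bytes):
    """Return (txid, queried name, [IPv4 answers]); ValueError if not an LLMNR response."""
    if len(data) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_RESPONSE:
        raise ValueError("QR bit clear: a query, not a response")
    offset, qname, answers = 12, "", []
    for _ in range(qdcount):
        qname, offset = decode_name(data, offset)
        offset += 4                               # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return txid, qname, answers


def reply_matches(query: bytes, reply: bytes) -> bool:
    """True when reply is a positive answer to exactly this query (same ID and name)."""
    try:
        txid, qname, answers = parse_reply(reply)
    except (ValueError, IndexError, struct.error):
        return False
    qtxid = struct.unpack("!H", query[:2])[0]
    wanted, _ = decode_name(query, 12)
    return txid == qtxid and qname.lower() == wanted.lower() and bool(answers)


def canary_probe(timeout: float = 2.0):
    """Detection: query a name that cannot exist. A clean segment stays silent; every
    (source, answers) pair returned came from a poisoner. Needs a live network."""
    name = "nx-" + "".join(random.choice("abcdefghjkmnpqrstuvwxyz") for _ in range(12))
    query = build_query(name, random.randrange(1, 0xFFFF))
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src, _) = sock.recvfrom(2048)
            except socket.timeout:
                break
            if reply_matches(query, data):
                hits.append((src, parse_reply(data)[2]))
    return hits


if __name__ == "__main__":
    for src, ips in canary_probe():
        print(f"LLMNR poisoner at {src} claimed the canary name, answering {ips}")
```

Run canary_probe() from a box on the segment under test. Because the name is random, no real host can legitimately own it, so a hit is not a false positive from a chatty printer, and unlike the Nmap fingerprint this check keeps working when packets.py has been customised, since it keys on behaviour rather than banners. It covers LLMNR only; NBT-NS (UDP 137) and mDNS (UDP 5353) need their own probes.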
Responder wpad.dat
wget http://responder.host/wpad.dat (or just read Responder.conf)
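An added check for a fetched wpad.dat (example code, not from the deck or from Responder): it pulls every proxy target a PAC can return and flags any that is not one of your approved proxies, any single-label name (clients resolve those over the same LLMNR/NBT-NS channels a poisoner answers) and the 3141 port the deck cites. Both PAC samples are constructed, as are the hostnames and the allowlist; since the slide notes the script is customisable, the port is only a hint and the allowlist is the real test.

```python
import re
from urllib.request import urlopen

# Constructed samples. SUSPECT_PAC has the shape the deck describes: a catch-all that hands
# every URL to a single-label proxy name on TCP 3141. LEGIT_PAC names real corporate proxies.
SUSPECT_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || host == "localhost") return "DIRECT";
    return 'PROXY ISAProxySrv:3141; DIRECT';
}"""

LEGIT_PAC = """function FindProxyForURL(url, host) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
    return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080; DIRECT";
}"""

# The proxy keywords a PAC return string may carry: PROXY/HTTPS/SOCKS/SOCKS5 host[:port].
PROXY_RE = re.compile(r"\b(PROXY|HTTPS|SOCKS5?)\s+([A-Za-z0-9_.\-]+)(?::(\d{1,5}))?", re.I)


def fetch_pac(url: str, timeout: float = 5.0) -> str:
    """Fetch a PAC the way the slide's wget does (e.g. http://responder.host/wpad.dat)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def proxy_targets(pac: str):
    """Every (host, port) the PAC can hand back, by scanning return strings; no JS is run."""
    found = {(host.lower(), int(port) if port else None)
             for _, host, port in PROXY_RE.findall(pac)}
    return sorted(found, key=str)


def audit_pac(pac: str, allowed_proxies, suspicious_ports=(3141,)):
    """One finding per reason this PAC should not be trusted; empty list means it looks sane."""
    allowed = {h.lower() for h in allowed_proxies}
    findings = []
    if "FindProxyForURL" not in pac:
        findings.append("no FindProxyForURL function: not a PAC file at all")
    for host, port in proxy_targets(pac):
        target = host if port is None else f"{host}:{port}"
        if host not in allowed:
            findings.append(f"proxy {target} is not one of the approved proxies")
        if "." not in host:
            findings.append(f"proxy {target} is a single-label name, so clients resolve it "
                            "over LLMNR/NBT-NS, the channels a poisoner answers")
        if port in suspicious_ports:
            findings.append(f"proxy {target} uses port {port}, the deck's Responder proxy port")
    return findings


if __name__ == "__main__":
    import sys
    pac = fetch_pac(sys.argv[1]) if len(sys.argv) > 1 else SUSPECT_PAC
    for finding in audit_pac(pac, ["proxy1.corp.example", "proxy2.corp.example"]):
        print(finding)
```

Run it against the wpad.dat the slide's wget pulls down; with no argument it audits the constructed suspect sample. Pair it with the earlier rule that only your designated WPAD server should be serving the file at all: a clean PAC from an unexpected host is still a finding.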
Responder Defense
Disable “zeroconf” protocols
Handy in your house, dangerous in the enterprise.
Disable WPAD
Set explicit proxies if needed
Add a WPAD entry in DNS
Scan for Responder instances
Nothing but your designated WPAD server should ever serve wpad.dat
SMB Signing (legacy pain)
Monitor and segment your networks
Disable LLMNR
gpedit.msc
Computer Policy —> Computer Configuration —> Administrative Templates —> Network —> DNS Client —> “Turn Off Multicast Name Resolution” —> “Enabled”
Registry: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient, "EnableMulticast" DWORD 0
Source: Stern Security
Disable NetBIOS-NS
On a single machine: Network Interface Settings —> Internet Protocol Version 4 (TCP/IPv4) —> Advanced —> WINS —> Disable NetBIOS over TCP/IP
Via DHCP: Scope Options —> Microsoft Windows 2000 Options —> Option 001 —> Data Entry = “0x2”
Source: Stern Security
Disable WPAD
On a single machine: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad —> WpadOverride=1
Disable service: WinHttpAutoProxySvc
Via GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\
Via DHCP: Option 252 —> String Entry = “http://path/to/wpad.dat”
Disable WPAD
Create an internal and external DNS entry for wpad.domain.com
But first, allow your Windows DNS servers to let you do that
https://technet.microsoft.com/en-us/library/cc995158.aspx
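An added audit for the three endpoint-side mitigations above, written as a Python example (not code from the deck): it reads the registry values the slides set (EnableMulticast under the DNSClient policy key, WpadOverride under Internet Settings\Wpad) plus two values the slides reach through the GUI rather than the registry, which are this example's assumptions: WinHttpAutoProxySvc Start=4 for a service set to Disabled, and the per-adapter NetBT NetbiosOptions=2 that the WINS tab's "Disable NetBIOS over TCP/IP" (and DHCP option 001 = 0x2) results in. Registry access is passed in as two callables so the same audit runs against a constructed snapshot offline and against winreg on a real Windows box; the interface GUID in the snapshots is made up.

```python
"""Audit the deck's Responder mitigations on a Windows endpoint by reading the registry."""
from typing import Callable, Dict, List, Optional, Tuple

HKLM, HKCU = "HKLM", "HKCU"
DNSCLIENT = r"Software\Policies\Microsoft\Windows NT\DNSClient"
WPAD = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
AUTOPROXY_SVC = r"SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc"
NETBT_IFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"

ValueReader = Callable[[str, str, str], Optional[int]]   # (hive, path, name) -> value or None
SubkeyReader = Callable[[str, str], List[str]]            # (hive, path) -> child key names


def audit(value: ValueReader, subkeys: SubkeyReader) -> List[str]:
    """Return one finding per mitigation that is not in place; empty list means hardened."""
    findings = []
    v = value(HKLM, DNSCLIENT, "EnableMulticast")            # deck: DWORD 0 turns LLMNR off
    if v != 0:
        findings.append(f"LLMNR enabled: EnableMulticast={v!r}, expected 0")
    v = value(HKCU, WPAD, "WpadOverride")                   # deck: 1 disables WPAD for this user
    if v != 1:
        findings.append(f"WPAD auto-detect on: WpadOverride={v!r}, expected 1")
    v = value(HKLM, AUTOPROXY_SVC, "Start")                  # assumption: Start=4 means Disabled
    if v != 4:
        findings.append(f"WinHttpAutoProxySvc not disabled: Start={v!r}, expected 4")
    for iface in subkeys(HKLM, NETBT_IFACES):                # assumption: NetbiosOptions=2 per adapter
        v = value(HKLM, NETBT_IFACES + "\\" + iface, "NetbiosOptions")
        if v != 2:
            findings.append(f"NetBIOS over TCP/IP on for {iface}: NetbiosOptions={v!r}, expected 2")
    return findings


def dict_readers(values: Dict[Tuple[str, str, str], int],
                 children: Dict[Tuple[str, str], List[str]]):
    """Readers over an in-memory snapshot, for tests or for auditing exported hives offline."""
    return (lambda hive, path, name: values.get((hive, path, name)),
            lambda hive, path: children.get((hive, path), []))


def winreg_readers():
    """Readers over the live registry (Windows only)."""
    import winreg
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def value(hive, path, name):
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:                                      # key or value absent
            return None

    def subkeys(hive, path):
        names = []
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                while True:
                    names.append(winreg.EnumKey(key, len(names)))
        except OSError:                                      # end of enumeration or key absent
            pass
        return names

    return value, subkeys


# Constructed snapshots: one box hardened per the deck, one left at factory defaults.
IFACE = "Tcpip_{1D6B5A2C-0000-4F11-9C3E-000000000001}"      # made-up adapter GUID
HARDENED = dict_readers(
    {(HKLM, DNSCLIENT, "EnableMulticast"): 0, (HKCU, WPAD, "WpadOverride"): 1,
     (HKLM, AUTOPROXY_SVC, "Start"): 4,
     (HKLM, NETBT_IFACES + "\\" + IFACE, "NetbiosOptions"): 2},
    {(HKLM, NETBT_IFACES): [IFACE]})
DEFAULT = dict_readers(
    {(HKLM, AUTOPROXY_SVC, "Start"): 3,
     (HKLM, NETBT_IFACES + "\\" + IFACE, "NetbiosOptions"): 0},
    {(HKLM, NETBT_IFACES): [IFACE]})

if __name__ == "__main__":
    for finding in audit(*winreg_readers()) or ["all Responder mitigations in place"]:
        print(finding)
```

The HKCU check only speaks for the user running the script, so run it in the context of the accounts that actually browse; the HKLM checks are machine-wide. Run it after the GPO or DHCP changes have propagated: a NetbiosOptions that is still 0 on an adapter means the DHCP option has not been applied there yet.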
QUESTIONS?
More Info
https://github.com/SpiderLabs/Responder
https://github.com/praetorian-inc/gladius
https://github.com/Kevin-Robertson/Inveigh
https://github.com/nccgroup/chuckle
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://www.nccgroup.trust/globalassets/resources/uk/premium-downloads/whitepapers/local-network-compromise-despite-good-patchingpdf/
Thanks!
@kevvyg