Hijacking Attacks
In a hijacking attack, an attacker impersonates a legitimate system by answering service requests such as name resolution. This can be done with Machine-In-The-Middle (MITM) techniques or simply by observing requests on the network and sending fake responses. A key tactic is to exploit weak protocols like Link-Local Multicast Name Resolution (LLMNR), trick victims into believing they are connecting to a real server, and capture their authentication credentials.
The image shows an attack example in which a victim sends a multicast LLMNR message onto the network asking for "sevrer01", a typo that will not resolve through DNS. All workstations see the request but do not reply. The attacker responds, claiming to be "sevrer01" and supplying its own IP address. The victim then connects to the attacker and sends an authentication request carrying its password hash, which the attacker can use to crack the password.
This vulnerability isn't just in LLMNR; it's also in mDNS and other name resolution protocols that don't have authentication. The tool Responder can exploit this. In networks with many Windows 10 clients, an attacker can use Responder to respond to LLMNR requests and pretend to be a Windows SMB server. When a victim tries to connect to this fake server, their credentials are sent to the attacker, who can then crack the passwords.
Next, we'll see how an attacker can use Responder to exploit the LLMNR protocol. We'll use Linux for this example, but Responder can also run on Windows with Responder-Windows by Laurent Gaffie.
To start Responder, run the Responder.py script as root. Use the -I option to set the target interface. You can also use the -i option with another attacker's IP address to get SMB requests from a different subnet or outside the network.
When a user asks for a service but doesn't get a response to the hostname, Responder will send back the attacker's IP address. This tricks the user into connecting to the attacker's service, which may reveal NTLMv2 authentication hashes. The NTLMv2 hash from this attack is based on the victim's password but isn't the same as the actual password hash. However, it's still useful for password cracking tools like Hashcat or John the Ripper, as we’ll demonstrate in the lab.
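Because every host on the link sees the multicast query and nothing in LLMNR authenticates the reply, the poisoning described above leaves a signature that a defender can look for: one host answering for names that do not exist, or answering for many different names. The following Python is an added example, not code from the original page or from the Responder project. It parses LLMNR datagrams in their DNS-style wire format and applies those two checks over a small capture that is constructed inline; the transaction IDs and the addresses 10.10.0.20 and 10.10.0.99 are assumptions for illustration, while 10.10.0.1 and the name hellooo504 are taken from the lab text below.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

LLMNR_PORT = 5355  # LLMNR runs over UDP 5355 (RFC 4795); used when collecting real datagrams


@dataclass
class LlmnrMessage:
    txid: int
    is_response: bool
    names: list      # names in the question section (lower-cased)
    answers: list    # (name, ipv4) for A records in the answer section


def _read_name(buf, offset):
    """Decode a DNS-style label sequence starting at offset.

    Returns (name, offset_after_name). Handles one level of 0xC0 compression pointers,
    which is what an LLMNR answer uses to refer back to the question name."""
    labels = []
    while True:
        length = buf[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            name, _ = _read_name(buf, pointer)
            return (".".join(labels + [name]) if labels else name), offset + 2
        offset += 1
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_llmnr(payload):
    """Parse one LLMNR datagram (same header and record layout as DNS)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    names = []
    for _ in range(qdcount):
        name, offset = _read_name(payload, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name.lower())
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: RDATA is a 4-byte IPv4 address
            answers.append((name.lower(), ".".join(str(b) for b in rdata)))
    return LlmnrMessage(txid, bool(flags & 0x8000), names, answers)


def find_poisoners(packets, canary_names=(), threshold=2):
    """Return {responder_ip: [reasons]} for hosts whose LLMNR replies look like poisoning.

    packets is an iterable of (src_ip, dst_ip, udp_payload). A legitimate host answers
    only for its own name; answering a canary name (one you know no host uses) or for
    `threshold` or more distinct names is reported."""
    answered = defaultdict(set)
    findings = defaultdict(list)
    for src, _dst, payload in packets:
        try:
            msg = parse_llmnr(payload)
        except (struct.error, IndexError):
            continue  # truncated or malformed datagram: skip rather than crash the monitor
        if not msg.is_response:
            continue
        for name, ip in msg.answers:
            answered[src].add(name)
            if name in canary_names:
                findings[src].append(f"answered canary name {name!r} with {ip}")
    for src, names in answered.items():
        if len(names) >= threshold:
            findings[src].append(f"answered {len(names)} distinct names: {sorted(names)}")
    return dict(findings)


# Constructed capture (not real traffic): header | question | optional A-record answer.
_HDR_Q = b"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # flags=query, QDCOUNT=1
_HDR_R = b"\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # flags=response, QDCOUNT=1, ANCOUNT=1
_A_IN = b"\x00\x01\x00\x01"                             # QTYPE=A, QCLASS=IN
_ANS_PREFIX = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"  # ptr to name, A, IN, TTL 30, len 4

SAMPLE_CAPTURE = [
    ("10.10.0.1", "224.0.0.252", b"\x12\x34" + _HDR_Q + b"\x08sevrer01\x00" + _A_IN),
    ("10.10.0.99", "10.10.0.1", b"\x12\x34" + _HDR_R + b"\x08sevrer01\x00" + _A_IN
                                + _ANS_PREFIX + b"\x0a\x0a\x00\x63"),          # 10.10.0.99
    ("10.10.0.1", "224.0.0.252", b"\x56\x78" + _HDR_Q + b"\x0ahellooo504\x00" + _A_IN),
    ("10.10.0.99", "10.10.0.1", b"\x56\x78" + _HDR_R + b"\x0ahellooo504\x00" + _A_IN
                                + _ANS_PREFIX + b"\x0a\x0a\x00\x63"),          # 10.10.0.99
    ("10.10.0.1", "224.0.0.252", b"\x9a\xbc" + _HDR_Q + b"\x07printer\x00" + _A_IN),
    ("10.10.0.20", "10.10.0.1", b"\x9a\xbc" + _HDR_R + b"\x07printer\x00" + _A_IN
                                + _ANS_PREFIX + b"\x0a\x0a\x00\x14"),          # 10.10.0.20, its own name
    ("10.10.0.5", "224.0.0.252", b"\x00\x01"),                                  # truncated datagram
]

if __name__ == "__main__":
    for host, reasons in find_poisoners(SAMPLE_CAPTURE, canary_names=("hellooo504",)).items():
        print(host, "->", "; ".join(reasons))
```

In this capture 10.10.0.99 answers for both the typo name and the canary, so it is reported twice, while 10.10.0.20 answers once for its own name and is left alone. To use it on a real segment, feed `find_poisoners` the UDP payloads collected on port 5355 from a monitoring host and choose canary names that no real machine on the network uses; the same parser applies to mDNS on UDP 5353, which shares the DNS record layout.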
To protect against Responder and LLMNR attacks, turn off LLMNR on servers and workstations. It used to help small groups use names without a DNS server, but it’s not needed much anymore.
You can turn off LLMNR using Group Policy by going to Computer Configuration | Administrative Templates | Network | DNS Client and enabling "Turn off multicast name resolution." You can also disable it with the Local Policy Editor or by editing the registry.
Disabling multicast name resolution with Group Policy does not turn off Windows support for multicast DNS (mDNS), so attackers can still interfere with name resolution on the LAN. While LLMNR is often not needed, mDNS is commonly used for services such as finding printers and connecting devices like wireless displays and speakers. Microsoft suggests using a Windows Defender firewall policy to block incoming mDNS traffic, but be careful, as it might disrupt other system features.
Broadcast name resolution can allow attackers to manipulate clients. The biggest risk is when an attacker pretends to be an SMB server, stealing the victim's username and password hash because SMB lacks strong security. To reduce this risk, upgrade to SMB 3.1.1 or later using group policy.
In this lab, we will use both our Slingshot Linux VM and the Windows 10 VM.
First, let’s check the connection between Linux and Windows.
Let's go to the /opt/responder directory, then run Responder with sudo and the specified options.
Let's go back to our Windows VM, then open File Explorer and type a fake server name (like \\hellooo504) in the location bar to try to access it.
I tried to connect to \\hellooo504, but a pop-up said my system can't connect to it.
But it did try. And when it tried, it sent my password hash. Let's go see what that looks like.
Next, let's go back to the Slingshot Linux VM. In the Responder window, we'll see the request and response for the \\hellooo504 system. The victim system replied with its password hash and user ID.
We don't need to copy and paste this info. Responder saves it to a file that's ready for tools like Hashcat to crack.
After stopping the Responder session, we can start cracking passwords with Hashcat. Let's go to the logs directory in /opt/responder/logs.
Start Hashcat and read the password hashes from the file SMB-NTLMv2-SSP-10.10.0.1.txt to find out the hash type.
Hashcat found both NetNTLMv2 and NetNTLMv2 (NT) hash types. We'll use the password list at /usr/share/wordlists/passwords.txt with mode 5600 for a direct attack to crack the NetNTLMv2 hash.