Hijacking Attacks

In a hijacking attack, an attacker pretends to be a legitimate system by responding to service requests, like name resolution. This can involve methods like Machine-In-The-Middle (MITM) attacks or simply observing requests on the network and sending fake responses. A key tactic is to exploit weak protocols like Link-Local Multicast Name Resolution (LLMNR), trick victims into thinking they’re connecting to a real server, and capture their authentication credentials.

The image shows an attack example where a victim sends a multicast LLMNR message on the network asking for "sevrer01," a typo that won't resolve with DNS. All workstations see the request but don't reply. The attacker responds, pretending to be "sevrer01" with their IP. The victim then connects to the attacker and sends an authentication request using their password hash, which the attacker can use to crack the password.

This vulnerability isn't just in LLMNR; it's also in mDNS and other name resolution protocols that don't have authentication. The tool Responder can exploit this. In networks with many Windows 10 clients, an attacker can use Responder to respond to LLMNR requests and pretend to be a Windows SMB server. When a victim tries to connect to this fake server, their credentials are sent to the attacker, who can then crack the passwords.

Responder Starting

sudo /opt/responder/Responder.py -I eth0

Next, we'll see how an attacker can use Responder to exploit the LLMNR protocol. We'll use Linux for this example, but Responder can also run on Windows with Responder-Windows by Laurent Gaffie.

To start Responder, run the Responder.py script as root. Use the -I option to set the target interface. You can also use the -i option with another attacker's IP address to get SMB requests from a different subnet or outside the network.

Responder Capture

[*] [LLMNR] Poisoned answer sent to 172.16.0.248 for name SEC504SERV
[SMB] NTLMv2-SSP Client : 172.16.0.248
[SMB] NTLMv2-SSP Username : WIN-JCBHO1SDACI\User
[SMB] NTLMv2-SSP Hash : User::WIN-
JCBHO1SDACI:1122334455667788:DE6CEE3A26E3E46528E8A23B893A70DA:01010000000000
00CD7DBC110EDCD4013951AEBE249BAD360000000002000A0053004D0042003100320001000A
0053004D0042003100320004000A0053004D0042003100320003000A0053004D004200310032
0005000A0053004D004200310032000800300030000000000000000100000000200000FAFF3B
976F86432304612AE599544B7EFC9A986B69D4BDABAE5C5AEC9AA258160A0010000000000000
000000000000000000000009001E0063006900660073002F0053004500430035003000340053
004500520056000000000000000000
[SMB] Requested Share : \\SEC504SERV\IPC$
[*] [LLMNR] Poisoned answer sent to 172.16.0.248 for name SEC504SERV
[*] Skipping previously captured hash for WIN-JCBHO1SDACI\User
[SMB] Requested Share : \\SEC504SERV\IPC$
[*] [LLMNR] Poisoned answer sent to 172.16.0.248 for name wpad

When a user asks for a service but doesn't get a response to the hostname, Responder will send back the attacker's IP address. This tricks the user into connecting to the attacker's service, which may reveal NTLMv2 authentication hashes. The NTLMv2 hash from this attack is based on the victim's password but isn't the same as the actual password hash. However, it's still useful for password cracking tools like Hashcat or John the Ripper, as we’ll demonstrate in the lab.

Defenses

To protect against Responder and LLMNR attacks, turn off LLMNR on servers and workstations. It used to help small groups use names without a DNS server, but it’s not needed much anymore.

You can turn off LLMNR using Group Policy by going to Computer Configuration | Administrative Templates | Network | DNS Client and enabling "Turn off multicast name resolution." You can also disable it with the Local Policy Editor or by editing the registry.

Disabling multicast name resolution with group policy doesn’t turn off Windows support for multicastDNS (mDNS). This means attackers can still interfere with name resolution on the LAN. While LLMNR is often not needed, mDNS is commonly used for services like finding printers and connecting devices like wireless displays and speakers. Microsoft suggests using a Windows Defender firewall policy to block incoming mDNS traffic, but be careful, as it might disrupt other system features.

Broadcast name resolution can allow attackers to manipulate clients. The biggest risk is when an attacker pretends to be an SMB server, stealing the victim's username and password hash because SMB lacks strong security. To reduce this risk, upgrade to SMB 3.1.1 or later using group policy.

Lab 5.3: Responder Attack

In this lab, we will use both our Slingshot Linux VM and the Windows 10 VM.

First, let’s check the connection between Linux and Windows.

ping -c 2 10.10.0.1

Test-NetConnection 10.10.75.1

Let's go to the /opt/responder directory, then run Responder with sudo and the specified options.

sudo responder -I eth0 -i 10.10.75.1

Let's go back to our Windows VM, then open File Explorer and type a fake server name (like \\hellooo504) in the location bar to try to access it.

I tried to connect to \\hellooo504, but a pop-up said my system can't connect to it.

But it did try. And when it tried, it sent my password hash. Let's go see what that looks like.

Next, let's go back to the Slingshot Linux VM. In the Responder window, we'll see the request and response for the \\hellooo504 system. The victim system replied with its password hash and user ID.

We don't need to copy and paste this info. Responder saves it to a file that's ready for tools like Hashcat to crack.

After stopping the Responder session, we can start cracking passwords with Hashcat. Let's go to the logs directory in /opt/responder/logs.

Start Hashcat and read the password hashes from the file SMB-NTLMv2-SSP-10.10.0.1.txt to find out the hash type.

hashcat --identify SMB-NTLMv2-SSP-10.10.0.1.txt

Hashcat found both NetNTLMv2 and NetNTLMv2 (NT) hash types. We'll use the password list at /usr/share/wordlists/passwords.txt with mode 5600 for a direct attack to crack the NetNTLMv2 hash.

hashcat -a 0 -m 5600 SMB-NTLMv2-SSP-10.10.0.1.txt  /usr/share/wordlists/passwords.txt