The document discusses two common internal network attacks - LLMNR spoofing and SMB relaying. LLMNR spoofing takes advantage of the unauthenticated nature of LLMNR to respond to name resolution requests as the target machine, allowing collection of password hashes. SMB relaying modifies and relays SMB packets to establish an authenticated connection and execute commands. The document provides demonstrations of these attacks and recommendations for mitigations like disabling vulnerable protocols, network segregation, and password security best practices.

1. Hacking from the Inside
IP Expo Manchester 2019

2. What are we going to cover?
▪ Two common internal network attacks.
▪ Prerequisites are enabled by default.
▪ Performed from an unauthenticated internal perspective.
▪ Allows an attacker to quickly gain a foothold.

3. What is LLMNR / NetBIOS-NS?
Link Local Multicast Name Resolution
NetBIOS-Name Service
Both are used to resolve the IP Addresses of neighbouring computers.

4. LLMNR / NetBIOS-NS
Host A wants to communicate with Host C
Host A Host C

5. LLMNR / NetBIOS-NS
For this to happen Host A needs to know
Host C’s IP Address
Host A Host C

6. LLMNR / NetBIOS-NS
First its local host file and then its local
DNS Cache will be checked.

7. LLMNR / NetBIOS-NS
If this fails, It will then ask the DNS Server.

8. LLMNR / NetBIOS-NS
If this fails, the machine will instead
attempt to use LLMNR.

9. LLMNR / NetBIOS-NS
Which will send a multicast request out to the network.
Are you the host I’m looking for?

10. LLMNR Spoofing
▪ This process is unauthenticated and broadcasted to the whole
network.
▪ Therefore, any machine on the network can respond and claim to
be the target machine.

11. LLMNR Spoofing
▪ A classic that still works today, due to low awareness.
▪ Enabled by default in Windows.
▪ Vulnerability assessment tools flag it as Informational

12. LLMNR Spoofing
The attacker will simply respond to these requests, pretending
(spoof) to be the requested machine!
I’m the host you are looking for.

13. LLMNR Spoofing
The victim machine will then send their password hash (Net-NTLMv2)
Here is my password hash!
64f12cddaa88057e06a81b54e73b949b

14. A quick word on hashes
▪ When you choose a password, it isn’t stored in the same way you
type it, it’s stored as a “hash”.
▪ This is a one-way function – you can get the output from the
input but you can’t get the input from the output.
▪ However, we can attempt hashing potential passwords and
seeing if one then matches.

15. Password Cracking
▪ Attempts can be in the tens of millions per second!
▪ There are even online services that have already hashed
common passwords for you.

16. Passwords Cracking
Password1
8846f7eaee8fb117ad06bdd830b7586c password
64f12cddaa88057e06a81b54e73b949b Password1
7a21990fcd3d759941e45c490f143d5f 12345
a174546f10272f8948a85839c2af2123 Password88
07fed1cc574723d76b5218d8810a9d35 February19
e19ccf75ee54e06b06a5907af13cef42 P@ssw0rd
c4b0e1b10c7ce2c4723b4e2407ef81a2 Password3
3edc4ede6a1f61126580ae6770a6d0de Qwerty321
MATCH
64f12cddaa88057e06a81b54e73b949b
64f12cddaa88057e06a81b54e73b949b

17. Demo

18. LLMNR/NBT-NS Summary
▪ Enabled by default in Windows.
▪ Cracking obtained hashes is dependent on the complexity of the passwords.
▪ Typically we leave this running in the background while we’re working other
attack vectors.
▪ It’s unlikely to fail, but if it does then we’re not out of options…

19. Service Message Block (SMB) Signing
▪ SMB is a protocol used for accessing shared resources; folders
and printers.
▪ SMB Signing is a feature designed to confirm the authenticity of
SMB packets and to prevent tampering and “man in the middle
(MiTM) attacks”
▪ Signing is disabled by default and only enabled on domain
controllers.

20. SMB Relaying
▪ Exploits this weakness by modifying and relaying SMB packets between
a client and server in order to establish an authenticated connection.
▪ Not a new issue; it was first documented in 2001.
▪ Is still relevant today; even on a fully patched Windows network.

21. SMB - NTLM Challenge/Response
Can I have Access?
Encrypt this with your Password Hash
Here you go
Access Granted

22. SMB Relay Attack Overview
Can I have access?
Encryptthis (X) with your PW
hash
Here is the encrypted
challenge
ACCESS GRANTED!
Can I have access?
Encryptthis (X) with your PW
hash
Here is the encrypted
challenge
ACCESS DENIED!
Executethis command!

23. Demo

24. LLMNR/NBT-NS Mitigations
▪ Disable LLMNR and NBT-NS
▪ Implement network segregation (i.e. VLANs)
▪ Use limited user accounts (Principle of least privilege)
▪ Check your organisation’s password policy (mininum length,
complexity, etc)

25. SMB Relay Mitigations
▪ Enable SMB signing on all devices where possible.
▪ Please note this can have a performance impact.

26. Next Steps
Infrastructure Testing
The principal aim of infrastructure testing is to highlight where vulnerabilities exist in
computer systems that could provide unauthorised access or serve as an entry point
into private areas of the network and to sensitive data.
Infrastructure testing applies in manyareas including internal, perimeter, and cloud. It also applies
to many technology areas from PCs and laptops to smart phones and Wi-Fi networking. From a
hacker’s perspective each area represents anopportunity to attack, opportunities that canbe
minimised by reviewing your security in the same way you would your buildings or physical assets.
Infrastructure testing canbe deployed as astand-alone exercise to provide
acomprehensive view of the vulnerabilities andassociated exploits or canbe used
as an element in awider simulated attack including web application, social engineering andphysical
access assessments.
Contactus on 01924 284240, or info@sec-1.com,
for a free scoping exercise and quote.

27. WebApplication Testing
Available to hackers 24x7 and brim-full of data, web applications present
a tempting target for hackers. Our penetration testing relies on the manual
exploitation of vulnerabilities so you get the assessment of business risk
that only an expert tester can provide. Wecombine this with the use of the
best automated tools. All assessments are followed by a comprehensive
report, with both non-technical and technical descriptions, alongside
recommendations for remediation.
Weprovide visibility of risks including:
• Unauthorised access past authentication controls to escalate privileges
• Introduction of malicious code
• Manipulation of the application’s function
• Defacing of the website or causing disruption
• Gaining access to the hosting infrastructure
Contactus on 01924 284240, or info@sec-1.com, for a
free scopingexercise and quote.
Next Steps

28. Social Engineering
Assessments
Social Engineering is becoming one of the most effective means of gaining access to
secure systems and sensitive information. What is more, the attacker requires little to
no technical knowledge. Preventing an attack of this nature requires a very different set
of defences to traditional cyber security defences.
Raising employee awareness
Your best defensive strategy against social engineering is to raise employee awareness and to
educate on good practices. A social engineering assessment from Claranet Cyber Security allows
you to see how susceptible your staff might bewhen presented with anattempt byan attacker to
trick them. The results of social engineering assessments can be used to direct training, create data
handling guidelines and security policies.
Typical social engineering engagements include:
• Phishing & spear phishing campaigns - tricking users via email
• Physical entry - gaining unauthorised access to buildings
• Baiting - tempting users into plugging in USB drives...
• Staff impersonation - in order to obtain information or access remotely
Contactus on 01924 284240, or
info@sec-1.com,for a free scoping
exerciseand quote.
Next Steps

29. Claranet CyberSecuritycontinually invests in hiring the mostexperienced, highlytrained teams
in the industry.Acorepartof deliveringthe bestserviceis ourcommitmentto being fully
accredited across allthe majorstandardsinITsecurity. These include:
Our accreditations

30. For more information
aboutour all our Cyber
SecurityServices please call:
01924 284 240
Or email: info@sec-1.com