The document discusses two common internal network attacks - LLMNR spoofing and SMB relaying. LLMNR spoofing takes advantage of the unauthenticated nature of LLMNR to respond to name resolution requests as the target machine, allowing collection of password hashes. SMB relaying modifies and relays SMB packets to establish an authenticated connection and execute commands. The document provides demonstrations of these attacks and recommendations for mitigations like disabling vulnerable protocols, network segregation, and password security best practices.
2. What are we going to cover?
▪ Two common internal network attacks.
▪ Prerequisites are enabled by default.
▪ Performed from an unauthenticated internal perspective.
▪ Allows an attacker to quickly gain a foothold.
3. What is LLMNR / NetBIOS-NS?
Link Local Multicast Name Resolution
NetBIOS-Name Service
Both are used to resolve the IP Addresses of neighbouring computers.
9. LLMNR / NetBIOS-NS
The requesting host sends a multicast request out to the network:
Are you the host I’m looking for?
10. LLMNR Spoofing
▪ This process is unauthenticated and broadcast to the whole network.
▪ Therefore, any machine on the network can respond and claim to be the target machine.
11. LLMNR Spoofing
▪ A classic that still works today, due to low awareness.
▪ Enabled by default in Windows.
▪ Vulnerability assessment tools flag it as Informational.
12. LLMNR Spoofing
The attacker simply responds to these requests, pretending (spoofing) to be the requested machine!
I’m the host you are looking for.
13. LLMNR Spoofing
The victim machine then sends its password hash (Net-NTLMv2):
Here is my password hash!
64f12cddaa88057e06a81b54e73b949b
14. A quick word on hashes
▪ When you choose a password, it isn’t stored in the same way you type it; it’s stored as a “hash”.
▪ This is a one-way function – you can get the output from the input but you can’t get the input from the output.
▪ However, we can hash candidate passwords and check whether one of them matches.
15. Password Cracking
▪ Attempts can be in the tens of millions per second!
▪ There are even online services that have already hashed common passwords for you.
18. LLMNR/NBT-NS Summary
▪ Enabled by default in Windows.
▪ Cracking obtained hashes is dependent on the complexity of the passwords.
▪ Typically we leave this running in the background while we’re working other attack vectors.
▪ It’s unlikely to fail, but if it does then we’re not out of options…
19. Server Message Block (SMB) Signing
▪ SMB is a protocol used for accessing shared resources such as folders and printers.
▪ SMB Signing is a feature designed to confirm the authenticity of SMB packets and to prevent tampering and “man in the middle (MiTM)” attacks.
▪ Signing is disabled by default and is only enabled by default on domain controllers.
20. SMB Relaying
▪ Exploits this weakness by modifying and relaying SMB packets between a client and a server in order to establish an authenticated connection.
▪ Not a new issue; it was first documented in 2001.
▪ Still relevant today, even on a fully patched Windows network.
21. SMB - NTLM Challenge/Response
Client: Can I have access?
Server: Encrypt this with your password hash
Client: Here you go
Server: Access granted
22. SMB Relay Attack Overview
Victim → Attacker: Can I have access?
Attacker → Server: Can I have access?
Server → Attacker: Encrypt this (X) with your PW hash
Attacker → Victim: Encrypt this (X) with your PW hash
Victim → Attacker: Here is the encrypted challenge
Attacker → Server: Here is the encrypted challenge
Server → Attacker: ACCESS GRANTED!
Attacker → Victim: ACCESS DENIED!
Attacker → Server: Execute this command!
24. LLMNR/NBT-NS Mitigations
▪ Disable LLMNR and NBT-NS.
▪ Implement network segregation (e.g. VLANs).
▪ Use limited user accounts (principle of least privilege).
▪ Check your organisation’s password policy (minimum length, complexity, etc.).
25. SMB Relay Mitigations
▪ Enable SMB signing on all devices where possible.
▪ Please note this can have a performance impact.
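A read-only audit of the settings the two mitigation slides name (LLMNR, NBT-NS and SMB signing), as an added example that is not part of the original deck. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later, where the SmbShare cmdlets exist, and the standard policy and registry locations for the LLMNR and NetBIOS settings.

```powershell
# Added example, not from the original deck: a read-only audit of the settings
# the two mitigation slides name (LLMNR, NBT-NS, SMB signing) on the local host.
# Assumes an elevated prompt on Windows 8 / Server 2012 or later so that the
# SmbShare cmdlets are available. Nothing here changes configuration.

$findings = @()

# 1. LLMNR. The "Turn off multicast name resolution" policy writes
#    EnableMulticast = 0 here; if the value is absent, LLMNR is on (the default).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
if ($llmnr -and $llmnr.EnableMulticast -eq 0) {
    $findings += [pscustomobject]@{ Check = 'LLMNR'; Status = 'Disabled'; Detail = 'EnableMulticast = 0' }
} else {
    $findings += [pscustomobject]@{ Check = 'LLMNR'; Status = 'ENABLED'; Detail = 'EnableMulticast missing or not 0 (Windows default)' }
}

# 2. NBT-NS is set per interface. NetbiosOptions: 2 = disabled, 1 = enabled,
#    0 = take the setting from DHCP (which normally leaves it enabled).
$nbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $nbtBase) {
    $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    $status = if ($opt -eq 2) { 'Disabled' } else { 'ENABLED' }
    $findings += [pscustomobject]@{ Check = 'NBT-NS'; Status = $status; Detail = "$($iface.PSChildName): NetbiosOptions = $opt" }
}

# 3. SMB signing, server and client side. Only RequireSecuritySignature stops
#    relay: with signing merely "enabled", a peer that does not sign still gets
#    an unsigned session, which is exactly what a relay needs.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
foreach ($side in @(@{ Name = 'SMB server signing'; Cfg = $srv }, @{ Name = 'SMB client signing'; Cfg = $cli })) {
    $status = if ($side.Cfg.RequireSecuritySignature) { 'Required' } else { 'NOT REQUIRED' }
    $findings += [pscustomobject]@{
        Check  = $side.Name
        Status = $status
        Detail = "EnableSecuritySignature=$($side.Cfg.EnableSecuritySignature) RequireSecuritySignature=$($side.Cfg.RequireSecuritySignature)"
    }
}

# Anything still reporting ENABLED / NOT REQUIRED is a spoofing or relay
# opportunity of the kind the slides describe; fix it by Group Policy rather than by hand.
$findings | Format-Table -AutoSize
```

Run it on a sample of workstations and member servers as well as on the domain controllers, since the slides note that signing is only on by default for the latter.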
26. Next Steps
Infrastructure Testing
The principal aim of infrastructure testing is to highlight where vulnerabilities exist in computer systems that could provide unauthorised access or serve as an entry point into private areas of the network and to sensitive data.
Infrastructure testing applies in many areas including internal, perimeter, and cloud. It also applies to many technology areas, from PCs and laptops to smart phones and Wi-Fi networking. From a hacker’s perspective each area represents an opportunity to attack, opportunities that can be minimised by reviewing your security in the same way you would your buildings or physical assets.
Infrastructure testing can be deployed as a stand-alone exercise to provide a comprehensive view of the vulnerabilities and associated exploits, or can be used as an element in a wider simulated attack including web application, social engineering and physical access assessments.
Contact us on 01924 284240, or info@sec-1.com, for a free scoping exercise and quote.
27. Web Application Testing
Available to hackers 24x7 and brim-full of data, web applications present a tempting target for hackers. Our penetration testing relies on the manual exploitation of vulnerabilities so you get the assessment of business risk that only an expert tester can provide. We combine this with the use of the best automated tools. All assessments are followed by a comprehensive report, with both non-technical and technical descriptions, alongside recommendations for remediation.
We provide visibility of risks including:
• Unauthorised access past authentication controls to escalate privileges
• Introduction of malicious code
• Manipulation of the application’s function
• Defacing of the website or causing disruption
• Gaining access to the hosting infrastructure
Contact us on 01924 284240, or info@sec-1.com, for a free scoping exercise and quote.
28. Social Engineering Assessments
Social Engineering is becoming one of the most effective means of gaining access to secure systems and sensitive information. What is more, the attacker requires little to no technical knowledge. Preventing an attack of this nature requires a very different set of defences to traditional cyber security defences.
Raising employee awareness
Your best defensive strategy against social engineering is to raise employee awareness and to educate on good practices. A social engineering assessment from Claranet Cyber Security allows you to see how susceptible your staff might be when presented with an attempt by an attacker to trick them. The results of social engineering assessments can be used to direct training, create data handling guidelines and security policies.
Typical social engineering engagements include:
• Phishing & spear phishing campaigns - tricking users via email
• Physical entry - gaining unauthorised access to buildings
• Baiting - tempting users into plugging in USB drives...
• Staff impersonation - in order to obtain information or access remotely
Contact us on 01924 284240, or info@sec-1.com, for a free scoping exercise and quote.
29. Our accreditations
Claranet Cyber Security continually invests in hiring the most experienced, highly trained teams in the industry. A core part of delivering the best service is our commitment to being fully accredited across all the major standards in IT security. These include: