One of the common attack vectors in penetration testing is an attack known as Broadcast Name Resolution Poisoning. Recently, US-CERT posted an advisory about this attack being used externally: attackers purchased new generic Top-Level Domains (gTLDs) and set up entries for the Web Proxy Auto-Discovery Protocol (WPAD). This is pretty interesting, since it’s an old attack used in a new way. Let’s dive into how Broadcast Name Resolution Poisoning is used during internal penetration testing and go over recommendations for how to fully mitigate all forms of the attack.
Windows, Mac OS X and Linux
An attacker can perform a man-in-the-middle (MiTM) attack against vulnerable systems if they are on the same local network as the victim system (an internal network, a coffee shop, an airport).
An attacker can perform a MiTM attack over the Internet if they can register a new gTLD that conflicts with the organization's internal naming scheme and deploy a fake WPAD proxy there.
There are a few different variants of the attack, but the basic idea is the same. The attacker configures their system to spoof name resolution responses, so that victims connect and authenticate to the attacker instead of the host they were looking for. When a client tries to find a system that doesn't have a valid DNS record, the client falls back to a few lesser-known protocols such as NBNS and LLMNR. The order of operations for how systems are found is the following:
A common name that Windows looks for is WPAD. This is the location from which Windows auto-detects proxy settings for Internet Explorer. When the name WPAD doesn’t exist in DNS, an attacker can stand up a fake server and capture authentication requests. For example, if a user tries to browse to a file share or authenticate to a web portal while the attack is taking place, the domain credentials (or authentication hashes) can be captured. The scary part about this attack is that it works with many different protocols (SMB, HTTP, MSSQL, FTP, etc.).
Sometimes we can capture credentials in cleartext (Basic HTTP, FTP or MSSQL). However, most of the time we capture the credentials in NetNTLMv1 or NetNTLMv2. Since these two formats contain a challenge, an attacker can either crack the credentials or replay them a single time.
The new WPAD attack targets client systems when they are off the internal corporate network (home network, airport or coffee shop). If the attacker owns the gTLD that is used by the organization internally, then the attacker may receive leaked WPAD (or similar) queries. This is less practical for a pentest, but it’s important for organizations to understand the potential risk.
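The fallback described above is what a defender can watch for: on a healthy network nobody answers an LLMNR query for WPAD, so any response to it (or to a canary name the defender queries deliberately) means a poisoner is active. The following is an added example, not code from the original post; it parses LLMNR packets (UDP 5355) and flags such responses. The packet builder, the addresses and the canary name `BRNP-CANARY` are constructed for the example, and the watch list is an assumption.

```python
# Added example, not code from the original post. All packets below are constructed.
import struct

def _read_name(data, off):
    labels = []
    while data[off]:
        if data[off] & 0xC0 == 0xC0:                   # DNS-style compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(data, ptr)[0]]), off + 2
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1                  # skip the terminating zero

def build_llmnr(name, answer_ip=None, txid=0x1234):
    flags = 0x8000 if answer_ip else 0                # QR bit marks a response
    pkt = struct.pack("!6H", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    pkt += b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    pkt += struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    if answer_ip:                                     # answer name = pointer to offset 12
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4)
        pkt += bytes(int(o) for o in answer_ip.split("."))
    return pkt

def parse_llmnr(packet):
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    name, off = _read_name(packet, 12)
    off, ips = off + 4, []                            # skip QTYPE and QCLASS
    for _ in range(an):
        _aname, off = _read_name(packet, off)
        rtype, _rcls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            ips.append(".".join(str(b) for b in packet[off:off + 4]))
        off += rdlen
    return bool(flags & 0x8000), name, ips

def flag_spoofed_responses(packets, watch=("WPAD", "BRNP-CANARY")):
    """Any LLMNR *response* for WPAD or the canary name means a poisoner is live."""
    alerts = []
    for src, pkt in packets:
        is_resp, name, ips = parse_llmnr(pkt)
        if is_resp and name.upper() in watch:
            alerts.append((src, name, ips))
    return alerts

SAMPLE = [("10.0.0.5", build_llmnr("WPAD")),                          # benign query
          ("10.0.0.66", build_llmnr("WPAD", "10.0.0.66")),            # poisoner answers
          ("10.0.0.66", build_llmnr("BRNP-CANARY", "10.0.0.66")),     # canary tripped
          ("10.0.0.7", build_llmnr("FILESRV01"))]                     # benign query
```

Running `flag_spoofed_responses(SAMPLE)` reports the two responses from 10.0.0.66 and nothing for the plain queries; feed it packets captured from the 224.0.0.252 multicast group to use it on a real segment.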
We will demonstrate how easily credentials can be cracked and leveraged to compromise a Windows domain.
WPAD isn’t the only name that client systems try to resolve. This will depend on the configuration of the clients and the network. We will demonstrate this attack using the name of our lab domain which is CORP.
First, we set up an instance of Gladius, which monitors for captured hashes and automatically starts cracking them for us. Once Gladius is running, we fire up Responder and wait for victims to try to authenticate. We see the victim looking up the name CORP; the attacker’s system responds and captures the credentials.
We see that the Administrator user has sent NetNTLMv2 credentials. Gladius automatically picks up these credentials and starts cracking.
As you can see, we have found the Administrator’s password, which was ‘Password1!!’. An external attacker could use compromised credentials to access external email portals or the VPN, but for now we will continue the demonstration in our lab, since we have direct access.
To do this, we use CrackMapExec.
Additionally, we can extract all of the hashes from the domain controller since the Administrator user is a Domain Admin.
The result is a full domain compromise. Defenders should be mindful of this attack; we find it highly effective in penetration testing.
To fully mitigate this attack, Praetorian recommends that organizations take a defense-in-depth approach. Mitigations specific to the new attack vector are highlighted in red below.
This includes implementing the following protections:
Additionally, US-CERT encourages users and network administrators to implement the following recommendations to provide a more secure and efficient network infrastructure: