responder for purple teams - event schedule & …schd.ws/hosted_files/bsidescle16/79/responder...
Responder for Purple Teams
BSides Cleveland 2016 Kevin Gennuso
Responder for Purple Teams
whoami
Why this talk?
Responder Overview
Related Tools
WPAD Attack
Analyze Mode
Defense
whoami
Full-Spectrum Cyber Person
Nearly 20 years of this stuff
Advanced Persistent Pittsburgher
3x BSidesCLE speaker (Thanks!)
Why this talk?
All teams can learn valuable information from this tool
Attacks/Threats
Misconfigurations
Detection
Why this talk?
My own security tool betrayed me!
Responder Overview
LLMNR/NBT-NS/mDNS Poisoner
SMB/MSSQL/HTTP/LDAP/FTP/POP3/IMAP/SMTP Authentication Server
WPAD Proxy Server
DHCP Inform Spoofer
OS Fingerprinting
ICMP Relay
Analyze mode
Under active development
Poisoner Overview
LLMNR - Link-Local Multicast Name Resolution
Allows name resolution of neighboring computers without a DNS server
Windows Vista through Windows 10
Linux systemd-resolved
NBT-NS - NetBIOS Name Service
old school Windows, but still enabled by default
mDNS - Multicast DNS
Apple's Bonjour
Printers, cameras, TiVo/Roku
Auth Server Overview
SMB - responds & collects cleartext creds and NTLMv1/v2 hashes
MSSQL - looks like SQL Server 2005, collects NTLMv1/v2 hashes
HTTP - looks like IIS, collects cleartext creds and NTLMv1/v2 hashes, serves up wpad.dat
LDAP/FTP/POP3/IMAP/SMTP - cleartext credentials
SMB Attack Overview
Client: “Who is \\SERVR?”
DNS server: “No idea, buddy.”
Client, LLMNR: “WHO IS \\SERVR??”
Responder: “That’s me. Here’s my challenge.”
Client: “Cool, here’s my NTLMv1/2 response. Let’s party!”
Related Tools
Responder for Windows (beta)
Inveigh - PowerShell
Gladius - auto-crack NTLMv1/2 hashes from Responder
Chuckle - auto-SMB pwnage
Finds targets (Nmap), generates payload (Veil-evasion), intercepts SMB connections & delivers payload (Responder, SMBrelay), shell (Metasploit)
Responder WPAD Proxy
Responds to broadcast requests for WPAD servers
Listens on standard ISA port (TCP 3141)
Grabs cookies and authentication data
HTML injection
EXE interception/replacement
WPAD Attack
Well-known by pentesters; new to US-CERT
Default IE config = Instant MiTM
“BadTunnel” MS16-077 (CVE-2016-3213, CVE-2016-3236)
(slide image: US-CERT vs. the pentest community)
WPAD Attack Overview
Client: “Who is WPAD?”
DNS server: “No idea, buddy.”
Client, LLMNR: “WHO IS WPAD??”
Responder: “That’s me. Here’s my wpad.dat”
Client: “Cool, here’s all of the traffic from my browser. Let’s party!”
Attacker has MiTM
Analyze Mode
Let’s see what could be owned
Or: systems eager to authenticate
Inventory/CMDB
Patch management
Software deployment
Network Access Control (NAC)
NAC NAC Joke
Responder: “NAC NAC!”
NAC: “Who’s there?”
Responder: “Some really weird box.”
NAC: “Some really weird box who? Actually, never mind, here’s the username and NTLMv1 hash for a Domain Admin.”
NAC NAC Joke
Connected Kali box with Responder in Analyze mode
30 seconds later, received DA username and NTLMv1 response
PEAK FAIL
A system meant to detect and mitigate rogue devices is sending DA credentials to rogue devices.
Built per vendor’s docs with professional services support
No mention of NTLMv1 in docs
Responder on Linux looks nothing like a Windows domain member.
So why would you ever do that?
HAPPINESS DENIED
Use Analyze Mode!
Your security/inventory/asset management tools can betray you
Your endpoints might be misconfigured
Your network might allow ICMP relaying
Ain’t just for pentests
Analyse @BsidesCleveland
Detecting Responder
Tell-tale Nmap fingerprint
Can be changed in packets.py
Tell-tale wpad.dat
Also customizable
But only valid WPAD servers should be serving this file
Any endpoint listening on many of these ports is suspect
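The slide above lists the passive tells of a Responder instance; the quickest active test of the underlying condition (which the "Scan for Responder instances" defense later in the deck also calls for) is a canary query: ask the segment who owns a name that cannot exist, and treat any answer as a poisoner, because nothing legitimate should claim it. The Python below is an added example written for this page, not code from Responder or from the talk. It builds LLMNR and NBT-NS queries by hand, parses whatever replies, and reports who answered. The `probe()` function (the only part that touches the network), the `canary-` naming scheme, the packet-builder and parser names and the sample reply bytes are all this example's own choices.

```python
"""Canary probe for LLMNR / NBT-NS poisoners (added example, not from the talk).
A healthy segment answers a query for a nonexistent name with silence; any host
that claims the name is answering queries it has no business answering.
Packet building and parsing are pure functions so they can be tested offline."""
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355          # RFC 4795 multicast group/port
NBNS_BROADCAST, NBNS_PORT = "255.255.255.255", 137


def canary_name() -> str:
    """A hostname nobody legitimately owns (random, constructed per run)."""
    return "canary-%08x" % random.getrandbits(32)


def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header + one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # flags 0 = standard query
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN


def encode_nbns_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level NetBIOS encoding: 15 space-padded chars plus a suffix byte
    (0x20 = file server service); each nibble is written as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def build_nbns_query(name: str, txid: int = 0x1234) -> bytes:
    """NBT-NS NAME QUERY REQUEST; flags 0x0110 = broadcast, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_nbns_name(name) + b"\x00"
    return header + qname + struct.pack("!HH", 0x20, 1)            # QTYPE NB, QCLASS IN


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a DNS-style name (length-prefixed labels or a 2-byte pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answers(buf: bytes) -> list:
    """IPs asserted in the answer section of an LLMNR or NBT-NS reply.
    Returns [] for anything whose QR bit says it is not a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qdcount):                                       # skip echoed questions
        off = _skip_name(buf, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                              # LLMNR A record
            ips.append(socket.inet_ntoa(rdata))
        elif rtype == 0x20:                                        # NB record: NB_FLAGS(2) + IP(4) entries
            for i in range(0, rdlen - 5, 6):
                ips.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return ips


def probe(name: str, timeout: float = 2.0) -> dict:
    """Send both queries and collect {answering host: [IPs it claimed]}. Network I/O."""
    hits = {}
    txid = random.randint(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        sock.sendto(build_nbns_query(name, txid), (NBNS_BROADCAST, NBNS_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(2048)
                claimed = parse_answers(data)
                if claimed:
                    hits.setdefault(src, []).extend(claimed)
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    name = canary_name()
    found = probe(name)
    if not found:
        print(f"no one answered for {name!r}: nothing is poisoning this segment right now")
    for src, claimed in found.items():
        print(f"POISONER? {src} answered for {name!r} and claimed {claimed}")
```

Run it from a host on the segment you want to check; a hit is worth correlating with the Nmap fingerprint on the next slide, since a poisoner that also listens on the SMB/HTTP/LDAP ports is almost certainly a Responder-class tool rather than a misbehaving device.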
Nmap Fingerprint
nmap -A -sS -sU -p T:21,25,80,110,139,389,445,587,3141,U:53,137,138,389
Responder wpad.dat
wget http://responder.host/wpad.dat (or just read Responder.config)
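Fetching the file is the easy half; the slide before this one makes the point that only a valid WPAD server should ever be serving it, and the defense slides add that any wpad.dat should point only at proxies you actually run. The Python below is an added example, not code from the talk or from Responder: it pulls the proxy directives out of a wpad.dat, checks the serving host and every proxy it names against an allowlist, and flags anything unexpected. The sample PAC text, the addresses, the allowlists and the function names are all constructed for this example.

```python
"""Audit a wpad.dat (PAC file) against what the network is supposed to use.
Added example; the sample PAC, hosts and allowlists are constructed, not real."""
import re
import urllib.request

# PAC return values: "PROXY host:port", "SOCKS host:port", "HTTP host:port", ...
PROXY_DIRECTIVE = re.compile(r"\b(PROXY|SOCKS5?|SOCKS4|HTTPS?)\s+([A-Za-z0-9.\-]+):(\d{1,5})")

# Constructed sample: a PAC that funnels everything through a proxy nobody set up.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || host == "127.0.0.1") return "DIRECT";
    return "PROXY 10.0.0.66:3141; DIRECT";
}
"""

# Placeholder allowlists; replace with your real WPAD host and proxy addresses.
APPROVED_WPAD_HOSTS = {"10.0.0.5"}
APPROVED_PROXIES = {"proxy.corp.example:8080"}


def extract_proxies(pac_text: str) -> set:
    """Every host:port a PAC file could route browser traffic through."""
    return {f"{host}:{port}" for _kind, host, port in PROXY_DIRECTIVE.findall(pac_text)}


def audit_wpad(served_by: str, pac_text: str,
               approved_wpad_hosts: set, approved_proxies: set) -> list:
    """Return (finding-code, detail) pairs; an empty list means the file is clean."""
    findings = []
    if served_by not in approved_wpad_hosts:
        findings.append(("unapproved-wpad-host", served_by))
    for proxy in sorted(extract_proxies(pac_text) - approved_proxies):
        findings.append(("unapproved-proxy", proxy))
    if "FindProxyForURL" not in pac_text:
        findings.append(("not-a-pac", "no FindProxyForURL function"))
    return findings


def fetch_wpad(host: str, timeout: float = 3.0) -> str:
    """Pull http://host/wpad.dat the way the slide's wget does. Network I/O."""
    with urllib.request.urlopen(f"http://{host}/wpad.dat", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.66"      # default: audit the sample
    pac = fetch_wpad(host) if len(sys.argv) > 1 else SAMPLE_PAC
    for code, detail in audit_wpad(host, pac, APPROVED_WPAD_HOSTS, APPROVED_PROXIES) or [("ok", host)]:
        print(code, detail)
```

The allowlist approach deliberately avoids matching on Responder's own default strings: the slide notes the file is customizable, so a check that only recognizes the stock wpad.dat misses a tester or attacker who edited it, while "not the proxy we run" catches every variant.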
Responder Defense
Disable “zeroconf” protocols
Handy in your house, dangerous in the enterprise.
Disable WPAD
Set explicit proxies if needed
Add a WPAD entry in DNS
Scan for Responder instances
No one should ever serve wpad.dat
SMB Signing (legacy pain)
Monitor and segment your networks
Disable LLMNR
gpedit.msc
Computer Policy —> Computer Configuration —> Administrative Templates —> Network —> DNS Client —> “Turn Off Multicast Name Resolution” —> “Enabled”
Registry: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
"EnableMulticast" DWORD 0
Source: Stern Security
Disable NetBIOS-NS
On a single machine: Network Interface Settings —> TCP/IPv4/6 —> Advanced —> WINS —> Disable NetBIOS over TCP/IP
Via DHCP: Scope Options —> Microsoft Windows 2000 Options —> Option 001 —> Data Entry = “0x2”
Source: Stern Security
Disable WPAD
On a single machine: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad —> WpadOverride=1
Disable service: WinHttpAutoProxySvc
Via GPO: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\
Via DHCP: Option 252 —> String Entry = “http://path/to/wpad.dat”
Disable WPAD
Create an internal and external DNS entry for wpad.domain.com
But first, allow your Windows DNS servers to let you do that
https://technet.microsoft.com/en-us/library/cc995158.aspx
QUESTIONS?
More Info
https://github.com/SpiderLabs/Responder
https://github.com/praetorian-inc/gladius
https://github.com/Kevin-Robertson/Inveigh
https://github.com/nccgroup/chuckle
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://www.nccgroup.trust/globalassets/resources/uk/premium-downloads/whitepapers/local-network-compromise-despite-good-patchingpdf/
Thanks!
@kevvyg [email protected]