Man-in-the-Middle attacks & Cyanide

What does Cyanide do?

Cyanide utilizes an opportunistic attack that combines Impacket’s ntlmrelayx.py with poisoners (e.g. Responder) in order to correlate:

  • Who
    • Cyanide will provide information on which user or service account was captured
  • What
    • What method of poisoning was used (LLMNR/NBT-NS/MDNS)?
    • What resource was requested (e.g. SMB share, SQL database, etc.)?
  • Where
    • Where was the credential used?
    • Where was the source?
  • When
    • A date/timestamp of each event will be available:
      • When the host was poisoned
      • When the hash was captured
      • When a relay attack happened
  • Why
    • With the combined data, you will be able to tell why this attack happened and why it was successful.

In other words, Responder poisons a host over LLMNR, and the poisoned host then connects back via whatever protocol the broadcast request was for (e.g. SMB, RDP, MSSQL, etc.).

  • If the protocol is NOT SMB or HTTP, Responder will simply capture the credential and inform Cyanide of the results. Cyanide will then report this data back to core, and an attempt to crack the hash will be made.
  • If the protocol IS SMB or HTTP, the ntlmrelayx SMB and HTTP servers will capture the response from the poisoned host, prompt it to supply credentials, and capture those credentials. They then either save that information to be cracked offline or, if relaying is enabled, use the captured username/hash to attempt to log in to targets that appear to be high value and dump local credentials. This form of relaying credentials only works if the target hosts DO NOT have SMB signing enabled.

At the end of an Operation, if Cyanide was successful in capturing a hash and (if relaying is enabled) relaying it, you will be able to see why this happened. Perhaps you have an old service account on a workstation that is re-using credentials, but the intended network resource no longer exists on the network. This would trigger an LLMNR/NBT-NS event. You will have all of the information needed to find the responsible source: the host the credential was captured from, the protocol it was requesting (e.g. SMB), the username used, and the target service the username and hash were relayed to. Lastly, you can fix the host (applying the appropriate fix action described under the Weakness) and verify the fix by running the same Operation again.
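The who/what/where/when/why correlation described above, as an added example that is not Cyanide's own code: it joins constructed poisoning, capture and relay events from the same source host within a short time window. The event field names are assumptions, not Responder's or Cyanide's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape Cyanide correlates. Field names are
# hypothetical; they are not Cyanide's or Responder's real log schema.
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "kind": "poison", "src": "192.168.0.25",
     "method": "LLMNR", "name": "FILESRV01", "proto": "SMB"},
    {"ts": "2024-05-01T10:00:02", "kind": "capture", "src": "192.168.0.25",
     "user": "CORP\\svc_backup", "proto": "SMB"},
    {"ts": "2024-05-01T10:00:04", "kind": "relay", "src": "192.168.0.25",
     "user": "CORP\\svc_backup", "target": "192.168.0.50", "result": "success"},
    {"ts": "2024-05-01T10:07:00", "kind": "poison", "src": "192.168.0.31",
     "method": "NBT-NS", "name": "OLDPRINT", "proto": "HTTP"},
]


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(events, window_seconds=30):
    """Link each poisoning event to the credential capture and relay that
    followed it from the same source host within the window. Returns one
    who/what/where/when/why record per poisoning event; a stage that never
    happened (e.g. no relay) is reported as None."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events, key=_when)
    records = []
    for p in (e for e in ordered if e["kind"] == "poison"):
        # Only events from the same source host, at or after the poisoning,
        # and inside the window count as part of this chain.
        later = [e for e in ordered if e["src"] == p["src"]
                 and _when(p) <= _when(e) <= _when(p) + window]
        cap = next((e for e in later if e["kind"] == "capture"), None)
        rel = next((e for e in later if e["kind"] == "relay"
                    and e["result"] == "success"), None)
        records.append({
            "who": cap["user"] if cap else None,
            "what": {"method": p["method"], "requested": p["name"],
                     "proto": p["proto"]},
            "where": {"source": p["src"],
                      "relayed_to": rel["target"] if rel else None},
            "when": {"poisoned": p["ts"],
                     "captured": cap["ts"] if cap else None,
                     "relayed": rel["ts"] if rel else None},
            # The "why": the host asked the LAN for a name that DNS did not resolve.
            "why": "%s answered a request for %s that DNS did not resolve"
                   % (p["method"], p["name"]),
        })
    return records
```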

What does Responder do?

Responder is an LLMNR, NBT-NS and MDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer File Server Service requests, which are for SMB. This tool listens on several ports: UDP/137, UDP/138, TCP/389, TCP/1433, UDP/1434, TCP/88, TCP/135, TCP/139, TCP/21, TCP/25, TCP/110, TCP/587, TCP/143, TCP/5985, Multicast UDP/5355 and 5353.

  • Poisoners
    • LLMNR
      • LLMNR stands for Link-Local Multicast Name Resolution. LLMNR is based on the DNS format and enables computers on the same local network to conduct name resolution of other hosts. LLMNR replies are unicast, so only the device that sent the request will see the reply.
      • Server port UDP/5355
    • NBTNS
      • NBT-NS stands for Network Basic Input/Output System Name Service. NBT-NS is often referred to by its base application programming interface, NetBIOS, for short. The NBT-NS protocol is used similarly to LLMNR, except it identifies hosts on the network by their NetBIOS name and asks the receiving machine to disclose and return its current set of NetBIOS names. NBT-NS can utilize broadcast, unicast, or multicast.
      • UDP/137
      • UDP/138
    • MDNS
      • MDNS stands for Multicast Domain Name System (DNS). MDNS replies are sent over multicast so that everyone can see them and keep their local mDNS cache up to date.
      • UDP/5353
  • Servers
    • MSSQL
      • TCP/1433
      • UDP/1434
    • RDP
      • TCP/3389
    • Kerberos
      • TCP/88
    • FTP
      • TCP/21
    • POP
      • TCP/110
    • SMTP
      • TCP/25
      • TCP/587
    • IMAP
      • TCP/143
    • HTTPS
      • TCP/443
    • LDAP
      • TCP/389
      • UDP/389
    • DCERPC
      • TCP/135
    • WINRM
      • TCP/5985
  • NTLM Relaying

NTLM Authentication is a challenge-response based protocol. Challenge-response protocols use a commonly shared secret, in this case the user password, to authenticate the client. The server sends a challenge, and the client replies with the response to this challenge. If the response matches the one calculated by the server, the authentication is accepted.

After a host is poisoned and the hash is captured, if relaying is enabled, the username/hash combination will be used to attempt to log in to the target hosts over SMB. In order for this attack to be successful, the target host must not have SMB signing enabled. Upon successful login, a follow-on attack will occur and attempt to harvest local usernames and hashes from that target.
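Why SMB signing stops the relay described above, as an added illustration that is not part of the original page: a deliberately simplified model (SHA-256 HMACs standing in for the real NT hash, NTLMv2 response and signing key; NOT the MS-NLMP algorithm) in which a relay forwards the target's challenge and the victim's response but never learns the session key, so a target that requires signing rejects everything it sends after authentication. The user name and password are constructed.

```python
import hashlib
import hmac
import os
# Simplified model added to illustrate the text; it is NOT MS-NLMP (no MD4 NT
# hash, no NTLMv2 blob, no HMAC-MD5). It keeps only the shape that matters: a
# shared secret, a challenge, a response, and a session key a relay never learns.

def secret_from_password(password):
    # Stand-in for the NT hash: the shared secret held by client and server.
    return hashlib.sha256(password.encode("utf-16le")).digest()

def response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def session_key(secret, resp):
    # Both ends derive it from the secret; forwarding the response is not enough.
    return hmac.new(secret, resp, hashlib.sha256).digest()

class Server:
    def __init__(self, users, require_signing):
        self.users = users                    # user -> secret
        self.require_signing = require_signing
        self.chal = self.key = None

    def challenge(self):
        self.chal = os.urandom(8)
        return self.chal

    def authenticate(self, user, resp):
        secret = self.users[user]
        if not hmac.compare_digest(resp, response(secret, self.chal)):
            return False
        self.key = session_key(secret, resp)
        return True

    def handle(self, msg, sig):
        # Signing required: every message must carry a MAC under the session key.
        if not self.require_signing:
            return True
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return sig is not None and hmac.compare_digest(sig, expected)

def relay_outcome(victim_secret, target):
    # Relay model: target's challenge forwarded to the victim, victim's response
    # forwarded back; the relay has no secret, so its later messages are unsigned.
    resp = response(victim_secret, target.challenge())  # computed by the victim
    if not target.authenticate("svc_backup", resp):
        return "auth rejected"
    return "accepted" if target.handle(b"read share", None) else "rejected"
```

Run `relay_outcome` once against a `Server(..., require_signing=False)` and once against `Server(..., require_signing=True)` to see the authentication succeed in both cases but the follow-on request only survive without signing.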

  • Servers
    • HTTP
      • TCP/80
    • SMB
      • TCP/445
  • Attack
    • Secretsdump
      • A secretsdump is an action performed against a target machine that will attempt to dump the Security Account Manager (SAM) on Windows hosts. If successful, a list of username/NTLM hashes will be harvested and can be used with tools such as Crackmapexec in order to pass the hash and access other hosts within the network.
      • NOTE: SAM dumping can only occur if the user has administrative credentials. A non-privileged user may be able to log in, but the default action Cyanide uses, dumping SAM, cannot be achieved. However, this does not mean you don’t have to worry about it. Other actions can be utilized to gain access to the host and potentially escalate privileges to an administrative user.
  • Where does it work?
    • Since Responder works by capturing broadcast packets, capturing requests in different networks is not possible; therefore, Cyanide will only work within the network it resides in.
    • Based on the location of NodeZero, that is the subnet that will be poisoned. Cyanide applies scope in two ways:

    Scenario 1: No scope is specified, OR the subnet of the NodeZero host is within the specified scope

    • Scope defaults to the full subnet of the NodeZero host to poison

      Example 1
      ```
      NodeZero host subnet: 192.168.0.0/24
      Scope: **Auto-Expand**
      ```
      Cyanide will get a scope of 192.168.0.0/24 because no scope was specified and poisoning can only happen within the network of NodeZero. Relaying will occur against high value targets that are discovered during host discovery and have SMB signing disabled.

      Example 2
      ```
      NodeZero host subnet: 192.168.0.0/24
      Scope: 172.16.100.0/24, 10.0.0.0/16, **192.168.0.0/24**
      ```
      Cyanide will get a scope of 192.168.0.0/24 because the specified scope contains the subnet of the NodeZero host. Relaying will occur against high value targets that are within the scope specified and have SMB signing disabled.

    Scenario 2: A subnet inside the NodeZero host's subnet is within the whitelist; Cyanide will get that as its scope

      Example 1
      ```
      NodeZero host subnet: 192.168.0.0/24
      Scope: 172.16.100.0/24, 10.0.0.0/16, **192.168.0.0/30**
      ```
      Cyanide will only poison hosts within the 192.168.0.0/30 subnet because it falls within the NodeZero host's subnet. Relaying will occur against high value targets that are within the scope specified and have SMB signing disabled.
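The scope selection rules from both scenarios, as an added example that is not Cyanide's own code: it accepts the comma-separated scope form shown in the examples (the `**bold**` markers are treated as presentation only) and returns the subnets that would be poisoned. One assumption the page does not state: when no scope entry overlaps the NodeZero host subnet at all, nothing is poisoned.

```python
import ipaddress


def _parse_scope(scope):
    """Accept a list or the comma-separated form shown in the examples; the
    **bold** markers around an entry are presentation only and are stripped."""
    if scope is None:
        return []
    if isinstance(scope, str):
        if scope.strip(" *").lower() == "auto-expand":   # the page's "no scope" case
            return []
        scope = scope.split(",")
    return [ipaddress.ip_network(s.strip(" *"), strict=False) for s in scope]


def cyanide_scope(nodezero_subnet, scope=None):
    """Return the list of subnets Cyanide will poison, following the two
    scenarios in the text. Assumption not stated on the page: when no scope
    entry overlaps the NodeZero host subnet at all, nothing is poisoned."""
    host_net = ipaddress.ip_network(nodezero_subnet, strict=False)
    nets = _parse_scope(scope)
    # Scenario 1: no scope, or an entry covers the whole NodeZero subnet.
    if not nets or any(host_net.subnet_of(n) for n in nets):
        return [host_net]
    # Scenario 2: entries that lie inside the NodeZero subnet are poisoned.
    return [n for n in nets if n.subnet_of(host_net)]


def will_poison(nodezero_subnet, scope, host_ip):
    """True if a host on the LAN falls inside the poisoning scope."""
    ip = ipaddress.ip_address(host_ip)
    return any(ip in n for n in cyanide_scope(nodezero_subnet, scope))
```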

Summary

At the end of an Operation, if Cyanide was successful in capturing a hash and (if relaying is enabled) relaying it, you will be able to see the full path of exploitation.

Perhaps you have an old service account on a workstation that is re-using administrative credentials, but the intended network resource no longer exists on the network. This would trigger a poisoning event, capture the hash, relay it, and potentially dump the local usernames & hashes on a target host. There is also the potential that the captured hash or dumped hashes derive from a weak password and could be cracked. In both cases, the potential for host and/or domain compromise is high, resulting in unauthorized access to your data.

Poisoning and relaying are enabled by default within the Advanced Configuration menu under Man in the Middle Attacks.

Advanced Configuration - MITM