94 - Adversary-in-the-Middle (AiTM)

Attackers use man-in-the-middle (AiTM/MITM) techniques to attempt to position themselves between two or more networked devices to facilitate follow-up actions such as network sniffing and manipulation of transmitted data. By exploiting features of common network protocols that can determine the flow of network traffic (such as ARP, DNS, WPAD, and LLMNR), attackers can force devices to communicate through systems controlled by the attacker to obtain information such as hashed credentials. Noting that credentials are predominately the key object of value obtained through AiTM attacks, they are largely positioned between a client endpoint and an Active Directory(AD) server.

Types of AiTM Attacks

LLMNR/NBT-NS Poisoning and SMB Relay

| MITRE ATT&CK | TA1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Link-Local Multicast Name Resolution (LLMNR) and the previous iteration of the service called NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. The key flaw of the service is that the username and NTLMv2 hash are returned.

Server Message Block (SMB) Relay can also be used in conjunction with LLMNR attacks to utilize obtained NTLMv2 credentials for authentication rather than cracking the hashes offline.

Port	Service
5355	LLMNR
137	NBT-NS
445	SMB

Specific procedures for attacking LLMNR and SMB Relay can be found in the Common Ports and Services sections and the Darkcybe - Responder tool guide. Additionally, Inveigh (a PowerShell version of Responder) is baked into PowerShell-Empire.

Mitigation's against LLMNR Attacks

Black Hills - How to Disable LLMNR & Why You Want To

Internet Protocol Version 6 (IPv6)

IPv6 is a network layer protocol that was developed and brought into existence in 1998 with the sole purpose of succeeding IPv6. It is generally enabled by default on most Windows systems, even if not actively being used. In Enterprise networks, this could present a significant vulnerability that can be exploited to gain credentials and access networked systems.

The following post contains details on how to perform an AiTM attack on IPv6 using MITM6.

Mitigations against MITM6, WPAD, LDAP, and Delegation Attacks

Dirkjanm - The worst of both worlds: Combining NTLM Relaying and Kerberos delegation

Techniques

Explore
- Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
- Perform a sniffing attack and observe communication to determine a communication protocol.
- Look for application documentation that might describe a communication mechanism used by a target.
Experiment
- Position In Between Targets: The adversary inserts themselves into the communication channel initially acting as a routing proxy between the two targeted components.
- Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
- Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.
Exploit
- Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
- Prevent some messages from reaching their destination, causing a denial of service.

Previous66 - SQL Injection Next252 - PHP Local File Inclusion (LFI)

Last updated 1 year ago