Top five vulnerabilities and how to avoid them: Spoofing
This blog discusses how attackers can gain an initial foothold on a Windows Domain by spoofing common broadcast traffic and performing Man in the Middle (MitM) attacks. It highlights vulnerabilities in default Windows configurations, such as NetBIOS and LLMNR, and the use of IPv6. You'll learn about how attackers exploit these protocols to capture hashed credentials and manipulate DNS queries, ultimately compromising network security.
A very effective method for gaining an initial foothold on a Windows Domain is to spoof common broadcast traffic on the local subnet and perform a Man in the Middle Attack (MitM).
A default configuration on Windows is to have NetBIOS and LLMNR (Link Local Multicast Name Resolution) enabled. When a user attempts to access a network resource, if the resource cannot be found in the host file or DNS server, a NetBIOS/LLMNR request will be produced. This often happens when a user mistypes an address or an application is referencing an old host name that is no longer in DNS. An attacker can respond to these name requests and impersonate the service. Then when a user attempts to login, the attacker obtains a copy of the user's hashed credentials (netNTLM). The captured hash can be subjected to an offline password brute-force attack and will often result in the recovery of the plain text password.
Additionally, many Operating Systems have IPv6 enabled by default and are regularly broadcasting DHCPDISCOVER messages to locate the DHCPv6 server. On networks where IPv4 is being used but IPv6 is not, this provides attackers with an opportunity to host their own rogue DHCPv6 server and respond to these broadcasts with malicious DHCPOFFER messages.
Windows will use the IPv6 with preference over the IPv4 and so once a rogue DHCPv6 server has issued a lease to a device, the attacker effectively has full control over DNS for that device until the lease expires. The attacker can then respond to DNS queries and cause devices to connect to the attacker's IPv6 address instead of the server they were trying to connect to. A common target for spoofing is the Web Proxy Auto-Discovery (WPAD) service which is running by default on a Windows installation.
What to do
Disable IPv6
If IPv6 is not in use it should be disabled network wide.
Disable Windows Proxy Auto detection (WPAD)
Disable the use of the Windows Proxy Auto Detection service on all hosts. If a PAC file is in use, this should be directly configured in the proxy configuration settings via Group Policy.
Disable LLMNR
LLMNR can be disabled estate-wide through group policy:
- Open Group Policy editor: Start -> Run -> gpedit.msc
- Navigate to DNS Client: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client
- Set "Turn Off Multicast Name Resolution" to "Enabled"
Disable NetBIOS
Group Policy can be used to set the following PowerShell script to run on boot:
set-ItemProperty HKLM:SYSTEM\HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip\* -Name NetbiosOptions -Value 2