Overview
Attackers use man-in-the-middle (AiTM/MITM) techniques to attempt to position themselves between two or more networked devices to facilitate follow-up actions such as network sniffing and manipulation of transmitted data. By exploiting features of common network protocols that can determine the flow of network traffic (such as ARP, DNS, WPAD, and LLMNR), attackers can force devices to communicate through systems controlled by the attacker to obtain information such as hashed credentials. Noting that credentials are predominately the key object of value obtained through AiTM attacks, they are largely positioned between a client endpoint and an Active Directory(AD) server.
CAPEC |
---|
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themselves within the communication channel between the two components. |
Types of AiTM Attacks
LLMNR/NBT-NS Poisoning and SMB Relay
Link-Local Multicast Name Resolution (LLMNR) and the previous iteration of the service called NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. The key flaw of the service is that the username and NTLMv2 hash are returned.
Server Message Block (SMB) Relay can also be used in conjunction with LLMNR attacks to utilize obtained NTLMv2 credentials for authentication rather than cracking the hashes offline.
Port | Service |
---|---|
5355 | LLMNR |
137 | NBT-NS |
445 | SMB |
Specific procedures for attacking LLMNR and SMB Relay can be found in the Common Ports and Services sections and the Darkcybe - Responder tool guide. Additionally, Inveigh (a PowerShell version of Responder) is baked into PowerShell-Empire.
Mitigation’s against LLMNR Attacks
Internet Protocol Version 6 (IPv6)
IPv6 is a network layer protocol that was developed and brought into existence in 1998 with the sole purpose of succeeding IPv6. It is generally enabled by default on most Windows systems, even if not actively being used. In Enterprise networks, this could present a significant vulnerability that can be exploited to gain credentials and access networked systems.
The following post contains details on how to perform an AiTM attack on IPv6 using MITM6.
Mitigations against MITM6, WPAD, LDAP, and Delegation Attacks
Techniques
- Explore
- Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
- Perform a sniffing attack and observe communication to determine a communication protocol.
- Look for application documentation that might describe a communication mechanism used by a target.
- Experiment
- Position In Between Targets: The adversary inserts themselves into the communication channel initially acting as a routing proxy between the two targeted components.
- Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
- Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.
- Exploit
- Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
- Prevent some messages from reaching their destination, causing a denial of service.