Jump to content
Matasareanu

Going further with Responder’s Basic Authentication

Recommended Posts

  • Members

Going Further with Responder's Basic Authentication

There are a good number of situations when we find ourselves abusing the LLMNR and NBT-NS protocols on an infrastructure penetration test, more specifically on an Active Directory setup. These 2 protocols are enabled by default on most of the Windows operating systems. What are they doing is they facilitate the communication between network machines when searching for a DNS hostname regardless if it’s a share, a server or a web hostname.

The overview picture of the attack vector:

  • the victim is looking for a non-existing hostname
  • the DNS server cannot resolve the request
  • we reply and resolve the hostname resolution query
  • we ask the victim for authentication

 

  • Upvote 4
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...