Find poisoned Creds

Poisoned Credentials Write-up.

Intro

In this write-up we will identify malicious network activity in which an attacker used LLMNR and NBT-NS poisoning to intercept network traffic. This type of attack exploits these name-resolution protocols to intercept traffic and capture credentials. The tool of choice is Wireshark, which lets us process the pcap provided with the lab.

Setup

To reduce the risk of network compromise, the pcap is examined in a virtual machine running Ubuntu Linux. No active network connection is needed, because Wireshark can work on the capture offline to recover the credentials.

Examination

We begin by importing the pcap into Wireshark. Once it has loaded successfully, we use the questions in the lab to walk through the process of obtaining the credentials.

1. The attacker initiated their actions by taking advantage of legitimate network traffic. The IP address provided was 192.168.232.162, so we look at all traffic coming from that IP address.

a. Apply the display filter ip.src==192.168.232.162

2. Given that the protocol used was NBT-NS, we can review packet 47 and see that NBNS was used to send a query for FIRESHAARE. This is the name that was mistyped on the end-user machine.

3. We now need to determine the IP address of the rogue machine. We know that FIRESHAARE is what was used to connect to the rogue machine, so we look for excessive responses to LLMNR queries.

a. Based on the pcap, the IP 192.168.232.215 shows an excessive number of responses. This was shown by using the display filter ip.addr==192.168.232.215 && llmnr.

b. Two machines received poisoned responses; the second one is 192.168.232.176.
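The Wireshark filters above find the poisoner by eye: one host answers far more LLMNR/NBNS queries than any real host would. The following is an added example, not code or output from the lab, that applies the same test programmatically: it parses the name out of each LLMNR (RFC 4795, DNS-style labels) and NBT-NS (RFC 1002, first-level encoded names) message and flags any source that answered two or more different names, since a legitimate host only ever answers for its own name. The capture is constructed inline to mirror the addresses in this write-up; the query names wpad, printsrv and ws10 and the host 192.168.232.10 are assumptions for the sample.

```python
"""Count which hosts answer LLMNR / NBT-NS name queries, and for how many different names.
Added example, not code or output from the lab: the capture below is constructed."""
import struct
from collections import defaultdict

LLMNR_PORT = 5355          # RFC 4795, queries go to multicast 224.0.0.252
NBNS_PORT = 137            # RFC 1002 NetBIOS Name Service, queries go to broadcast
QR_BIT = 0x8000            # header flag bit: 1 = response


def encode_dns_name(name):
    """LLMNR uses DNS label encoding: length byte + label, terminated by 0x00."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def encode_nbns_name(name, suffix=0x00):
    """NBNS first-level encoding: 16 bytes (name padded to 15 + suffix) -> 32 chars 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    first_level = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)
    return bytes([32]) + first_level.encode("ascii") + b"\x00"


def decode_nbns_label(label):
    raw = bytes(((label[i] - 65) << 4) | (label[i + 1] - 65) for i in range(0, len(label), 2))
    return raw[:-1].decode("ascii").rstrip()   # drop the suffix byte, strip space padding


def build_llmnr(name, response=False, ip=None, txid=1):
    qname = encode_dns_name(name)
    hdr = struct.pack("!HHHHHH", txid, QR_BIT if response else 0, 1, 1 if response else 0, 0, 0)
    msg = hdr + qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    if response:
        msg += qname + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return msg


def build_nbns(name, response=False, ip=None, txid=1):
    nbname = encode_nbns_name(name)
    if not response:
        return struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0) + nbname + struct.pack("!HH", 0x20, 1)
    # Positive name query response: QDCOUNT 0, the NB resource record follows the header.
    hdr = struct.pack("!HHHHHH", txid, QR_BIT | 0x0580, 0, 1, 0, 0)
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))   # NB_FLAGS + NB_ADDRESS
    return hdr + nbname + struct.pack("!HHIH", 0x20, 1, 300000, len(rdata)) + rdata


def read_labels(payload, offset):
    labels = []
    while offset < len(payload):
        ln = payload[offset]
        offset += 1
        if ln == 0 or ln & 0xC0:        # end of name, or a compression pointer (never first)
            break
        labels.append(payload[offset:offset + ln])
        offset += ln
    return labels


def parse_message(payload, port):
    """Return (is_response, NAME) for an LLMNR or NBNS message, or None if malformed."""
    if len(payload) < 13:
        return None
    flags = struct.unpack_from("!H", payload, 2)[0]
    labels = read_labels(payload, 12)           # first name follows the 12-byte header in both
    if not labels:
        return None
    if port == NBNS_PORT and len(labels[0]) == 32:
        name = decode_nbns_label(labels[0])
    else:
        name = b".".join(labels).decode("ascii", "replace")
    return bool(flags & QR_BIT), name.upper()


def find_poisoners(packets, min_names=2):
    """Sources that answered >= min_names distinct queried names -> {ip: [names]}.
    A poisoner answers every name it sees; a real host answers only its own."""
    answered = defaultdict(set)
    for src_ip, sport, dst_ip, dport, payload in packets:
        if NBNS_PORT in (sport, dport):
            port = NBNS_PORT
        elif LLMNR_PORT in (sport, dport):
            port = LLMNR_PORT
        else:
            continue
        parsed = parse_message(payload, port)
        if parsed and parsed[0]:
            answered[src_ip].add(parsed[1])
    return {ip: sorted(names) for ip, names in answered.items() if len(names) >= min_names}


# Constructed capture (src, sport, dst, dport, payload): a mistyped share name,
# one rogue host answering every name, one honest host answering only its own.
ROGUE, VICTIM1, VICTIM2, HONEST = "192.168.232.215", "192.168.232.162", "192.168.232.176", "192.168.232.10"
SAMPLE_PACKETS = [
    (VICTIM1, 137, "192.168.232.255", 137, build_nbns("FIRESHAARE")),
    (ROGUE, 137, VICTIM1, 137, build_nbns("FIRESHAARE", True, ROGUE)),
    (VICTIM1, 51000, "224.0.0.252", 5355, build_llmnr("fireshaare")),
    (ROGUE, 5355, VICTIM1, 51000, build_llmnr("fireshaare", True, ROGUE)),
    (VICTIM2, 51002, "224.0.0.252", 5355, build_llmnr("wpad")),
    (ROGUE, 5355, VICTIM2, 51002, build_llmnr("wpad", True, ROGUE)),
    (VICTIM2, 51003, "224.0.0.252", 5355, build_llmnr("printsrv")),
    (ROGUE, 5355, VICTIM2, 51003, build_llmnr("printsrv", True, ROGUE)),
    (VICTIM1, 51004, "224.0.0.252", 5355, build_llmnr("ws10")),
    (HONEST, 5355, VICTIM1, 51004, build_llmnr("ws10", True, HONEST)),
]

if __name__ == "__main__":
    for ip, names in find_poisoners(SAMPLE_PACKETS).items():
        print(f"{ip} answered {len(names)} different names: {', '.join(names)}")
```

Port handling matters for LLMNR: the query goes from an ephemeral port to 224.0.0.252:5355, but the response comes back from port 5355 to that ephemeral port, so a filter on the destination port alone would miss every answer. NBNS uses 137 in both directions. On a real capture the same logic can be fed from tshark output or a pcap library; the parsing and the "answers many names" heuristic stay the same.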

4. To determine which user accounts may have been compromised, we need to find the username of the compromised account.

a. What we do know is the IP address of the rogue machine and of the other two poisoned machines. So, we filter all packets with the display filter smb2.

b. We notice there is a Session Setup Request carrying NTLMSSP_AUTH, so the machine is trying to set up an authenticated session with a server. By examining the information sent, the network name is cybercactus.local and janesmith is the username.
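Wireshark shows the domain and user name because they sit in plain security buffers inside the NTLMSSP AUTHENTICATE (type 3) message. The following is an added example, not code or data from the lab: it builds a minimal AUTHENTICATE message (signature, message type, six length/offset buffers, negotiate flags, payload; no Version or MIC fields) and then parses one the way a dissector does, locating each field by its offset rather than its position. The domain and user match the write-up; the workstation name WS01 and the NT response bytes are constructed.

```python
"""Pull the domain and user name out of an NTLMSSP AUTHENTICATE message (Wireshark's
NTLMSSP_AUTH inside an SMB2 Session Setup request). Added example; the message is constructed."""
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001        # strings are UTF-16LE when set, else OEM/ASCII
HEADER_LEN = 64                       # signature(8) type(4) 6 buffers(48) flags(4)
# Byte offsets of the security buffers in the fixed header.
LM_RESP, NT_RESP, DOMAIN, USER, WORKSTATION, SESSION_KEY, FLAGS = 12, 20, 28, 36, 44, 52, 60


def _buffer(data, offset):
    """Security buffer descriptor: Len(2) MaxLen(2) Offset(4), little-endian."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_authenticate(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    items = [b"", nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    descriptors, payload, offset = b"", b"", HEADER_LEN
    for item in items:                # payload order is free; descriptors carry the offsets
        descriptors += _buffer(item, offset)
        payload += item
        offset += len(item)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors + struct.pack("<I", flags) + payload


def parse_authenticate(msg):
    """Return the identity fields of an AUTHENTICATE message; raise ValueError if malformed."""
    if len(msg) < HEADER_LEN or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", msg, FLAGS)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

    def field(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):   # bounds check: offsets are attacker-controlled data
            raise ValueError("security buffer points past end of message")
        return msg[off:off + length]

    nt_len = len(field(NT_RESP))
    return {
        "domain": field(DOMAIN).decode(enc),
        "user": field(USER).decode(enc),
        "workstation": field(WORKSTATION).decode(enc),
        # A 24-byte NtChallengeResponse is NTLMv1; NTLMv2 carries a 16-byte HMAC plus a blob.
        "ntlm_version": "NTLMv1" if nt_len == 24 else "NTLMv2" if nt_len > 24 else "none",
    }


def extract_identity(msg):
    """Same as parse_authenticate but returns None instead of raising on bad input."""
    try:
        return parse_authenticate(msg)
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


# Constructed sample: the identity from the write-up with an assumed workstation name.
SAMPLE_AUTH = build_authenticate("cybercactus.local", "janesmith", "WS01", b"\x11" * 40)

if __name__ == "__main__":
    print(parse_authenticate(SAMPLE_AUTH))
```

The version field is the detail an analyst should also record: the poisoned client hands the rogue host an NTLMv2 (or, worse, NTLMv1) challenge response for janesmith, which is what makes the captured exchange valuable to the attacker and why the account should be treated as exposed.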