
2024 Security BSides // Scott Thomas

BSides Cayman Islands, 43:05, 71 views, published 2025-01 (recording on YouTube)

All right, can I reset the timer? Is that possible on here? Oh, there it goes. All right, hello everybody, welcome to my first talk at a security conference, so I'll do my shot later, and welcome to the only thing standing between you and lunch. So hopefully I can inform, entertain, and get you out of here to go eat lunch. So my talk today, "I too like to live dangerously": going to talk about leveraging ARP spoofing in penetration tests. Kind of a niche topic, but really I wanted to share some methodologies and some lessons learned around a technique, a methodology, that we explored for a little while during

penetration testing. So let's get going. There we go. Okay, so first, what this talk is not: not cutting-edge research, sorry everybody. It's not new technologies, it's not a zero-day; in fact I did the calculation, this is a 15,339-day exploit. Not dropping any new tools, and I'm definitely not recommending that you use this on penetration tests, so just to be clear. So what the talk is: we're going to cover a little bit about this ancient protocol that's still in use everywhere, we'll talk about how to use the protocol to get adversary-in-the-middle positioning, and then some examples of what you can do once you are adversary in the middle, and then finally going

to cover some of the lessons learned from implementing this technique in real-world pen tests by performing ARP spoofing. So kind of the genesis of this talk, the inspiration of this talk, was sitting around thinking, man, anybody remember ARP spoofing? You know, just one of those things you realize: yeah, we used to do this a lot, we don't really anymore, why not? And the answer was, well, ARP spoofing mitigations, they're widely available, probably on by default these days. And that right there is the enemy of the pentester: the word "probably", making assumptions that then cause you to just not even explore a particular avenue of exploitation. For years I just ignored ARP spoofing because ARP spoofing

mitigations, they're widely available, probably on by default. Well, as we discovered, not really. So who the heck am I? I got my start hacking when I was a kid, war dialing at 300 baud. If you know what any of that means, then hello, old people, nice to see you too. I got my professional start in the United States Air Force, and I have been focused solely on offensive security consulting for about the last 14 years. Currently I am the offensive security team lead at Soteria. We are a cybersecurity consultancy based out of Charleston, South Carolina. We provide managed detection and response, incident response, advisory services. My

colleague Doug from our advisory team spoke earlier today. The advisory team does things like risk assessments, governance, risk and compliance, and then there's my team, the offensive security team. If you're not familiar with the term offensive security, this is all the testing, red teaming, vulnerability management type activities, so that's what my team does. I'm not really on social media; you can email me if you want, or you can find me on LinkedIn. So that's who the heck I am. What the heck is ARP? I'm bringing back PowerPoint animations, pretty fancy right there. It's Address Resolution Protocol. All right, good talk, thanks everyone. Okay, let's talk more about that.

So ARP was introduced, what was it, 15,339 days ago, in 1982, by RFC 826. That's a pretty low number in terms of the internet, but that's when it was first defined as a protocol. What it is: it is a layer 3 to layer 2 bridge protocol. What that means: the network layer to the data link layer, depending on the model you are using, but in plainer terms it translates IP addresses into hardware addresses, into MAC addresses, and I'll give a demonstration of how that works momentarily. Couple other things about it. First thing to note: it only works within a network broadcast domain, or a subnet broadcast domain. So your

traditional /24 network, where you have 254 available IP addresses, if you're in a /24, which is the most common default, then you can spoof potentially up to 254 IP addresses. If you happen to be in a network that has your subnet configured to be a /16, then you can spoof potentially up to 65,534 IP addresses. But it's only within your subnet that you can spoof other machines, or that you can use ARP, I guess, because that's what we're talking about. Important to note: there is no authentication to ARP replies, so a message received is taken as authoritative, and that's what we're going to leverage. And also, modern networking

equipment has ARP mitigations available. They go by different names depending on the company; sometimes it's ARP inspection, sometimes it's just called ARP mitigations. Very not clear; they don't explicitly say how they are mitigating ARP attacks. But it doesn't matter, because it's usually disabled by default. So what is ARP? We have our two machines here. The machine on the, let's see, your left, the machine on the left wants to find the machine that has the IP address 10.0.0.3. It sends out a broadcast message, hence the broadcast domain, sends out a broadcast message via ARP saying "who is 10.0.0.3?", and that system replies and says "I am, here's my MAC address", and then they can

communicate. Then they can communicate across the wire on the data link layer, on the hardware layer or physical layer, yes. So when we are an adversary, that process, "who is 10.0.0.3?", well, we can respond saying we are. Well, when it responds at the same time, that can confuse the original requester, right? So it's really just going to take whichever one it receives first as, well, that must be who belongs to 10.0.0.3. What we can do as attackers is send gratuitous ARP messages. We don't even have to wait for that request; we can just start sending messages across the network saying, anyone looking for 10.0.0.3, that's me,

that's me, that's me, and just keep sending that, and we're just going to preempt any other messages that come in. And so the requesting machine is going to start communicating with us as that IP address instead of its intended actual target. So we send those gratuitous ARP messages and it's cool with that; that sets up our communication, and then we can do the same thing to spoof the other machine, and now we are adversary in the middle. So we're adversary in the middle. Let me just tell you how we have been getting that, what tools we've been leveraging in order to do that. There's quite a few tools out there. I think the original

might have been Cain & Abel, if you're familiar with that. There was one called arpspoof, kind of obvious what that one does. Ettercap, then the revision of Ettercap that was bettercap, and then the latest bettercap, which is still called bettercap; I call it bettercap 2 because it's pretty revised. That's what we're going to focus on, bettercap 2, or just call it bettercap. So the first thing to do with bettercap is, so I like to create a caplet file. And so just a little bit of how bettercap works: bettercap is kind of a Swiss army knife, there's a whole bunch of

different functionality in there. You start it up and then you interact with it to tell it what you want it to do by issuing commands to it, right? I mean, pretty straightforward, it's a program. We can set up what they call a caplet file that just contains the commands that we're going to issue it once it starts, and it's a way that we don't have to type all of this in. Also, when bettercap is running it can be very noisy, and so it could be hard to type, because the noise kind of overwrites what you're typing as you're typing it. So to set up an ARP spoof,

what we're going to do is first we're going to set what targets: who do we want to tell everyone else that we are? In this case, 10.0.0.3. If you don't set that option, it's going to spoof the entire network. Whether or not that's a bad thing is up to your risk tolerance, as we'll discuss later, but if you want to spoof the entire network, just don't specify the target. If you want to spoof full duplex, to see the entire communication, you have to specify that, as well as if you want to spoof internal IP addresses, you have to specify that. So those are the three typical settings. There's a couple of items that we use to

reduce the noise that you see in bettercap, but not necessary. And then finally you start the ARP spoofer, start the net sniffer, start the net prober. So that's what we're telling bettercap to do. So then to actually use that caplet file, what we'll do is we'll run bettercap, we'll specify which interface to run it on. At the end there you can see we're specifying the caplet, and then in the middle there, that eval, "set net.sniff.output test.pcap": this is a nifty thing you can do, is just all the traffic that bettercap has seen, just write it to a pcap file, which is great

for further analysis later when you're done ARP spoofing. Okay, so now what? We're adversary in the middle, awesome, nice vibes going on there between the systems. Let me give you a couple of examples of some of the things where we have found value, interesting things, as adversary in the middle. And honestly, these aren't limited to ARP spoofing; if you've ever done any of the adversary-in-the-middle attacks, AitM, mitm6, or anything like that, you can do these things there too, but this talk is about ARP spoofing. So, file interception. I mentioned that pcap that you capture while you're doing your ARP spoofing. So you open that up, and you may

or may not be able to see in the back there, but via the SMB protocol somebody was transferring a file called password.txt, and we can see it being transferred across the wire. Wireshark, this is Wireshark, if you're not familiar: Wireshark, network analysis, pcap analysis tool, conveniently will let us just export any objects that were transferred over SMB. So you can run your ARP spoof for a while, then go back, open that pcap, and just go export any of the files that were in there. In this case we could see that password.txt file. This is in our lab, but we have captured credentials that way. Users make poor choices, which is what we

are looking to leverage here. They don't think they're making poor choices, because in this case this might be them on their workstation connecting to a file share that only they have access to; they're the only ones authorized to access that particular share. But because we're adversary in the middle, we're seeing that file transfer and we're grabbing that information. Okay, what else can we do? We can obtain NTLM version 2 hashes. So in that pcap, if we see the NTLMSSP auth, that's what the packets are called for NTLM version 2 authentication, in that packet there's enough information, there's seven bits of information, some not being shown here,

that you can use to reconstruct the NTLM version 2 hash that you can then take offline and try to crack, right, to get their plaintext password. So this is occurring any time a user is doing something like authenticating to SMB or other services, and we are capturing those hashes. Another thing: rather than reconstruct directly from Wireshark, because it's kind of a pain because you've got to copy and paste a bunch of stuff, I like to use a tool called PCredz that just grabs those out of the pcap for me, and then we can take that and crack it. SNMP community string. Simple Network Management Protocol, if you're not

familiar, this is a protocol that can be used to configure network devices, and instead of pass... well, it uses a different name for passwords, but for its passwords it uses community strings. And when this protocol was first put out there, and then when it was renewed in version 2, it used default community strings. So everywhere, you know, when you got a device it would have SNMP configured, and it would have "public" as the default read-only community string and "private" as the default read-write community string. Again, passwords; that's the only form of authentication that it uses. Well, those are transferred across the wire in plaintext, so you can capture

those. Now most of the time, if it's public and private, you don't really need to capture those, you can just guess it. But if the organization went through the trouble of changing the community string, well, you can go through the trouble of getting that community string from the wire, and then you can go in and make changes to their configurations via SNMP, potentially. SNMP version 3 actually introduced authentication for SNMP, so it finally caught up. However, the passwords that are transmitted across the wire, they're hashed, but they can be brute forced like anything else. I mainly mention that just because I want to give myself a shameless plug: a few years ago I wrote a brute forcing tool

for SNMP version 3, just for funsies, and you can find it on my GitHub. But when you're seeing SNMP in a pcap, for example right there highlighted in blue, you can see community "public". Okay, if it was, you know, "SuperSecurePassword1!", etc., we would still see that. If the system admins made poor choices and they use the same password for all administrative functions, including SNMP version 2, well, now you have a password that you can spray across the network and try to get further access to other systems. This one's fun: getting Microsoft SQL credentials. This technique basically takes advantage of some of the Microsoft

SQL authentication flow. So in this case we have our adversary in the middle, and we're sitting in between a SQL client and the Microsoft SQL database. So the SQL client sends a pre-login request to the SQL Server, which we intercept, and in this case it's saying, for this communication, encryption is off. The options for that message are: encryption off, which means there's no encryption; encryption on, which means encryption is available but it's off by default unless you tell me to turn it on; and then there's encryption required, which is, I will only talk to you if it is encrypted. So they send the message saying, I want

to start a connection with you, encryption's off. We pass that on to the SQL Server saying encryption off, no changes. The SQL Server responds, says, well actually, if you want to talk to me, encryption is required. Great, well, we don't like that, so we're going to change that, so that the response is encryption isn't supported, and the client will then say, oh great, well, here's my credentials. So how we leverage that: at this point we have our ARP spoofing running and we are spoofing both ends of the communication. So we put in an iptables rule to route any traffic to the Microsoft SQL port, 1433; we'll

route it to a Microsoft SQL capture tool. In this case we're using the one from Metasploit, and it just sits there as a listener and it does that whole downgrade process for us. And then as clients try to connect to the server, it'll downgrade the connection and provide us with the credentials. So again, that's a password that we can use, well, first of all to log into the SQL server, and hopefully they've made poor choices in terms of how they are configuring their user accounts, but then also that's another password we can use to spray across the network. Okay, the fun part, the really fun part about ARP spoofing, is ntlmrelayx.

This is a very common tool. ntlmrelayx takes NTLM authentication requests and relays them to targets that you specify. Okay, I'm not going to go into the details of that, probably because I'll explain it poorly, and it's not really important for this talk. Just know that we are relaying NTLM authentication requests to other systems of our choice, and I like to configure it so that, with ntlmrelayx, as it is relaying those connections to other systems, then we can create a SOCKS listener, or a SOCKS connection, that we can then use later to interact with that session that it would open to our victim target.

So the typical kind of workflow for ntlmrelayx is, if you've ever heard of a tool called Responder, which is a local host name resolution protocol interception tool, basically, typically you will try to redirect NTLM authentication requests to our ntlmrelayx listener and onwards to our victims. In this case we're just going to run it, and I'll explain these in just a second, but then we will also, similar to the last one, force all port 445 traffic to our ntlmrelayx SMB server. Okay, so every NTLM authentication request that comes across the wire as we're ARP spoofing is going to be forced to ntlmrelayx

and then off to our targets. So just background of the command we're running for ntlmrelayx: first we specify a list of targets. These are all the systems that we are going to try to authenticate to using the intercepted authentication request. The key here is these typically have to have SMB signing not required. So if anybody out there is a system administrator or defender: require SMB signing, configure SMB so that SMB signing is required, because that just completely cuts this off for us. But by default SMB signing is not required on systems other than domain controllers, I believe. So those are the ones we're going to target. We're going to

scan the network and look for any system that doesn't have it required, and we're going to put that in our targets list. We're going to tell the tool to open SOCKS connections, proxy connections. We're going to want to support SMB2. The -w flag, it took me a little while to learn about this flag, but as this tool is running, we'll just leave this tool running for much of the engagement. If we make updates to our targets.txt, the -w flag will update the proxy connection without having to restart, or excuse me, update the targets list without having to restart ntlmrelayx,

and then we can tell it to write a file of any hashes, NTLM version 2 hashes, that it sees; it'll write a file of those. And loot is anything else that is juicy that it intercepts during the process. Okay, so you start ntlmrelayx, you force all the traffic that's going to 445 to your ntlmrelayx SMB listener, and so in this case I connect to, you know, an SMB server that has been ARP spoofed, and my connection is then used to also connect to all of the targets in the target list, which I happened to be admin on, and now I have admin access to all of those

systems. That's local admin. So we can take that SOCKS connection and we use proxychains, we pass that SOCKS connection to smbexec, which is an SMB console, interactive, semi-interactive shell. We don't need a password because we already have, the ntlmrelayx is holding open our connection, and that's what we're going to use. So then we connect to the target system, and because I'm admin it executes as NT AUTHORITY\SYSTEM and we own that box. Can also, same process, pass the SOCKS connection to secretsdump. If you're not familiar with smbexec or secretsdump, they're part of the Impacket toolset, which is a very

handy toolset, especially when doing things like ARP spoofing. But in this case, secretsdump, what it does, if you have the appropriate level of authentication, it just connects to the target machine and it dumps things like local user hashes, any cached domain logins, sometimes services, service accounts. The passwords are not stored in plaintext, but they're encoded in the registry; they can be unencoded, they may be encrypted, I'm not going to get into the nuance, but either way you can see them in plaintext in certain situations. So, very handy tool. So typically we will, one, start to crack the hashes, because

it's useful to have the plaintext. We'll also spray that hash across the network to see where, you know, is the local administrator password being used on every machine, that sort of thing. We'll also try to crack domain users, the cached domain logins. Those are DCC2 hashes, very slow to crack, so unless they made poor choices it's hard to crack those, but it is possible, so always worth trying. But then of course we're going to see what privileges that service account has. Very commonly it has too many privileges and is a domain admin or some high-privileged user account, so we'll just leverage that. All right, so that's just some

examples of some of the fun things that we can do as adversary in the middle, in this case with ARP spoofing. What could possibly go wrong? That's, yeah, that's the question, right? So, minor: the client says, hey, our Teams meetings keep dropping. One of the options that you can do with bettercap is you can start SSL stripping, to try to see the traffic that's going across over, you know, maybe HTTPS. That does have an impact on Teams meetings, as we found out, and stopped SSL stripping. But you know, that's not too bad; we don't want to, yeah, it's not too bad. Or sometimes,

hey, we can no longer access any of our VMware-based systems. Yeah, I mean, things can go wrong. The thing to remember: systems can behave unpredictably during pen tests. So, yeah, if you ARP spoof every IP in the subnet, you're multiplying your potential for issues exponentially. However, ARP spoofing the gateway can also cause issues, because you're then effectively ARP spoofing all traffic. Especially when testing remotely: if you are a pen tester who tests remotely and you send your clients a small form factor PC or a virtual machine, and you start running ARP spoofing and something happens in the network and now you can no longer

remotely connect to your system, and your system is just happily ARP spoofing away and you now have no way to kill it, then you have to have that awkward call with the client: hey, we need you to go unplug our machine. So there can be issues here. Okay, so a couple of the takeaways from our experience leveraging this in real-world pen tests. It's the easy button. So, you know, there's the situations where you're kind of banging your head against the wall: I've been working in this environment for the last week and have gotten nowhere, there's no further footholds or anything like that. We had one of the folks on my team testing a client; the

client was locked down, started running ARP spoofing in combination with ntlmrelayx, and managed to get access to quite a few systems, like within seconds of starting that ntlmrelayx. So it is the easy button. That's true for any adversary-in-the-middle positioning, but you know, the easiest of easy buttons is when you are ARP spoofing the entire network, because you are seeing all the traffic across the network; there's a lot more stuff to choose from. Not always the best choice, though. So I got a little enthusiastic writing this bullet, that every engagement where we used it resulted in domain admin. That is not true. Every engagement resulted in

some sort of privilege escalation, usually domain admin. Three out of 20 engagements that we tried this on reported network issues. That's great, 85% success rate, right? That's bad, 15% failure rate. So what kind of network issues? You know, it really varied when they happened. We could not predict problematic networks. We could not really figure out why failures were occurring when they occurred, other than ARP is definitely interfering with something, something critical, right? And so we found that some virtualized networks, if we're on a VM, tolerate ARP spoofing no problem; we found some virtualized networks did not like ARP spoofing at all. So, kind of

a learning process there, working with the clients to try to figure out how to effectively employ this in their network. One weird thing: ARP spoofing all targets on a /16, so again, what was it, 65,000-something IPs, the client didn't even notice anything; there were no issues whatsoever. So, also, that's a bit problematic, you know, that they were configuring their networks to be a /16 as opposed to segmenting it down into smaller subnets, but that's not the point of this talk. But so again, it felt a little arbitrary sometimes what was causing issues versus what wasn't, in terms of client network configurations. Definitely figured out that ARP

spoofing from a physical device was more reliable than from a virtual machine. And here's the rub. This is the problem with ARP spoofing, with adversary in the middle in general: pentesters want the win, right? We're being paid to win, we want to get domain admin, but we also don't want to take down client networks. I don't want to have the call with the client contact, with the CEO, with anyone from the client side, explaining what happened to their network. So then the big question: is it worth the risk? Also, get it, it's the big question because of the fonts. All right, whatever.

So, but is it worth the risk? And that is the question, and that's for you and your clients to decide when trying to figure out if you want to try ARP spoofing. So we developed some tips, or some guard rails, around ARP spoofing. One, of course, is to let, you know, you should be communicating with your clients as a pen tester and let them know what you're going to do. We don't always tell them exactly what we're going to do, but this is one that, if we're going to employ ARP spoofing, we're going to have a conversation with them, explain what we're going to do, why we're going to do it, and the

potential risks. Avoid the temptation to target all IPs in the subnet. I know I keep mentioning that you can, and that we have, and we got away with that, not many issues, but you really should be targeting specific systems with ARP spoofing. Do all your enumeration, figure out what's what, rather than just get blanket access to the network traffic. Again, it's the easy button: if you have access to the network traffic you can figure everything out, but target your attacks. Use the timeout command. So in those cases where you start ARP spoofing and now you can't access your system to kill it, the timeout command will save

you. So we run the timeout command to kill the ARP spoof after 1 to 5 minutes. For those of you who aren't familiar with timeout, this is a standalone binary in Linux systems, so you do "timeout", five minutes, and then your command that you're going to run, so if the command is still running after five minutes it just kills it. And this is the backup: if for some reason you lose access to the system doing the ARP spoofing, it's going to kill it. And the thing to note about ARP spoofing: when we're sending all those gratuitous ARP messages and we're just bombing the network with messages to

direct traffic to us, the second we stop that, the network just, this is too definitive but I'm going to say it anyways, the second we stop that, the network goes back to normal and everything works perfectly again. Usually. There's some caveats there, but generally speaking, if we're not sending those gratuitous ARP messages, then normal ARP communication is going to resume and systems will be able to begin talking to each other again as normal. Oh, I keep hitting the laser. All right, well, let's see. So avoid ARP spoofing in virtualized networks; it's really just not worth the risk of doing. And then mitigations. So not everybody in here is a pentester; some

people are on different sides of the screen there. So let's talk about mitigations. It's not really a satisfying answer. So first of all, standard adversary-in-the-middle mitigations apply: use secure protocols, SSH, HTTPS. SMB version 3 will prevent that file interception, or can prevent it, depending on how you have it configured, but it'll prevent that file interception. SNMP version 3, again, harder to capture those plaintext passwords. Use Kerberos for Windows authentication; things are moving that way, and that's not to say there aren't attacks on Kerberos, but what we are doing with this process, at least, is leveraging NTLM for the

most part. Implement ARP mitigations on networking equipment. So again, they don't really say how they're mitigating it or what they are doing. We had a client who turned it on and sent me a message saying, yeah, we turned that back off because it took our entire network down when we turned on ARP mitigations. Okay, well, don't know what to tell you in that case. You can also implement static ARP, static ARP tables, and what this is is just manually defining: this IP address equals this MAC address. You can set that up for critical systems. It is a lot of work to do, and if any changes in the network happen, then you have

to modify that, but you can specify to systems what is what, so that they don't listen to those gratuitous ARP messages. Hey, anybody remember IPv6 and how that was going to change the world? So IPv6 has Secure Neighbor Discovery protocol, which is their version of ARP, and it supposedly does the translation securely. There are a few attacks, from what I've read; I've never tried them, so I'm not going to talk about them, but it's not a perfect protocol. But IPv6 does have mitigations natively against ARP spoofing; well, ARP's not even in there. Or, you know, you could always just accept the risk of ARP spoofing. You

know, it's a bit problematic, because ARP spoofing should be very easily detectable. I mean, it even should be, it is just: monitor the network and look for a lot of ARP packets, you know, above and beyond the normal. But I don't think people are really monitoring for ARP spoofing; it's a sort of niche. So the client up there who turned on ARP mitigations and then dropped, you know, had that crash his network, came back to me and said, we're accepting the risk. Said okay, great, well, that's your choice. However, just yesterday, weirdly, I heard from our team that he went back and tried again, and they sorted out all

their issues, and in this year's pen test they had a different pen tester in there, you know, get a different set of eyes on the environment. They had a different pentester in there, and this was one of those clients that we were in there banging our heads against the wall; they were locked down, couldn't get anything. We finally implemented, or used, ARP spoofing, got one little nugget of information that we were able to then leverage into more and more access until we won. This year's pen tester apparently just gave up. And so I think that's pretty cool; he actually went through the trouble of implementing those ARP

mitigations and figuring out why they weren't working, and it made the pen tester's job harder, which, again, as a pentester I hate that; for my client, I love that. So yeah, the mitigations aren't great; there's no one single easy answer. So yeah, that's where we're going to leave it. So that is ARP spoofing. Any

questions? There we go. All right, just a quick question about the MSSQL downgrade attack: any client-side mitigations for being able to downgrade to encryption not required?

Yes, so, sorry, I only sort of heard the question, but it's what are the client-side mitigations for the downgrade, is that... Yeah. So you have to configure the MSSQL clients to send that encryption required message. So you have to require encryption on both ends of the communication stream, otherwise there's just too much leeway in there. So the client has to start the conversation with encryption required, the server has to respond with encryption required, and at that point

you're good to go. If the client goes with encryption on, which is what I typically see, that encryption is available but not on, then yeah, it's kind of a leading setting. So yeah, always require that encryption.

Question. I stole five minutes from you, Scott, I apologize; I pushed your talk a little bit late. Are there any more questions for Scott before we break for lunch?

Yeah, great. All right, you said do not try to spoof the whole network, try to choose one IP, right, because it will probably crash the network. Other than crashing the network, which is what hackers want sometimes, they don't mind

if the whole thing crashes, what could they try to obtain by running it across the whole network instead of just one IP, other than crashing, which is obvious?

Yeah, so when you run it against the whole network you're seeing all the network's traffic. But the thing that I forgot to mention, I apologize, is I mentioned that ARP spoofing only works within the broadcast domain, right? But if we're spoofing the gateway, we are seeing all traffic from every asset on that subnet to anything elsewhere, right? So if the domain controller, the file server, or something else is in a different subnet, it's okay,

we're still going to see that traffic. So when you cast a wide net by ARP spoofing the entire network, you're seeing every transaction, you know, every file upload or download to the SMB server, or every authentication, well, not to the domain controller, but authentications to different services that might be elsewhere. You're just, again, it's a wider net, so increasing your chances of finding something sensitive that you can then leverage for other exploits. Does that answer your question? Yeah. No problem. And one last question before we break, anyone?
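The talk makes two points a defender can act on directly: ARP carries no authentication, so a host caches whichever "who is 10.0.0.3" answer arrives first, and ARP spoofing "should be very easily detectable" by watching for ARP traffic above the normal volume, yet few people monitor for it. The following is an added example, not code from the talk or from Soteria: a small Python monitor that parses raw Ethernet/ARP frames (RFC 826 layout) and raises alerts on the three signals described in the talk, an IP that suddenly resolves to a different MAC, a steady stream of gratuitous ARP from one sender, and an ARP sender MAC that disagrees with the Ethernet source MAC. The sample traffic is constructed inline, reusing the lab address 10.0.0.3 from the talk with made-up MAC addresses; in practice you would feed it frames read from a pcap or a raw socket on a monitoring port.

```python
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes([0xFF] * 6)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst=None):
    """Build an Ethernet II frame carrying an ARP packet in RFC 826 layout."""
    eth_src = mac_bytes(eth_src or sha)
    eth_dst = BROADCAST if eth_dst is None else mac_bytes(eth_dst)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen 6, plen 4, opcode
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the fields of an Ethernet/ARP frame, or None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only Ethernet/IPv4 ARP
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sha": mac_str(frame[22:28]),   # sender hardware (MAC) address
        "spa": ip_str(frame[28:32]),    # sender protocol (IP) address
        "tha": mac_str(frame[32:38]),
        "tpa": ip_str(frame[38:42]),
    }


class ArpMonitor:
    """Stateful detector fed one frame at a time together with a timestamp in seconds."""

    def __init__(self, gratuitous_limit=5, window=10.0):
        self.table = {}                       # ip -> mac the network first learned
        self.gratuitous = defaultdict(deque)  # (mac, ip) -> timestamps of self-announcements
        self.limit, self.window = gratuitous_limit, window

    def observe(self, frame, ts):
        """Return the alert strings raised by this frame (empty list if it looks benign)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        # A spoofer may forge the ARP sender MAC while its real NIC stays the Ethernet source.
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"sender-mac mismatch: eth {arp['eth_src']} vs arp {arp['sha']}")
        # Hosts cache the first answer they hear; a later, different MAC for the same IP
        # is either a spoof or a legitimate readdressing (DHCP, failover), so triage it.
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"ip-mac conflict: {arp['spa']} was {known}, now {arp['sha']}")
        # Gratuitous ARP (sender announces its own IP) is normal once at boot; the talk's
        # "that's me, that's me, that's me" is a sustained stream from one sender.
        if arp["spa"] == arp["tpa"]:
            q = self.gratuitous[(arp["sha"], arp["spa"])]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.limit:          # fire once, when the threshold is first crossed
                alerts.append(f"gratuitous-arp burst: {arp['sha']} claims {arp['spa']} "
                              f"{len(q)}x within {self.window:g}s")
        return alerts


def analyze(frames):
    """Run the monitor over (timestamp, frame) pairs and collect every alert."""
    mon = ArpMonitor()
    alerts = []
    for ts, frame in frames:
        alerts.extend(mon.observe(frame, ts))
    return alerts


def sample_capture():
    """Constructed traffic: one legitimate exchange, then a spoofer flooding 10.0.0.3."""
    victim, real_host, spoofer = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:03", "cc:cc:cc:cc:cc:cc"
    frames = [
        (0.0, build_arp(ARP_REQUEST, victim, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.3")),
        (0.1, build_arp(ARP_REPLY, real_host, "10.0.0.3", victim, "10.0.0.1", eth_dst=victim)),
    ]
    for i in range(8):  # unsolicited "10.0.0.3 is-at cc:cc:cc:cc:cc:cc" every half second
        frames.append((1.0 + 0.5 * i, build_arp(ARP_REPLY, spoofer, "10.0.0.3", spoofer, "10.0.0.3")))
    return frames


if __name__ == "__main__":
    for line in analyze(sample_capture()):
        print(line)
```

On the constructed capture the monitor reports the IP-to-MAC conflict on every spoofed reply and one burst alert when the fifth self-announcement lands inside the 10-second window. The conflict rule is the one that needs tuning: DHCP lease churn and HA failover pairs legitimately move an IP between MACs, so in production you would seed the table from a known-good inventory rather than from the first frame seen, and treat the alert as something to triage. This complements rather than replaces the switch-side controls the talk mentions (dynamic ARP inspection and static entries for critical systems); it only tells you that spoofing is happening, which, as the speaker notes, is still more than most networks check for today.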