This is a 3-part series on how nGuard most commonly gains an initial foothold on your internal network, then takes that initial access and pivots through the network to obtain full command and control over systems. These are attacks that are present in over 90% of the networks we conduct internal penetration testing on. This will show you how quickly nGuard or an attacker can take an initial foothold and create persistent access. Some of the systems shown throughout this series will be Windows 7 machines, but make no mistake: these are attacks that work in modern-day Windows 10 environments.

The first video will utilize a tool called Responder. This is an LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (multicast DNS) poisoner. It will answer specific NBT-NS queries based on their name suffix. By default, the tool will only answer File Server Service requests, which are for SMB. By responding to these broadcasts, nGuard can impersonate the host being requested and intercept future requests that may contain sensitive information. Through these requests, an attacker receives the user's hashed credentials, which can then be taken offline for cracking or used in other attacks.
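As an added defensive example (not part of the original post and not code from the Responder project), the Python module below parses LLMNR messages and implements the canary check a blue team uses to spot this kind of poisoner: multicast a query for a hostname that does not exist anywhere on the network, and treat any answer as evidence that a host on the segment is impersonating names it does not own. The canary name canaryhost01, the transaction id 0x1234, the sample poisoned-response bytes and the 10.0.0.55 answer are all constructed for the example; the wire format (DNS-style header, question and answer sections on UDP 5355 to 224.0.0.252) is the real LLMNR layout.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """Build the LLMNR A-record query a Windows client multicasts when DNS fails.
    Used here as a canary probe: nothing legitimate should answer for a name that does not exist."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(data, offset):
    """Decode labels starting at offset, following a compression pointer if one is present.
    Returns (name, offset just after the name field)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_llmnr(data):
    """Parse an LLMNR message into header fields, the question name and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, qname, answers = 12, None, []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                   # skip QTYPE + QCLASS
    for _ in range(an):
        _aname, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "name": qname, "answers": answers}


def is_poisoned_response(data, canary_name, txid):
    """True when a response claims an address for our canary name: the canary does not exist,
    so whoever answered is answering for hosts it does not own."""
    msg = parse_llmnr(data)
    return (msg["is_response"] and msg["txid"] == txid and msg["name"] is not None
            and msg["name"].lower() == canary_name.lower() and len(msg["answers"]) > 0)


def probe_for_poisoner(canary_name, timeout=2.0, txid=0x1234):
    """Multicast the canary query and return the source IPs of any host that answers it.
    On a clean segment this returns an empty list."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
    offenders = []
    try:
        while True:
            data, (src_ip, _port) = sock.recvfrom(4096)
            if is_poisoned_response(data, canary_name, txid):
                offenders.append(src_ip)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return offenders


# Constructed sample: a response (QR bit set) to txid 0x1234 for "canaryhost01",
# answering with 10.0.0.55 via a compression pointer back to the question name.
SAMPLE_POISONED_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x0ccanaryhost01\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x37"
)

if __name__ == "__main__":
    print("sample parses as:", parse_llmnr(SAMPLE_POISONED_RESPONSE))
    print("sample flagged:", is_poisoned_response(SAMPLE_POISONED_RESPONSE, "canaryhost01", 0x1234))
    print("live probe offenders:", probe_for_poisoner("canaryhost01"))
```

Running the probe periodically from a sensor on each VLAN turns a poisoner into an alert with a source IP, and the same parser can be pointed at a packet capture to find responses to names that no DNS zone contains. The corresponding mitigation, which removes the broadcast traffic Responder relies on, is to disable LLMNR and NetBIOS name resolution through Group Policy and the network adapter settings.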
The image below shows exactly how this works:
Here is the output to the terminal with a user’s hashed credentials:
The video below shows how this first step unfolds:
Stay tuned for part 2, where we will take these hashed credentials and relay them to other machines/systems, which will reveal other hosts on the network we can gain access to. If you have any questions about this attack, or want to see if nGuard can perform attacks like this on your internal network during one of our internal penetration testing assessments, please reach out to an Account Executive.