Bypassing LLMNR/NBT-NS honeypot

Abstract

MITRE ATT&CK™ [https://attack.mitre.org/] “is a globally-accessible cognition base of adversary tactics and techniques based on real-world observations” which recommends the Conveigh honeypot [https://github.com/Kevin-Robertson/Conveigh] for detection of the LLMNR/NBT-NS Poisoning and Relay (T1171) [https://attack.mitre.org/techniques/T1171/] attack. This kind of attack is presently 1 of the most popular attack on Windows networks. nevertheless most honeypots utilized for detecting it can be easy bypassed by detecting the honeypot itself.

Outsmarting the smart a.k.a. honeypot detection

When you deploy a honeypot 1 of the most crucial things is to not uncover to everyone in the vicinity that this is actually a honeypot.

Honeypot Conveigh approach is simple, it sends random LLMNR and NBNS requests at random intervals. If individual in the network responds to these random requests, then it is most likely an attacker who wants to spoof specified request, what leads to MITM attack.

In case of Windows strategy a NBNS (NBT-NS, NetBIOS Name Service) query is sent utilizing broadcast address based on your network settings, including mask, so for 192.168.1.0/24 it is 192.168.1.255.

However this honeypot is sending each NBNS query always to 255.255.255.255 [https://github.com/Kevin-Robertson/Conveigh/blob/master/Conveigh.ps1#L295]

> New-Object System.Net.IPEndpoint([IPAddress]::broadcast,137)

AddressFamily Address Port

------------- ------- ----

InterNetwork 255.255.255.255 137

Windows is never sending NBNS queries on that peculiar broadcast address (it means “this network”). You can detect Conveigh honeypot by simply utilizing the following Wireshark display filter nbns && ip.dst == 255.255.255.255.

Another problem is that Conveigh is sending another queries, erstwhile with LLMNR, the another time with NBNS, erstwhile in reality Windows is querying both protocols utilizing the same name and at the same time. If 1 of these protocols will be disabled then Windows will always send a query utilizing only the enabled 1 – it means that actually there can never be specified situation like for example Windows is querying any name with LLMNR only, and then after 5 minutes is querying another name with NBNS only etc, but this is how Conveigh actually works.

NBNS is utilizing broadcast on port 137/udp, LLMNR is utilizing multicast IP address 224.0.0.252 on port 5355/udp. delight note that there is besides a 3rd protocol – mDNS, which is utilizing multicast IP address 224.0.0.251 port 5353/udp, but we will not focus on it as this blog post is about a circumstantial honeypot related to LLMNR and NBNS.

Additional problem arises due to Conveigh’ creation of random looking hostnames in LLMNR/NBNS queries, which are actually random strings between 5 and 10 characters [https://github.com/Kevin-Robertson/Conveigh/blob/master/Conveigh.ps1#L264]. It can work, but only as a script kiddie detector. Well prepared attackers can't be fooled utilizing this simple technique, specified detection method can work on people who just blindly run poisoning attacks without any first recon.

During a red teaming engagement it is simply a good thought to run Responder [https://github.com/lgandx/Responder] initially for any time with the -A option (“Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding [poisoning]”). Then just ignore specified honeypot IP address during the actual poisoning attack. At least that way we can fool specified primitive and reckless tools.

Summary

At least in most cases it will work as described and it makes full detection of specified honeypots rather easy. This is the reason why I always say that red team should have threat hunting skills and vice-versa, due to the fact that wide experience is very useful in both areas and gives you a better perspective. Red teamers will know that there is simply a anticipation of honeypot presence and how it works, threat hunters will know that specified honeypot is useful but only to catch low skilled script kiddies who just run hacking tools without any understanding. Don't look far just check article in which I wrote about detecting Deloitte Greece ethical hacking squad method called "LAME" (LAteral Movement Encryption) [https://blog.redteam.pl/2019/04/dns-based-threat-hunting-and-doh.html] (second part of the article). intent of this “LAME” method is to not being detected or at least making detection harder, but if you will usage this, you will be most likely detected, nevertheless if you will not usage this, you most likely will fly under radar... This is simply a good example why fancy and “advanced hacker methods” are not always as cool as described by their authors, and why you request know how detection systems work if you would like to be red teamer.

Please note that I don’t blame MITRE ATT&CK for bad approach as this is simply a free and in mostly a good project, but it’s not always advanced quality content as it is created by the community, due to that should not be treated like an oracle by threat hunters. Defensive safety is not about blind rewriting that cognition as detection and prevention methods. This is not how it works in cybersecurity, you request to think like an attacker to be a good defender and for that you request akin cognition as attacker has, to know tools and TTPs as described on top of The Pyramid of Pain [https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html] – threat hunting is besides about researching fresh detection methods.

BTW. If you are BOFH, you can always name your domain controller (DC) as honeypot and your actual honeypot as DC01 etc. This is funny, but what is even more comic is that it actually works on most of script kiddies…