Skip to content

Cyanide

What does Cyanide do?

Cyanide utilizes an opportunistic attack and combines Impacket’s ntlmrelayx.py with additional "poisoners" (e.g. Responder) to correlate:

  • Who
    • Cyanide will provide information about the user or service account that was captured
  • What
    • What method of poisoning was used (LLMNT/NBT-NS/MDNS)?
    • What resource was requested (e.g SMB share, SQL database, etc.)?
  • Where
    • Where was the credential used?
    • Where was the source?
  • When
    • The date/timestamp of each event will be available:
      • When the host was poisoned
      • When the hash was captured
      • When a relay attack happened
  • Why
    • With the combined data, you will be able to tell why this attack happened and why it was successful.

Meaning, Responder will poison a host over LLMNR, then the poisoned host will reach back via whatever protocol the broadcast was for (e.g. SMB, RDP, MSSQL, etc.).

  • If the protocol is NOT SMB or HTTP, Responder will simply capture the credential and inform Cyanide of the results. Cyanide will then report this data back to core and an attempt to crack the hash will be made.
  • If the protocol IS SMB or HTTP, ntlmrelayx SMB and HTTP servers will capture the response from the poisoned host, prompt it to supply credentials, capture the credentials, and then either save that information to be cracked offline or if relaying is enabled, use the username/hash captured and attempt to login to targets that appear to be high value and dump local credentials. This form of relaying credentials will only work if the target hosts DO NOT have SMB signing enabled.

At the end of a pentest, if Cyanide was successful in capturing a hash and (if relaying is enabled) relaying it, you will be able to see why this happened. Perhaps you have an old service account on a workstation, that is re-using credentials, but the intended network resource no longer exists on the network. This would trigger an LLMNR/NBT-NS event. You will be armed with all of the information needed to find the responsible source host captured from, the protocol it was requesting (e.g. SMB), the username used, and the target service to which the username and hash were relayed. Lastly, you can fix the host (applying the appropriate fix action described under the Weakness), and verify by running the same pentest again.

What does Responder do?

Responder is an LLMNR, NBT-NS, and MDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: Archived Microsoft KB). By default, the tool will only answer File Server Service requests, which is for SMB. This tool listens on several ports: UDP/137, UDP/138, TCP/389, TCP/1433, UDP/1434, TCP/88, TCP/135, TCP/139, TCP/21, TCP/25, TCP/110, TCP/587, TCP/143, TCP/5985, Multicast UDP/5355 and 5353.

  • Poisoners
    • LLMNR
      • LLMNR stands for Link-Local Multicast Name Resolution. LLMNR is based on the DNS format and enables computers on the same local network to conduct name resolution of other hosts. LLMNR is unicast, so only the device that sent the request will see the reply.
      • Server port UDP/5355
    • NBTNS
      • NBT-NS stands for Network Basic Input/Output System Name Service. NBT-NS is often referred to as its base application programming interface, NetBIOS, for short. The NBT-NS protocol is used similarly to LLMNR, except it utilizes hosts on the network by their NetBIOS name and will ask the receiving machine to disclose and return its current set of NetBIOS names. NBT-NS can utilize broadcast, unicast, or multicast.
      • UDP/137
      • UDP/138
    • MDNS
      • mDNS stands for Multicast Domain Naming System (mDNS). mDNS replies are sent over multicast so that everyone can see them and keep their local mDNS cache up to date.
      • UDP/5353
    • Servers
      • MSSQL
        • TCP/1433
        • UDP/1434
      • RDP
        • TCP/3389
      • Kerberos
        • TCP/88
      • FTP
        • TCP/21
      • POP
        • TCP/110
      • SMTP
        • TCP/25
        • TCP/587
      • IMAP
        • TCP/143
      • HTTPS
        • TCP/443
      • LDAP
        • TCP/389
        • UDP/389
      • DCERPC
        • TCP/135
      • WINRM
        • TCP/5895

NTLM Relaying

NTLM Authentication is a challenge-response-based protocol. Challenge-response protocols use a commonly shared secret. In this case, the user password, to authenticate the client. The server sends a challenge, and the client replies with the response to this challenge. If the challenge matches the one calculated by the server, the authentication is accepted.

After a host is poisoned and the hash is captured, if relaying is enabled, the username/hash combination will attempt to login to the target hosts over SMB. For this attack to be successful the target host must not have SMB signing enabled. Upon successful login, a follow-on attack will occur and attempt to harvest local usernames and hashes from that target.

Servers Utilized

  • HTTP
    • TCP/80
  • SMB
    • TCP/445
  • Attack
    • Secrets dump
      • secretsdump is an action performed against a target machine that will attempt to dump the Security Account Manager (SAM) on Windows hosts. If successful, a list of username/NTLM hashes will be harvested and can be used with tools such as Crackmapexec to pass the hash and access other hosts within the network.NOTE: SAM dumping can only occur if the user has administrative credentials. A non-privileged user may be able to login, but the default action Cyanide uses of dumping SAM cannot be achieved. However, this does not mean you don’t have to worry about it. Other actions can be utilized to gain access to the host and potential privilege escalate to an administrative user.

Where does it work?

Since Responder works by capturing broadcast packets, capturing requests in different networks is not possible and therefore, Cyanide will only work within the network it resides in.

Based on the location of NodeZero, that is the subnet that will be poisoned. Two ways Cyanide uses scope:

Scenario 1

No scope is specified OR if the scope of the NodeZero host subnet is specified Scope defaults to the full subnet of the NodeZero host to poison

Example 1

NodeZero host subnet: 192.168.0.0/24
Scope: Auto-Expand
Result: Cyanide will get a scope of 192.168.0.0/24 because no scope was specified and poisoning can only happen within the network of NodeZero. Relaying will occur against high-value targets that are discovered during host discovery and have SMB signing disabled.

Example 2

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, 192.168.0.0/24
Result: Cyanide will get a scope of 192.168.0.0/24 because the specified scope contains the subnet of the NodeZero host. Relaying will occur against high-value targets that are within the scope specified and have SMB signing disabled.

Scenario 2

The scope of the NodeZero host is within the whitelist, Cyanide will get that as its scope

Example

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, **192.168.0.0/30**
Result: Cyanide will only poison hosts within the 192.168.0.0/30 subnet because it falls within the NodeZero hosts subnet. Relaying will occur against high-value targets that are within the scope specified and have SMB signing disabled.