Skip to content

Cyanide

Cyanide is H3's tool to facilitate and correlate man-in-the-middle (MITM) attacks and credential relays.

Cyanide utilizes opportunistic network protocol poisoning techniques and active coercion techniques to solicit a device to connect to NodeZero with authentication material. If MITM relay has been enabled for the pentest, Cyanide will attempt to relay authentication material to vulnerable target services and applications within the scope of the pentest.

Terminology

MITM Credential Relay attacks typically involve two hosts within the target network. H3 uses the terms "Source" and "Target" to differentiate these two hosts and their associated weaknesses and misconfigurations that enable a successful MITM attack.

  • Source - The host/user that initiates a connection and authentication session to NodeZero's relay server. Typically, the source authentication material will provide a username and possibly the path to a requested resource (e.g SMB share, SQL database, etc.)
    • Source Weakness - the poisoning or coercion weakness that enabled or caused the source host to connect to NodeZero's relay server.
  • Target - The host to which NodeZero will relay the authentication material for exploitation.
    • Target Weakness - the Weakness on the target host that enables cyanide to relay credentials successfully and gain unauthorized access.

Purpose

During a pentest, NodeZero has to be able to accurately correlate the source of discovered credentials and track where they are being utilized to access network resources. Additionally, NodeZero needs to accurately determine which weaknesses were utilized in an attack chain. Cyanide's primary purpose is to make these correlations for MITM attacks, and capture authentication material for use or hash-cracking. Cyanide answers the questions:

Authentication Event Details

Category Description
Who The user, machine, or service account that the captured authentication material represents.
What The attack method used to force the source host/user to connect to NodeZero:

- Poisoning: LLMNR, NBT-NS, MDNS
- Coercion: PetitPotam, ShadowCoerce, PrinterBug, etc.

Additionally, the resource requested by the source user (e.g., SMB share, SQL database, etc.).
Where The source host of the authentication material (i.e., where the connection originated).
Where the credentials were utilized (i.e., the target service/host of the relay attack).
When The timestamp of each event, including:
- When the host was poisoned
- When the hash was captured
- When a relay attack occurred
Why With the combined data, Cyanide can determine why the attack happened and why it was successful.

System Breakdown

Currently the Cyanide system consists of 4 distinct parts:

Attack Components

# Component Description
1 Cyanide Message Pump Correlates source and target information and provides collected data to NodeZero.
2 Responder Handles broadcast protocol poisoning.
3 Intimidator Executes coercion attacks.
4 Impacket's ntlmrelayx Manages inbound SMB and HTTP connections and relays authentication material to vulnerable targets.

1. Cyanide Message Pump

The main cyanide process, or message pump, processes incoming messages from the other 3 components of the Cyanide system and takes appropriate action correlating source and target information and populating a database that NodeZero can utilize to understand what MITM interactions are occurring and what new authentication material is available for the pentest.

2. Responder

Responder is an LLMNR, NBT-NS, and MDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: Archived Microsoft KB). By default, the tool will only answer File Server Service requests, which is for SMB.

If Responder poisons a source host via one of these broadcast protocols, it will reach back via whatever protocol the broadcast was for (e.g. SMB, RDP, MSSQL, etc.).

  • If the protocol is NOT SMB or HTTP, Responder will simply capture the credential and inform Cyanide of the results. Cyanide will then report this data back to NodeZero's ephemeral cloud architecture and attempt to re-use or crack the captured credential material.
  • If the protocol IS SMB or HTTP, ntlmrelayx SMB and HTTP servers will handle it appropriately - either relaying it to a vulnerable service or dumping the credential for cracking.

Poisoners

Name Description Protocol Port(s)
LLMNR Link-Local Multicast Name Resolution (LLMNR)
Enables local network computers to resolve hostnames using DNS-like requests. It uses unicast, so only the requesting device sees the reply.		 UDP 5355
NBT-NS Network Basic Input/Output System Name Service (NBT-NS)
Used for name resolution with NetBIOS names. It can use broadcast, unicast, or multicast.		 UDP 137, 138
mDNS Multicast Domain Naming System (mDNS)
Allows hostname resolution without a central DNS server. Replies are multicast, updating local caches.		 UDP 5353
SERVERS
MSSQL Microsoft SQL Server TCP, UDP 1433 (TCP)
1434 (UDP)
RDP Remote Desktop Protocol TCP 3389
Kerberos Authentication protocol used for secure network login TCP 88
FTP File Transfer Protocol TCP 21
POP Post Office Protocol (used for retrieving emails) TCP 110
SMTP Simple Mail Transfer Protocol (used for sending emails) TCP 25, 587
IMAP Internet Message Access Protocol (used for retrieving emails) TCP 143
HTTPS Secure HTTP communication TCP 443
LDAP Lightweight Directory Access Protocol TCP, UDP 389
DCERPC Distributed Computing Environment Remote Procedure Call TCP 135
WINRM Windows Remote Management TCP 5895

Expanded vs. Limited Poisoning

NodeZero's Attack Configuration options have 2 options that control the behavior of Responder:

  • Expanded LLMNR and NetBIOS poisoning
    • Responder will sniff all available traffic regardless of scope.
    • In "Expanded" mode, relay sources from outside the pentest's configured scope will NOT be targeted for any other attacks; they are only used to capture/relay credential material.
  • Limited LLMNR and NetBIOS poisoning
    • Responder is limited to the scope provided during the configuration of the pentest. If both options are selected, the Limited option will override the Expanded option.

Where does it work?

Since Responder works by capturing broadcast and multicast packets, capturing requests in different networks is not possible and therefore, Cyanide will only work within NodeZero's subnet.

3. Intimidator

Intimidator is H3's framework for integrating NTLM coercion techniques with Cyanide. Intimidator provides a quick plug-and-play capability to facilitate the inclusion of new coercion techniques and open source tools quickly into NodeZero. Cyanide communicates with Intimidator over a duplexed IPC -- allowing the two processes to coordinate coercion and relay attacks effectively.

4. Impacket's NTLMRelayx

Cyanide utilize's a modified version of Impacket's NTLMRelayx as the base for our relay server.

When a source host connects and provides authentication material to ntlmrelayx's SMB or HTTP server, it will save the NTLMv2 hash for cracking and relay the authentication session to high-value service vulnerable to NTLM relay within the scope of the pentest. Possible targets include: - SMB servers with SMB-signing disabled: If cyanide is able to successfully log into the server, it will attempt to dump local credentials. - ADCS Server with the ESC8 Misconfiguration - LDAP servers with LDAP Signing disabled.

Scoping Scenarios

The below Scenarios and Examples review cyanide's behavior when the "Limited LLMNR and NetBIOS poisoning option is configured for the pentest.

Scenario 1

No scope is specified OR if the scope of the NodeZero host subnet is specified Scope defaults to the full subnet of the NodeZero host to poison

Example 1

NodeZero host subnet: 192.168.0.0/24
Scope: Auto-Expand
Result: Cyanide will get a scope of 192.168.0.0/24 because no scope was specified and poisoning can only happen within the network of NodeZero. Relaying will occur against high-value targets that are discovered. Coercion attempts will be made against high-value targets within the pentest scope.

Example 2

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, 192.168.0.0/24
Result: Cyanide will get a scope of 192.168.0.0/24 because the specified scope contains the subnet of the NodeZero host. Relaying and coercion will occur against high-value targets that are within the scope specified.

Scenario 2

The scope of the NodeZero host is within the whitelist, Cyanide will get that as its scope

Example

NodeZero host subnet: 192.168.0.0/24
Scope: 172.16.100.0/24, 10.0.0.0/16, **192.168.0.0/30**
Result: Cyanide will only poison hosts within the 192.168.0.0/30 subnet because it falls within the NodeZero hosts subnet. Relaying and coercion will occur against high-value targets that are within the scope specified.