Broadcast Name Resolution Poisoning

Broadcast name resolution poisoning is an attack targeting user credentials as a means to further access corporate networks and data. To initiate the attack, a threat actor would buy a generic top-level domain (gTLD) and establish attacker-controlled entries for the web proxy auto-discover protocol (WPAD). The attacker spoofs domain name resolutions to which victim computers will then auto-connect, generally when the end user is trying to connect to the internet via an external DNS, such as at a hotel or coffee shop. The spoofed domain responds to authentication requests and can capture authentication credentials.

Hashed passwords, however, are not immune from theft. A pass-the-hash attack is a form of credential theft accomplished through “hash dumping.” “Hash dumping” allows an attacker to gain access to hashed passwords and then use them to navigate through a system. Some common tools for hash dumping include pwdump, Pshtoolkit, creddump, etc. Once an attacker accesses the hashed passwords, he doesn’t need to know actual, plaintext user passwords to perform a pass-the-hash attack.

Single sign-on, in particular, while convenient for users, makes a pass-the-hash attack more viable and allows an attacker to authenticate to private systems or information and migrate from host to host.

Protecting against pass-the-hash attack is the same as for other identity and access management strategies. They include:

  • Implement two-/multi-factor authentication
  • Restrict high privileged accounts (domain, local, and admins)
  • Restrict inbound traffic via firewall
  • Allow domain controllers to be accessed only by air-gapped trusted systems

Get the DeMISTIfying InfoSec newsletter every Tuesday!