Full Report
TL;DR: I fixed up net-creds and MITMf to solve the CHALLENGE NOT FOUND bug. A while back on an internal assessment, I was having a hard time getting a high-privileged user account. This was the third assessment SensePost has done for the client, and they have implemented several of our recommendations. In particular, Responder wasn’t providing me with any hashes even though I was connected to the same network segment as several users, including some administrators. The client has a strict policy of only using the latest operating systems, i.e. Windows 10, and had disabled NBNS and LLMNR.
Analysis Summary
# Tool/Technique: net-creds / MITMf
## Overview
This summary details the analysis and subsequent fixing of bugs in the tools **net-creds** and **MITMf** that prevented the proper capture and parsing of NTLMSSP challenges, leading to incomplete NETNTLMv2 hashes (showing "CHALLENGE NOT FOUND"). The primary goal of using these tools in the context described was credential harvesting, specifically NTLM authentication material, via Man-in-the-Middle (MITM) attacks on a modern Windows environment.
## Technical Details
- Type: Tool (net-creds for parsing, MITMf for execution/MITM)
- Platform: Primarily targets network traffic captured from Windows clients (Windows 10 observed).
- Capabilities:
- **MITMf:** Execution of ARP spoofing attacks, interception of network traffic, and application of proxy authentication mechanisms to force NTLM challenge/response exchange.
- **net-creds:** Parsing raw network traffic, specifically focused on extracting credentials from headers like `Proxy-Authenticate` during HTTP 407 responses.
- First Seen: Original tools existed prior to the reported issue/fix (2018).
## MITRE ATT&CK Mapping
The core activity is credential access from an adversary-in-the-middle position on the local segment: ARP spoofing to get in the path, a forced HTTP proxy authentication to make the client speak NTLM, and passive parsing of the resulting challenge/response. The ATT&CK IDs below are the ones that actually describe that chain.
- **TA0006 - Credential Access**
- **T1557 - Adversary-in-the-Middle** (the overall MITM position established by MITMf)
- **T1557.002 - ARP Cache Poisoning** (MITMf's ARP spoofing, the initial positioning step)
- **T1187 - Forced Authentication** (the HTTP 407 Proxy Authentication Required response that makes the client send an NTLM response to the attacker's proxy)
- **T1040 - Network Sniffing** (net-creds parsing the intercepted traffic for the NTLMSSP challenge and response)
- **TA0009 - Collection**
- **T1557 - Adversary-in-the-Middle** (ATT&CK lists the technique under Collection as well as Credential Access)
- Not applicable here: **T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay**, the technique Responder depends on. The client had disabled LLMNR and NBNS, which is exactly why Responder produced nothing and the engagement moved to ARP spoofing plus proxy authentication.
## Functionality
### Core Capabilities
1. **ARP Spoofing:** Used by MITMf to position itself between clients and the network/gateway.
2. **Forcing Authentication:** Utilizing HTTP 407 Proxy Authentication Required responses (often combined with WPAD/Proxy configurations) to force clients (even Windows 10) to send NTLM challenge/responses over the proxy.
3. **NTLM Hash Extraction (Fixed net-creds):** Parsing captured raw HTTP data to reliably pair the two halves of the exchange: the NTLMSSP challenge (Type 2 message) carried in the `Proxy-Authenticate: NTLM <base64>` header of the server's 407 response, and the client's response (Type 3 message) carried in the following `Proxy-Authorization` header. Only with both halves can a complete NETNTLMv2 hash be formed; without the challenge, net-creds emitted "CHALLENGE NOT FOUND".
### Advanced Features
The fix specifically targets the parsing of the `Proxy-Authenticate` header in HTTP 407 responses.
1. **HTTP Header Parsing Correction:** The original `headers_to_dict` function in net-creds did not handle the first line of an HTTP server response (e.g., `HTTP/1.1 407 Proxy Authentication Required`), which has no `name: value` form. Treating it as a header shifted the key/value pairing in the resulting dictionary, so the `Proxy-Authenticate` value holding the NTLMSSP challenge was lost or stored under the wrong key, and the hash was emitted with "CHALLENGE NOT FOUND" in place of the challenge.
2. **Argument Order Correction:** A secondary bug, arguments passed in the wrong order to a function call during hash reconstruction, was also resolved.
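The parsing chain described in the two lists above (407 response, `Proxy-Authenticate` challenge, `Proxy-Authorization` response, NETNTLMv2 hash) is shown below as an added, self-contained example. It is not net-creds' or MITMf's own code and does not reproduce the original `headers_to_dict`; it is a clean parser that keeps the HTTP start line out of the header map, tolerates repeated `Proxy-Authenticate` headers, extracts the 8-byte server challenge at offset 24 of the NTLMSSP Type 2 message, and builds the hashcat-style `user::domain:challenge:NTProofStr:blob` line from the Type 3 message. The sample exchange is constructed in the block itself (the `_build_type*` helpers, the `CORP`/`alice`/`WS01` names, the challenge and response bytes are all made up for the demonstration, not captured traffic).

```python
import base64
import struct

# Negotiate flags used for the constructed messages:
# UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_DOMAIN.
NEGOTIATE_FLAGS = 0x00018205


def parse_http_headers(raw: bytes):
    """Split an HTTP message head into (start line, {lower-name: [values]}).

    The start line ("HTTP/1.1 407 Proxy Authentication Required" or a request line)
    is returned on its own instead of being treated as a header; repeated headers
    such as two Proxy-Authenticate lines are kept as a list, not overwritten.
    """
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def ntlm_token(header_value: str):
    """Decode 'NTLM <base64>' to raw NTLMSSP bytes; None for bare 'NTLM' or other schemes."""
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    blob = base64.b64decode(token)
    return blob if blob.startswith(b"NTLMSSP\x00") else None


def ntlmssp_type(blob: bytes) -> int:
    return struct.unpack_from("<I", blob, 8)[0]          # MessageType follows the 8-byte signature


def challenge_from_type2(blob: bytes) -> bytes:
    return blob[24:32]                                   # MS-NLMP CHALLENGE_MESSAGE.ServerChallenge


def _field(blob: bytes, pos: int) -> bytes:
    # MS-NLMP field descriptor: Len (2), MaxLen (2), BufferOffset (4), little-endian.
    length, _max_len, offset = struct.unpack_from("<HHI", blob, pos)
    return blob[offset:offset + length]


def netntlmv2_from_type3(blob: bytes, challenge: bytes) -> str:
    """Build the hashcat 5600 / john netntlmv2 line from an AUTHENTICATE_MESSAGE."""
    nt_resp = _field(blob, 20)
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16le" if flags & 0x1 else "latin-1"       # NTLMSSP_NEGOTIATE_UNICODE
    domain = _field(blob, 28).decode(enc)
    user = _field(blob, 36).decode(enc)
    if len(nt_resp) <= 24:
        raise ValueError("24-byte NtChallengeResponse is NTLMv1, not v2")
    # NTLMv2: first 16 bytes are NTProofStr, the remainder is the client blob.
    return f"{user}::{domain}:{challenge.hex()}:{nt_resp[:16].hex()}:{nt_resp[16:].hex()}"


def harvest(messages):
    """Walk HTTP messages in wire order, pairing each Type 3 with the last seen Type 2 challenge."""
    challenge, results = None, []
    for raw in messages:
        start_line, hdrs = parse_http_headers(raw)
        if start_line.startswith("HTTP/") and " 407 " in start_line:
            for value in hdrs.get("proxy-authenticate", []):
                blob = ntlm_token(value)
                if blob and ntlmssp_type(blob) == 2:
                    challenge = challenge_from_type2(blob)
        else:
            for value in hdrs.get("proxy-authorization", []):
                blob = ntlm_token(value)
                if blob and ntlmssp_type(blob) == 3:
                    results.append("CHALLENGE NOT FOUND" if challenge is None
                                   else netntlmv2_from_type3(blob, challenge))
                    challenge = None
    return results


# --- Constructed sample exchange (made up for this example, not a capture) ----
def _build_type1() -> bytes:                             # NEGOTIATE_MESSAGE, empty domain/workstation
    return b"NTLMSSP\x00" + struct.pack("<II", 1, NEGOTIATE_FLAGS) + b"\x00" * 16


def _build_type2(challenge: bytes, target: str = "CORP") -> bytes:
    tn = target.encode("utf-16le")
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tn), len(tn), 48)     # TargetName right after the 48-byte header
    msg += struct.pack("<I", NEGOTIATE_FLAGS) + challenge + b"\x00" * 8
    msg += struct.pack("<HHI", 0, 0, 48 + len(tn))       # empty TargetInfo
    return msg + tn


def _build_type3(user: str, domain: str, workstation: str, nt_resp: bytes) -> bytes:
    fields = [b"\x00" * 24, nt_resp] + [s.encode("utf-16le") for s in (domain, user, workstation)] + [b""]
    msg, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for f in fields:                                     # Lm, Nt, Domain, User, Workstation, SessionKey
        msg += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    return msg + struct.pack("<I", NEGOTIATE_FLAGS) + payload


SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
NT_PROOF = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT_BLOB = bytes.fromhex("0101000000000000" "00c0e1cb2cf0d701" "a1b2c3d4e5f60718" "00000000")
EXPECTED_HASH = f"alice::CORP:{SERVER_CHALLENGE.hex()}:{NT_PROOF.hex()}:{CLIENT_BLOB.hex()}"

SAMPLE_EXCHANGE = [
    b"GET http://wpad.corp.local/wpad.dat HTTP/1.1\r\nHost: wpad.corp.local\r\n\r\n",
    b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n",
    b"GET http://wpad.corp.local/wpad.dat HTTP/1.1\r\nProxy-Authorization: NTLM "
    + base64.b64encode(_build_type1()) + b"\r\n\r\n",
    b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM "
    + base64.b64encode(_build_type2(SERVER_CHALLENGE)) + b"\r\nContent-Length: 0\r\n\r\n",
    b"GET http://wpad.corp.local/wpad.dat HTTP/1.1\r\nProxy-Authorization: NTLM "
    + base64.b64encode(_build_type3("alice", "CORP", "WS01", NT_PROOF + CLIENT_BLOB)) + b"\r\n\r\n",
]

if __name__ == "__main__":
    for line in harvest(SAMPLE_EXCHANGE):
        print(line)
```

Running the block prints one NETNTLMv2 line for `alice`. Feeding it only the final request (the Type 3 without its preceding 407) reproduces the "CHALLENGE NOT FOUND" output the page is about, which is what a parser sees when the challenge was dropped on the way in. The flag check at offset 60 matters in practice: if a client negotiates OEM rather than Unicode, the domain and user fields are single-byte strings and a blind `utf-16le` decode yields garbage.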
## Indicators of Compromise
The context focuses on the *output* of a successful attack rather than classic IoCs relating to the tool itself being dropped.
- File Hashes: [Not specified/Not relevant for this summary, as the researcher only fixed open-source tools]
- File Names: [Not specified]
- Registry Keys: [Not applicable]
- Network Indicators: The attack runs entirely on the local network segment. Because the client had disabled NBNS and LLMNR, the broadcast-poisoning traffic Responder relies on was not the vector and will not be present. What will be present is unsolicited or gratuitous ARP replies re-binding the gateway or victim IP addresses to the attacker's MAC, followed by HTTP 407 Proxy Authentication Required responses carrying `Proxy-Authenticate: NTLM` headers from a host that is not the organisation's proxy, typically around WPAD/PAC file requests, which is how clients are coaxed into authenticating to the attacker's proxy.
- Behavioral Indicators:
- Presence of spoofed ARP responses on the network segment.
- Observation of HTTP 407 responses containing `Proxy-Authenticate` headers on the local network.
## Associated Threat Actors
The tools (MITMf and net-creds) are publicly available security testing tools. The specific context involves an *internal assessment* performed by SensePost researchers. No known malicious threat groups are explicitly linked to the *bug* itself, although the techniques utilized are common in penetration testing and adversarial operations.
## Detection Methods
Detection would focus on active MITM techniques and unexpected NTLM authentication flows.
- Signature-based detection: Host signatures for MITMf or net-creds are of limited value, since both run on the attacker's machine rather than on the victim. Network signatures are the useful kind: an HTTP 407 with an NTLM `Proxy-Authenticate` header from an address that is not an approved proxy, or a WPAD/PAC response served from an unexpected host.
- Behavioral detection: Monitoring for active ARP poisoning on the internal network (an IP address whose MAC changes, or one MAC answering for several IPs, the gateway's in particular). Monitoring for clients picking up proxy settings they were not given by policy, and for NTLM authentication to proxies or hosts outside the intranet zone.
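The two behavioural indicators above (spoofed ARP replies, unexpected NTLM proxy challenges) are small enough to express as detection logic. The block below is an added example, not part of the original page or any of the tools it describes; it runs over constructed sample events whose field names (`sender_ip`, `sender_mac`, `src_ip`, `proxy_authenticate`) are assumed, standing in for whatever an ARP monitor or network sensor actually emits. The ARP check flags both an IP address whose MAC changes and a single MAC claiming several IPs; the HTTP check flags a 407 NTLM challenge from any host that is not on the approved proxy list.

```python
from collections import defaultdict

# Constructed sample telemetry (not real captures). Field names are assumptions.
ARP_REPLIES = [
    {"ts": 1, "sender_ip": "10.0.0.1",  "sender_mac": "00:11:22:33:44:55"},  # real gateway
    {"ts": 2, "sender_ip": "10.0.0.57", "sender_mac": "aa:bb:cc:dd:ee:01"},  # a workstation
    {"ts": 3, "sender_ip": "10.0.0.1",  "sender_mac": "de:ad:be:ef:00:01"},  # gateway IP re-bound to another MAC
    {"ts": 4, "sender_ip": "10.0.0.57", "sender_mac": "de:ad:be:ef:00:01"},  # same MAC now also claims the workstation
]
HTTP_RESPONSES = [
    {"ts": 5, "src_ip": "10.0.0.20", "status": 407, "proxy_authenticate": ["Negotiate", "NTLM"]},  # approved proxy
    {"ts": 6, "src_ip": "10.0.0.99", "status": 407, "proxy_authenticate": ["NTLM"]},              # not a proxy
    {"ts": 7, "src_ip": "10.0.0.99", "status": 200, "proxy_authenticate": []},
]
APPROVED_PROXIES = {"10.0.0.20"}


def detect_arp_spoofing(replies):
    """Return (ts, kind, detail) alerts for IP re-binding and one MAC answering for many IPs."""
    alerts = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"]
        # An IP previously seen with a different MAC: classic poisoning symptom.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append((r["ts"], "ip_rebound", f"{ip} moved from {sorted(ip_to_macs[ip])} to {mac}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        # One MAC claiming several IPs (gateway plus victims) is how a full-duplex MITM looks.
        if len(mac_to_ips[mac]) > 1:
            alerts.append((r["ts"], "mac_multi_ip", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


def detect_rogue_proxy_auth(responses, approved_proxies):
    """Return (ts, kind, detail) alerts for NTLM 407 challenges from hosts that are not approved proxies."""
    alerts = []
    for r in responses:
        ntlm_offered = any(v.split()[0].upper() == "NTLM" for v in r["proxy_authenticate"] if v)
        if r["status"] == 407 and ntlm_offered and r["src_ip"] not in approved_proxies:
            alerts.append((r["ts"], "rogue_407", f"{r['src_ip']} issued an NTLM proxy challenge"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES) + detect_rogue_proxy_auth(HTTP_RESPONSES, APPROVED_PROXIES):
        print(alert)
```

The ARP logic is the sensor-side view; the preventive control for the same condition is Dynamic ARP Inspection on the access switches, which drops the spoofed replies before any host caches them. The 407 check assumes the organisation can enumerate its legitimate proxies, which it should be able to if clients are configured by policy rather than by WPAD discovery.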
- YARA rules: [Not available based on context]
## Mitigation Strategies
The context provides specific mitigations applied by the client.
- Prevention measures: Disabling **NBNS** and **LLMNR** removed the attack surface that relies purely on broadcast name-resolution poisoning; it is the reason Responder returned nothing on this engagement.
- Hardening recommendations:
- Implement proper network segmentation to limit the reach of ARP poisoning, and enable Dynamic ARP Inspection on access switches so spoofed replies are dropped at the port.
- Do not treat a current OS as sufficient on its own: the client was fully on Windows 10 with LLMNR and NBNS disabled and was still exploitable, because ARP spoofing plus proxy authentication depends on neither.
- Harden proxy configuration so that clients cannot be handed a proxy from the network: disable WPAD auto-discovery (or pin an explicit proxy by policy) and keep NTLM authentication to proxies restricted to the intranet zone, so non-essential requests such as PAC file downloads never trigger a credential exchange.
- A captured NETNTLMv2 hash is cracked offline, so password length and a preference for Kerberos over NTLM where feasible limit what the attacker gains even when the exchange is intercepted.
## Related Tools/Techniques
- **Responder:** Mentioned as the tool that *failed* to capture hashes, indicating the attacker switched tactics after Responder proved ineffective due to client hardening (disabled LLMNR/NBNS).
- **WPAD (Web Proxy Auto-Discovery):** Used in conjunction with MITMf to facilitate the forced NTLM authentication via the proxy mechanism.
- **Impacket's ntlmrelayx.py:** Mentioned as having incorporated a similar proxy-based forced-authentication approach proposed in related research.