The rapid pace of technological advancement constantly creates new attack vectors and attack surfaces. Consequently, it is critical to stay up to date on new changes, and also to revisit older technologies and previously identified attack surfaces to ensure that proper security measures were put in place.

As part of Pentera Labs’ mission, we aim to uncover these specific weak points, which may go unnoticed by standard security tools, so Red Teamers and Pen Testers can use them effectively and defenders can be aware of them.

In this article, we show how three network protocols, MS-LLTD, mDNS and ICMPv6, can be used for attacks. We chose these protocols because they are commonly used on platforms and in internal networks; at the same time, because they generate very little network traffic, they are easily overlooked.

This blog post is an overview of the comprehensive research paper we wrote on these protocols. In the paper, we detail every step we took with these protocols and how we were able to conduct network discovery and a MITM attack. The paper also includes additional insights and in-depth explanations. You can read the entire paper here.

Protocol 1: MS-LLTD

LLTD (Link-Layer Topology Discovery) is the standard protocol for sending link-layer event notifications. Its purpose is to enable devices to discover the link-layer topology of the network. MS-LLTD is Microsoft’s implementation of the LLTD protocol.

During a “Quick Discovery” process, a device sends a broadcast message to the Ethernet broadcast address. Any LLTD-capable device responds with a “Hello” message. This message also carries a list of information about the responding station itself (IPv4 address, IPv6 address, host ID, etc.) in a predefined type-length-value (TLV) structure.

The Risk: This information can be used for network discovery.

What is Network Discovery?

Network discovery is the process that allows devices to locate and connect with each other on a network. In this phase, the physical device, usually identified by an Ethernet (MAC) address in 802.x networks, is mapped to other kinds of logical information (usually IPv4 and IPv6 addresses).

Network discovery is the first action a device takes in order to communicate with other devices in the network. It is also one of an attacker’s first actions in an attack, since it lets them map the environment.
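The Hello message described above is only useful to a mapper (or a defender doing passive asset inventory) once its TLV property list is decoded. The following is an added example, not code from the original post or from Pentera: it parses the TLV list that follows the LLTD headers of a Hello response, extracts the station's MAC, IPv4, IPv6 and machine name, and compares the result against a known-asset list. The TLV type codes and the UTF-16LE name encoding are my recollection of the MS-LLTD property table and should be treated as assumptions to verify against the specification; the sample frame is constructed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# TLV type codes as I recall them from the MS-LLTD property table.
# ASSUMPTION: verify these against the MS-LLTD specification before relying on them.
TLV_END_OF_LIST = 0x00
TLV_HOST_ID = 0x01        # 6-byte MAC address of the responding station
TLV_IPV4_ADDRESS = 0x07   # 4-byte IPv4 address
TLV_IPV6_ADDRESS = 0x08   # 16-byte IPv6 address
TLV_MACHINE_NAME = 0x0F   # host name, assumed UTF-16LE


def parse_tlvs(payload: bytes):
    """Walk a list of (1-byte type, 1-byte length, value) entries.

    Stops at the End-of-Property-List entry and rejects entries whose declared
    length runs past the buffer, so a truncated or malformed frame cannot make
    the parser report garbage as station data.
    """
    entries = []
    offset = 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = payload[offset], payload[offset + 1]
        if tlv_type == TLV_END_OF_LIST:
            break
        start, end = offset + 2, offset + 2 + tlv_len
        if end > len(payload):
            raise ValueError(f"TLV type 0x{tlv_type:02x} at offset {offset} overruns the payload")
        entries.append((tlv_type, payload[start:end]))
        offset = end
    return entries


def station_from_hello(tlv_payload: bytes) -> dict:
    """Reduce a Hello property list to the fields useful for an asset inventory."""
    station = {}
    for tlv_type, value in parse_tlvs(tlv_payload):
        if tlv_type == TLV_HOST_ID and len(value) == 6:
            station["mac"] = ":".join(f"{b:02x}" for b in value)
        elif tlv_type == TLV_IPV4_ADDRESS and len(value) == 4:
            station["ipv4"] = str(IPv4Address(value))
        elif tlv_type == TLV_IPV6_ADDRESS and len(value) == 16:
            station["ipv6"] = str(IPv6Address(value))
        elif tlv_type == TLV_MACHINE_NAME:
            station["name"] = value.decode("utf-16-le", errors="replace")
        # any other property type is skipped rather than treated as an error
    return station


def unknown_stations(hello_payloads, known_macs):
    """Return the responding stations whose MAC is not in the defender's asset list."""
    known = {m.lower() for m in known_macs}
    stations = (station_from_hello(p) for p in hello_payloads)
    return [s for s in stations if s.get("mac") and s["mac"] not in known]


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used only to construct the sample below."""
    if len(value) > 0xFF:
        raise ValueError("TLV value longer than 255 bytes")
    return bytes([tlv_type, len(value)]) + value


# Constructed sample: the property list of one Hello response (LLTD headers omitted).
SAMPLE_HELLO = (
    build_tlv(TLV_HOST_ID, bytes.fromhex("001122334455"))
    + build_tlv(TLV_IPV4_ADDRESS, IPv4Address("192.0.2.10").packed)
    + build_tlv(TLV_IPV6_ADDRESS, IPv6Address("2001:db8::10").packed)
    + build_tlv(TLV_MACHINE_NAME, "WORKSTATION-7".encode("utf-16-le"))
    + build_tlv(0x02, b"\x00\x00")          # characteristics: present but ignored here
    + bytes([TLV_END_OF_LIST, 0x00])
    + b"\xde\xad"                            # bytes after the end marker are never parsed
)

if __name__ == "__main__":
    print(station_from_hello(SAMPLE_HELLO))
    print(unknown_stations([SAMPLE_HELLO], known_macs=["00:11:22:33:44:55"]))
```

Running the parser over a capture of Quick Discovery responses gives the same MAC-to-address map an attacker would build, which is exactly what makes it useful for spotting stations that are not in the asset inventory.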

Protocol 2: MDNS

mDNS (Multicast Domain Name Service) enables hosts to perform DNS-like operations on a local network without a conventional unicast DNS server. It is a zero-configuration service built on the existing DNS protocol. As with DNS, a host may use mDNS to query IP addresses (A and AAAA records), service pointers (SRV records), and other record types. Devices that implement the mDNS service answer queries and even provide additional data, such as their IPv6 address.

The Risk: This information can also be used for network discovery.
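Because mDNS reuses the DNS wire format, the discovery value of a single multicast response is easy to see once the records are decoded: a host's A and AAAA answers, plus the SRV record naming the service it runs, all arrive in one packet. The following is an added example, not code from the original post or from Pentera: it parses the resource records of an mDNS response (including RFC 1035 name compression, which mDNS responders use heavily) and collapses the address records into a host-to-address map. The message is constructed in place; the multicast group, port, record type numbers and cache-flush bit are the values from RFC 6762 and RFC 1035.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

MDNS_GROUP_V4, MDNS_PORT = "224.0.0.251", 5353   # link-local group and port (RFC 6762)
TYPE_A, TYPE_PTR, TYPE_AAAA, TYPE_SRV = 1, 12, 28, 33
CACHE_FLUSH = 0x8000                             # mDNS reuses the top bit of the class field


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name), following RFC 1035 compression pointers."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier copy of the name
            if resume is None:
                resume = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_mdns_records(msg: bytes):
    """Parse every resource record (answer, authority, additional) of an mDNS response."""
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):                     # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                              # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata_at = offset + 10
        rdata = msg[rdata_at:rdata_at + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        offset = rdata_at + rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = str(IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = str(IPv6Address(rdata))
        elif rtype == TYPE_PTR:
            value, _ = decode_name(msg, rdata_at)        # PTR target may be compressed
        elif rtype == TYPE_SRV and rdlen >= 6:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = decode_name(msg, rdata_at + 6)   # and so may the SRV target
            value = f"{target}:{port}"
        else:
            value = rdata.hex()
        records.append({"name": name, "type": rtype, "ttl": ttl,
                        "cache_flush": bool(rclass & CACHE_FLUSH), "value": value})
    return records


def addresses_by_host(msg: bytes):
    """Collapse A/AAAA records into a host -> sorted address list map for an inventory."""
    hosts = {}
    for rec in parse_mdns_records(msg):
        if rec["type"] in (TYPE_A, TYPE_AAAA):
            hosts.setdefault(rec["name"], set()).add(rec["value"])
    return {host: sorted(addrs) for host, addrs in hosts.items()}


def _rr(name: bytes, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed sample response: one host announcing A, AAAA and an IPP service.
# 0xC00C is a compression pointer to offset 12, where "printer.local" first appears.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0, 0x8400, 0, 3, 0, 0)
    + _rr(encode_name("printer.local"), TYPE_A, 0x0001 | CACHE_FLUSH, 120, IPv4Address("192.0.2.20").packed)
    + _rr(b"\xc0\x0c", TYPE_AAAA, 0x0001 | CACHE_FLUSH, 120, IPv6Address("2001:db8::20").packed)
    + _rr(encode_name("printer._ipp._tcp.local"), TYPE_SRV, 0x0001, 120,
          struct.pack("!HHH", 0, 0, 631) + b"\xc0\x0c")
)

if __name__ == "__main__":
    for rec in parse_mdns_records(SAMPLE_RESPONSE):
        print(rec)
    print(addresses_by_host(SAMPLE_RESPONSE))
```

The compression handling matters for correctness rather than cosmetics: a parser that does not follow pointers will misattribute AAAA and SRV records, and it is precisely the extra IPv6 address in the response that the text singles out as the discovery bonus.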

Protocol 3: ICMPv6

ICMPv6 is the implementation of ICMP for the IPv6 protocol. It is similar to ICMP and retains most of its message types: Echo, Redirect, Destination Unreachable. ICMPv6 also introduces new features that try to solve various problems found in IPv4. One of them is the ICMPv6 extension called NDP (Neighbor Discovery Protocol).

However, these abilities also enable attackers to hijack a victim’s network traffic. This can be done by spoofing Router Advertisement messages, which influence the network configuration of the nodes connected to the link. The victim then appends the advertised IPv6 DNS server to its DNS server list and auto-configures a new global IPv6 address.

The Risk: A Man-in-the-Middle technique built on this behaviour was first published in 2011 by the InfoSec Institute, who called it the “SLAAC Attack.”
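The two host-side effects described above, a new DNS server and a new auto-configured global address, both come from options inside a single Router Advertisement, so the defensive check is to parse those options and compare them with the link's known configuration (the same idea switches implement as "RA guard"). The following is an added example, not code from the original post or from Pentera: it decodes the ICMPv6 body of a Router Advertisement (RFC 4861 fixed header, Source Link-Layer Address and Prefix Information options, and the RFC 8106 RDNSS option) and reports any deviation from a trusted-router, expected-prefix and expected-DNS policy. The policy values and both sample advertisements are constructed from documentation address ranges; the ICMPv6 checksum is not verified, since that needs the IPv6 pseudo-header.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6_ROUTER_ADVERTISEMENT = 134     # RFC 4861 section 4.2
OPT_SOURCE_LINK_LAYER_ADDR = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25                        # RFC 8106: recursive DNS servers carried in the RA


def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Parse the ICMPv6 body of a Router Advertisement into the fields a host acts on.

    The checksum is left unverified (it needs the IPv6 pseudo-header); the input is
    expected to come from a capture that already validated it.
    """
    if len(icmpv6) < 16:
        raise ValueError("Router Advertisement shorter than its fixed header")
    msg_type, code, _csum, hop_limit, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "source_mac": None, "prefixes": [], "dns_servers": []}
    offset = 16
    while offset < len(icmpv6):
        if offset + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]   # length is in units of 8 octets
        if opt_len == 0:
            raise ValueError("zero-length option (RFC 4861 requires discarding the packet)")
        end = offset + opt_len * 8
        if end > len(icmpv6):
            raise ValueError("option overruns the packet")
        body = icmpv6[offset + 2:end]
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR and len(body) >= 6:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({"prefix": str(IPv6Network((prefix, plen), strict=False)),
                                   "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            addrs = body[6:]                      # 2 reserved + 4 lifetime bytes, then 16-byte addresses
            ra["dns_servers"].extend(str(IPv6Address(addrs[i:i + 16]))
                                     for i in range(0, len(addrs) - 15, 16))
        offset = end
    return ra


def assess_router_advertisement(ra: dict, trusted_router_macs, expected_prefixes, expected_dns_servers):
    """RA-guard style policy check: list the ways this RA deviates from the known link configuration."""
    findings = []
    if ra["source_mac"] not in {m.lower() for m in trusted_router_macs}:
        findings.append(f"RA from untrusted link-layer source {ra['source_mac']}")
    for pfx in ra["prefixes"]:
        if pfx["autonomous"] and pfx["prefix"] not in expected_prefixes:
            findings.append(f"unexpected autonomous prefix {pfx['prefix']} (hosts would SLAAC an address from it)")
    for dns in ra["dns_servers"]:
        if dns not in expected_dns_servers:
            findings.append(f"unexpected RDNSS server {dns}")
    return findings


def build_ra(source_mac: str, prefix: str, dns_server: str) -> bytes:
    """Construct a sample RA body with Source-LLADDR, Prefix-Information (L and A set) and RDNSS options."""
    net = IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x00, 1800, 0, 0)
    sll = bytes([OPT_SOURCE_LINK_LAYER_ADDR, 1]) + bytes.fromhex(source_mac.replace(":", ""))
    pio = bytes([OPT_PREFIX_INFORMATION, 4]) + struct.pack(
        "!BBIII16s", net.prefixlen, 0xC0, 86400, 14400, 0, net.network_address.packed)
    rdnss = bytes([OPT_RDNSS, 3]) + struct.pack("!HI", 0, 1800) + IPv6Address(dns_server).packed
    return header + sll + pio + rdnss


# Constructed link policy and two sample advertisements (documentation address ranges only).
TRUSTED_ROUTERS = ["00:aa:bb:cc:dd:01"]
EXPECTED_PREFIXES = ["2001:db8:1::/64"]
EXPECTED_DNS = ["2001:db8:1::53"]
LEGIT_RA = build_ra("00:aa:bb:cc:dd:01", "2001:db8:1::/64", "2001:db8:1::53")
UNEXPECTED_RA = build_ra("00:11:22:33:44:55", "2001:db8:bad::/64", "2001:db8:bad::1")

if __name__ == "__main__":
    for sample in (LEGIT_RA, UNEXPECTED_RA):
        ra = parse_router_advertisement(sample)
        print(ra["source_mac"], assess_router_advertisement(ra, TRUSTED_ROUTERS, EXPECTED_PREFIXES, EXPECTED_DNS) or "ok")
```

Fed from a capture filter for ICMPv6 type 134, the policy check flags exactly the three things the text says a spoofed advertisement changes on the victim: who is speaking as a router, which prefix hosts will derive a new address from, and which DNS server gets added to their list.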

For our observations about these protocols, the attack and exploitation steps, and future research areas, read the complete research article here.

Written by: Isabella Lindblom