Webcast: How to attack when LLMNR, mDNS, and WPAD attacks fail – eavesarp (Tool Overview)

Click on the timecodes to jump to that part of the video (on YouTube)

2:26 Introduction, background history covering LaBrea Tar Pits and ARP Cache Poisoning and how they relate to this webcast and how “eavesarp” basically works.
14:15 Demo of “eavesarp” against a Stale Network Address Configuration (SNAC) attack.
28:45 Q&A

This webcast was recorded live originally on June 12th, 2019 with John Strand and Justin Angel.

Justin wrote an extensive blog post on this topic: Analyzing ARP to Discover & Exploit Stale Network Address Configurations

eavesarp – GitHub: https://github.com/arch4ngel/eavesarp

When you are on a pentest (or an internal assessment) there are a large number of different techniques that you can use from an unprivileged workstation to move laterally, get hashes and/or attack services. Attacks techniques taking advantage of protocols and misconfigurations like LLMNR, GPP, mDNS and WPAD are now commonplace in any attack toolbox.

But what if those don’t work? Is there anything else in this category of attacks that can help you to easily gain access to other systems? Justin Angel has just written a tool we would like to share with the community that will answer these questions — eavesarp.

In this webcast, we talk about an oldish defensive technique that attackers can use to further access on the inside of a network. We know, we are being very coy with telling you exactly what the issue is. But, it is really cool. Trust us. We released a new tool and building on some existing research to bring another tool to the LLMNR, WPAD and mDNS attack toolbox — eavesarp.

And yes, we will be offering some tips on defending against these attacks as well.