Why Non-Existent Shares Are Dangerous: A DNS Spoofing Attack Explained

Non-existent shares can pose a significant security risk when combined with DNS spoofing. If a DNS entry for a server hosting a non-existent share is missing, a low-privileged user can create a malicious DNS entry pointing to an attacker-controlled host. This allows the attacker to intercept authentication attempts, such as NTLMv2 hashes, when users (e.g., ITAdmin) attempt to access the share via logon scripts.

You Should Know:

1. How the Attack Works

  • A user’s logon script tries to map a non-existent share (\\nonexistentserver\share).
  • Since no DNS record exists, an attacker registers a rogue DNS entry pointing to their machine.
  • The attacker runs a tool like Inveigh to capture authentication attempts.

2. Tools & Commands to Exploit/Defend

Attacker Side (Using Inveigh for NTLMv2 Capture)

# Start Inveigh to spoof DNS and capture hashes
Invoke-Inveigh -ConsoleOutput Y -DNS Y -LLMNR Y -NBNS Y -FileOutput Y

Defender Side (Detect & Mitigate)

  • Check Suspicious DNS Records:
    Get-DnsServerResourceRecord -ZoneName "yourdomain.com" -RRType "A" | Where-Object {$_.HostName -eq "nonexistentserver"} 
    
  • Inventory Logon Scripts (then remove the ones nobody needs):
    Get-ADUser -Filter * -Properties ScriptPath | Where-Object {$_.ScriptPath -ne $null}
    
  • Enable SMB Signing (Mitigates Relay Attacks; this is the client-side setting, the matching server-side requirement is set with Set-SmbServerConfiguration):
    Set-SmbClientConfiguration -RequireSecuritySignature $true
    
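The three defender commands above each answer one question; the check a practitioner really wants is the combined one: which logon scripts reference a UNC server name that no longer resolves in DNS, because that dangling name is exactly what this post warns about. The script below is an added example, not code from the original post. It assumes the ActiveDirectory RSAT module, a domain-joined host, and that relative ScriptPath values live under the domain NETLOGON share; scripts assigned only through GPO are not covered.

```powershell
# Added example (not part of the original post): inventory user logon scripts
# and flag UNC server names that do not resolve in DNS.
# Assumptions: ActiveDirectory module available, run from a domain-joined host,
# relative ScriptPath values are stored under \\<domain>\NETLOGON.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot   # assumption: the current user's domain
)
Import-Module ActiveDirectory

$netlogon   = "\\$Domain\NETLOGON"
# Match \\server\share inside batch, VBScript or PowerShell text
$uncPattern = '\\\\(?<server>[A-Za-z0-9._-]+)\\(?<share>[^\s\\"''<>|]+)'

function Test-DnsName {
    param([string]$Name)
    # Ask DNS only (no LLMNR/NBNS fallback), so a missing record really is missing
    try { $null = Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop; $true }
    catch { $false }
}

$findings = foreach ($user in Get-ADUser -Filter 'ScriptPath -like "*"' -Properties ScriptPath) {
    # ScriptPath is relative to NETLOGON unless it is already a full UNC path
    $scriptFile = if ($user.ScriptPath -like '\\*') { $user.ScriptPath }
                  else { Join-Path $netlogon $user.ScriptPath }

    if (-not (Test-Path -LiteralPath $scriptFile)) {
        [pscustomobject]@{ User = $user.SamAccountName; Script = $scriptFile;
                           Server = $null; Share = $null; Status = 'ScriptMissing' }
        continue
    }

    $text = Get-Content -LiteralPath $scriptFile -Raw
    foreach ($m in [regex]::Matches($text, $uncPattern)) {
        $server = $m.Groups['server'].Value
        $status = if (Test-DnsName $server) { 'Resolves' } else { 'NoDnsRecord' }
        [pscustomobject]@{ User = $user.SamAccountName; Script = $scriptFile;
                           Server = $server; Share = $m.Groups['share'].Value; Status = $status }
    }
}

# Full inventory, dangling references first
$findings | Sort-Object Status, Server, User | Format-Table -AutoSize

# Distinct server names nobody owns: remove them from the scripts, or register a
# static record you control so the name can no longer be claimed by someone else
$findings | Where-Object Status -eq 'NoDnsRecord' | Select-Object -ExpandProperty Server -Unique
```

Run it from an administrative PowerShell session on a management host; it only reads AD attributes, script files and DNS, so no elevated rights on the DNS server are required. Each name in the final list is a reference that should either be deleted from the script or pinned with a static DNS record before the share is retired for good.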

3. Linux Equivalent (Responder for Hash Capture)

sudo responder -I eth0 -wrf 

Check captured hashes in `/usr/share/responder/logs/`.

4. Prevent Low-Privilege DNS Modifications

  • Restrict DNS Updates (refuse unauthenticated dynamic updates; note that "Secure" still lets any domain-authenticated account register a name, so review the zone ACL as well):
    Set-DnsServerPrimaryZone -Name "yourdomain.com" -DynamicUpdate "Secure"
    
  • Audit DNS Changes (Event ID 5136 is written to the Security log once directory-object auditing is enabled on the AD-integrated zone):
    Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = 5136}
    
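Restricting updates to "Secure" only rejects unauthenticated clients; the precondition for the attack in this post is that an ordinary authenticated account may still create records, because an AD-integrated zone's default ACL grants Authenticated Users "Create all child objects". The script below is an added example, not code from the original post, that reports the three things worth reviewing together: the zone's dynamic-update policy, which principals hold create rights on the zone object, and which A records were registered dynamically in the last few days. It assumes the ActiveDirectory and DnsServer RSAT modules, a zone replicated to the Domain or Forest DNS partition, and uses a placeholder zone name.

```powershell
# Added example (not part of the original post): review what lets a low-privileged
# account register a name in an AD-integrated zone, and list recent registrations.
# Assumptions: ActiveDirectory + DnsServer modules, zone stored in DomainDnsZones
# or ForestDnsZones, DNS running on the PDC emulator, placeholder zone name.
param(
    [string]$ZoneName  = 'yourdomain.com',                  # placeholder
    [string]$DnsServer = (Get-ADDomain).PDCEmulator,        # assumption
    [int]$Days         = 7
)
Import-Module ActiveDirectory, DnsServer

# 1. Zone update policy. "Secure" still accepts updates from any authenticated
#    domain account; only "None" refuses dynamic registration outright.
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
[pscustomobject]@{
    Zone          = $zone.ZoneName
    DynamicUpdate = $zone.DynamicUpdate
    AdIntegrated  = $zone.IsDsIntegrated
    Replication   = $zone.ReplicationScope
} | Format-List

# 2. Zone ACL: CreateChild on the zone object is the right a rogue record needs.
$broad = 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users'
$partitionDn = if ($zone.ReplicationScope -eq 'Forest') {
    'DC=ForestDnsZones,' + (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
} else {
    'DC=DomainDnsZones,' + (Get-ADDomain).DistinguishedName
}
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$partitionDn"

(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|GenericWrite' } |
    Select-Object @{n = 'Identity'; e = { $_.IdentityReference.Value }},
                  ActiveDirectoryRights,
                  @{n = 'BroadPrincipal'; e = { $_.IdentityReference.Value -in $broad }} |
    Sort-Object BroadPrincipal -Descending | Format-Table -AutoSize

# 3. Recently registered dynamic records. Dynamic records carry a Timestamp,
#    static ones do not, so a new name for a server that should not exist
#    stands out here.
$cutoff = (Get-Date).AddDays(-$Days)
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
    Where-Object { $_.Timestamp -and $_.Timestamp -gt $cutoff } |
    Select-Object HostName, @{n = 'IPv4'; e = { $_.RecordData.IPv4Address }}, Timestamp |
    Sort-Object Timestamp -Descending | Format-Table -AutoSize
```

A row in the ACL table with BroadPrincipal set to True is the permission to tighten: either remove the create right from that principal or replace it with a group that only the hosts and accounts meant to register names belong to. The timestamp listing is the cheap daily check for the rogue entry the post describes, and it pairs naturally with the Security-log query in the bullet above.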

What Undercode Say:

This attack exploits weak configurations in both DNS and logon scripts. Organizations should enforce strict DNS permissions, disable unnecessary script-based share mappings, and enable SMB signing. Monitoring for rogue DNS records and unusual NTLM authentication attempts can prevent such attacks.

Prediction:

As cloud adoption grows, misconfigured hybrid environments will increase similar attacks, making DNS and logon script hardening critical.

Expected Output:

  • Captured NTLMv2 hashes (ITAdmin::NTLMv2_SHA256...).
  • Rogue DNS entry logs (Event ID 5136).
  • Successful mitigation via SMB signing enforcement.

Reported By: Spenceralessi Why – Hackers Feeds