3. LLMNR-NBT-NS Poisoning - from Linux

Tool Overview

Responder

A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS protocols.
Commonly used on Linux attack hosts, with a .exe version for Windows.
Supports capturing and relaying authentication requests.

Inveigh

A cross-platform MITM tool for spoofing and poisoning attacks.
Written in C# and PowerShell (PowerShell version is considered legacy).
Effective for attacking multiple protocols including LLMNR and NBNS.

Metasploit

Provides various scanners and spoofing modules for poisoning and relay attacks.

Both Responder and Inveigh can target the following protocols:

LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth.

Responder additionally supports:

MSSQL, DCE-RPC, FTP, POP3, IMAP, and SMTP authentication.

Pre-Attack Network Scanning

Identify hosts responding to NetBIOS name service

nmap -Pn --script broadcast-netbios-master-browser

Scan for LLMNR-enabled hosts on the network

nmap -p 5355 --script llmnr-resolve <target-ip>

Responder Usage Examples

Display help information for Responder

responder -h

Run Responder on interface eth0 with SMB and HTTP capture enabled

responder -I eth0 -w -r -f

Run Responder in analysis mode

responder -A

Run Responder on a specific interface (eth0)

responder -I eth0

Run Responder on interface ens224

responder -I ens224

View captured hashes in Responder logs

cat /usr/share/responder/logs/Responder-Session.log

Hashcat Usage Examples

Crack NTLMv2 hashes using Hashcat with RockYou wordlist

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

Run Hashcat in the background for long processes

nohup hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt &

Post-Exploitation Considerations

Use cracked credentials for lateral movement or privilege escalation (example with SMB)

smbclient -U <username> //<target-ip>/share

Defensive Measures

Disable LLMNR and NBT-NS to prevent poisoning attacks

For Windows, use Group Policy Editor to disable these services.
Ensure SMB signing is enforced to prevent relay attacks.

1. LLMNR and NBT-NS Fundamentals:

Purpose: These are fallback name resolution protocols used by Windows when DNS fails.
Vulnerability: They broadcast name resolution requests on the local network, allowing any host to respond.
Protocols and Ports: LLMNR uses UDP port 5355, while NBT-NS uses UDP port 137.

2. Man-in-the-Middle (MitM) Attack:

Poisoning: Attackers use tools like Responder to respond to LLMNR/NBT-NS requests, pretending to be the requested host.
Credential Capture: This tricks victim machines into sending authentication requests (NTLM hashes) to the attacker's machine.
Hash Cracking: Captured NTLM hashes can be cracked offline using tools like Hashcat or John the Ripper.

3. Responder Tool:

Functionality: A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS requests.
Analysis Mode: Responder can be used in analysis mode to passively monitor network traffic.
WPAD Proxy: Responder can start a rogue WPAD proxy server to capture HTTP requests.
Log Files: Captured hashes are stored in log files and a SQLite database.
Port Requirements: Responder requires access to specific network ports to function correctly.

4. Attack Flow:

A victim machine attempts to resolve a hostname that doesn't exist in DNS.
The machine broadcasts an LLMNR/NBT-NS request.
Responder intercepts the request and sends a spoofed response.
The victim machine sends its credentials (NTLM hash) to Responder.
The attacker cracks the hash to obtain the cleartext password.

5. NTLM Hashes:

NTLMv1 and NTLMv2: These are authentication protocols that use LM or NT hashes.
Offline Cracking: NTLM hashes can be cracked offline using tools like Hashcat.
SMB Relay: Captured hashes can sometimes be used in SMB relay attacks.

6. Tools and Techniques:

Responder: Primary tool for LLMNR/NBT-NS poisoning.
Hashcat: Tool for cracking captured NTLM hashes.
Wordlists: Used in conjunction with Hashcat to crack passwords.
Inveigh and Metasploit: Alternative tools for performing poisoning attacks.

7. Security Implications:

Vulnerable Protocols: LLMNR and NBT-NS are inherently vulnerable to MitM attacks.
Credential Theft: Successful poisoning attacks can lead to the theft of user credentials.
Lateral Movement: Compromised credentials can be used to gain access to other systems on the network.
Mitigation: Practices like SMB signing and disabling unneeded services can help mitigate this attack.

Previous2.Sniffing out a Foothold Next4.LLMNR-NBT-NS Poisoning - from Windows

Last updated 12 days ago

3. LLMNR-NBT-NS Poisoning - from Linux

Tool Overview

Responder

A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS protocols.
Commonly used on Linux attack hosts, with a .exe version for Windows.
Supports capturing and relaying authentication requests.

Inveigh

A cross-platform MITM tool for spoofing and poisoning attacks.
Written in C# and PowerShell (PowerShell version is considered legacy).
Effective for attacking multiple protocols including LLMNR and NBNS.

Metasploit

Provides various scanners and spoofing modules for poisoning and relay attacks.

Both Responder and Inveigh can target the following protocols:

LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth.

Responder additionally supports:

MSSQL, DCE-RPC, FTP, POP3, IMAP, and SMTP authentication.

Pre-Attack Network Scanning

Identify hosts responding to NetBIOS name service

nmap -Pn --script broadcast-netbios-master-browser

Scan for LLMNR-enabled hosts on the network

nmap -p 5355 --script llmnr-resolve <target-ip>

Responder Usage Examples

Display help information for Responder

responder -h

Run Responder on interface eth0 with SMB and HTTP capture enabled

responder -I eth0 -w -r -f

Run Responder in analysis mode

responder -A

Run Responder on a specific interface (eth0)

responder -I eth0

Run Responder on interface ens224

responder -I ens224

View captured hashes in Responder logs

cat /usr/share/responder/logs/Responder-Session.log

Hashcat Usage Examples

Crack NTLMv2 hashes using Hashcat with RockYou wordlist

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

Run Hashcat in the background for long processes

nohup hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt &

Post-Exploitation Considerations

Use cracked credentials for lateral movement or privilege escalation (example with SMB)

smbclient -U <username> //<target-ip>/share

Defensive Measures

Disable LLMNR and NBT-NS to prevent poisoning attacks

For Windows, use Group Policy Editor to disable these services.
Ensure SMB signing is enforced to prevent relay attacks.

1. LLMNR and NBT-NS Fundamentals:

Purpose: These are fallback name resolution protocols used by Windows when DNS fails.
Vulnerability: They broadcast name resolution requests on the local network, allowing any host to respond.
Protocols and Ports: LLMNR uses UDP port 5355, while NBT-NS uses UDP port 137.

2. Man-in-the-Middle (MitM) Attack:

Poisoning: Attackers use tools like Responder to respond to LLMNR/NBT-NS requests, pretending to be the requested host.
Credential Capture: This tricks victim machines into sending authentication requests (NTLM hashes) to the attacker's machine.
Hash Cracking: Captured NTLM hashes can be cracked offline using tools like Hashcat or John the Ripper.

3. Responder Tool:

Functionality: A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS requests.
Analysis Mode: Responder can be used in analysis mode to passively monitor network traffic.
WPAD Proxy: Responder can start a rogue WPAD proxy server to capture HTTP requests.
Log Files: Captured hashes are stored in log files and a SQLite database.
Port Requirements: Responder requires access to specific network ports to function correctly.

4. Attack Flow:

A victim machine attempts to resolve a hostname that doesn't exist in DNS.
The machine broadcasts an LLMNR/NBT-NS request.
Responder intercepts the request and sends a spoofed response.
The victim machine sends its credentials (NTLM hash) to Responder.
The attacker cracks the hash to obtain the cleartext password.

5. NTLM Hashes:

NTLMv1 and NTLMv2: These are authentication protocols that use LM or NT hashes.
Offline Cracking: NTLM hashes can be cracked offline using tools like Hashcat.
SMB Relay: Captured hashes can sometimes be used in SMB relay attacks.

6. Tools and Techniques:

Responder: Primary tool for LLMNR/NBT-NS poisoning.
Hashcat: Tool for cracking captured NTLM hashes.
Wordlists: Used in conjunction with Hashcat to crack passwords.
Inveigh and Metasploit: Alternative tools for performing poisoning attacks.

7. Security Implications:

Vulnerable Protocols: LLMNR and NBT-NS are inherently vulnerable to MitM attacks.
Credential Theft: Successful poisoning attacks can lead to the theft of user credentials.
Lateral Movement: Compromised credentials can be used to gain access to other systems on the network.
Mitigation: Practices like SMB signing and disabling unneeded services can help mitigate this attack.

Previous2.Sniffing out a Foothold Next4.LLMNR-NBT-NS Poisoning - from Windows

Last updated 12 days ago