3. LLMNR-NBT-NS Poisoning - from Linux

Tool Overview

Responder

  • A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS protocols.

  • Commonly used on Linux attack hosts, with a .exe version for Windows.

  • Supports capturing and relaying authentication requests.

Inveigh

  • A cross-platform MITM tool for spoofing and poisoning attacks.

  • Written in C# and PowerShell (PowerShell version is considered legacy).

  • Effective for attacking multiple protocols including LLMNR and NBNS.

Metasploit

  • Provides various scanners and spoofing modules for poisoning and relay attacks.

Both Responder and Inveigh can target the following protocols:

  • LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth.

Responder additionally supports:

  • MSSQL, DCE-RPC, FTP, POP3, IMAP, and SMTP authentication.

Pre-Attack Network Scanning

Identify hosts responding to NetBIOS name service

nmap -Pn --script broadcast-netbios-master-browser

Scan for LLMNR-enabled hosts on the network

nmap -p 5355 --script llmnr-resolve <target-ip>

Responder Usage Examples

Display help information for Responder

responder -h

Run Responder on interface eth0 with SMB and HTTP capture enabled

responder -I eth0 -w -r -f

Run Responder in analysis mode

responder -A

Run Responder on a specific interface (eth0)

responder -I eth0

Run Responder on interface ens224

responder -I ens224

View captured hashes in Responder logs

cat /usr/share/responder/logs/Responder-Session.log

Hashcat Usage Examples

Crack NTLMv2 hashes using Hashcat with RockYou wordlist

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

Run Hashcat in the background for long processes

nohup hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt &

Post-Exploitation Considerations

Use cracked credentials for lateral movement or privilege escalation (example with SMB)

smbclient -U <username> //<target-ip>/share

Defensive Measures

Disable LLMNR and NBT-NS to prevent poisoning attacks

  • For Windows, use Group Policy Editor to disable these services.

  • Ensure SMB signing is enforced to prevent relay attacks.

1. LLMNR and NBT-NS Fundamentals:

  • Purpose: These are fallback name resolution protocols used by Windows when DNS fails.

  • Vulnerability: They broadcast name resolution requests on the local network, allowing any host to respond.

  • Protocols and Ports: LLMNR uses UDP port 5355, while NBT-NS uses UDP port 137.

2. Man-in-the-Middle (MitM) Attack:

  • Poisoning: Attackers use tools like Responder to respond to LLMNR/NBT-NS requests, pretending to be the requested host.

  • Credential Capture: This tricks victim machines into sending authentication requests (NTLM hashes) to the attacker's machine.

  • Hash Cracking: Captured NTLM hashes can be cracked offline using tools like Hashcat or John the Ripper.

3. Responder Tool:

  • Functionality: A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS requests.

  • Analysis Mode: Responder can be used in analysis mode to passively monitor network traffic.

  • WPAD Proxy: Responder can start a rogue WPAD proxy server to capture HTTP requests.

  • Log Files: Captured hashes are stored in log files and a SQLite database.

  • Port Requirements: Responder requires access to specific network ports to function correctly.

4. Attack Flow:

  • A victim machine attempts to resolve a hostname that doesn't exist in DNS.

  • The machine broadcasts an LLMNR/NBT-NS request.

  • Responder intercepts the request and sends a spoofed response.

  • The victim machine sends its credentials (NTLM hash) to Responder.

  • The attacker cracks the hash to obtain the cleartext password.

5. NTLM Hashes:

  • NTLMv1 and NTLMv2: These are authentication protocols that use LM or NT hashes.

  • Offline Cracking: NTLM hashes can be cracked offline using tools like Hashcat.

  • SMB Relay: Captured hashes can sometimes be used in SMB relay attacks.

6. Tools and Techniques:

  • Responder: Primary tool for LLMNR/NBT-NS poisoning.

  • Hashcat: Tool for cracking captured NTLM hashes.

  • Wordlists: Used in conjunction with Hashcat to crack passwords.

  • Inveigh and Metasploit: Alternative tools for performing poisoning attacks.

7. Security Implications:

  • Vulnerable Protocols: LLMNR and NBT-NS are inherently vulnerable to MitM attacks.

  • Credential Theft: Successful poisoning attacks can lead to the theft of user credentials.

  • Lateral Movement: Compromised credentials can be used to gain access to other systems on the network.

  • Mitigation: Practices like SMB signing and disabling unneeded services can help mitigate this attack.

Previous2.Sniffing out a FootholdNext4.LLMNR-NBT-NS Poisoning - from Windows

Last updated