llmnr-nbt-ns-poisoning-from-linux

Tool Overview

Responder

• A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS protocols.

• Commonly used on Linux attack hosts, with a .exe version for Windows.

• Supports capturing and relaying authentication requests.

Inveigh

• A cross-platform MITM tool for spoofing and poisoning attacks.

• Written in C# and PowerShell (PowerShell version is considered legacy).

• Effective for attacking multiple protocols including LLMNR and NBNS.

Metasploit

• Provides various scanners and spoofing modules for poisoning and relay attacks.

Both Responder and Inveigh can target the following protocols:

• LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth.

Responder additionally supports:

• MSSQL, DCE-RPC, FTP, POP3, IMAP, and SMTP authentication.

Pre-Attack Network Scanning

Identify hosts responding to NetBIOS name service

nmap -Pn --script broadcast-netbios-master-browser

Scan for LLMNR-enabled hosts on the network

nmap -p 5355 --script llmnr-resolve <target-ip>

Responder Usage Examples

Display help information for Responder

responder -h

Run Responder on interface eth0 with SMB and HTTP capture enabled

responder -I eth0 -w -r -f

Run Responder in analysis mode

responder -A

Run Responder on a specific interface (eth0)

responder -I eth0

Run Responder on interface ens224

responder -I ens224

View captured hashes in Responder logs

cat /usr/share/responder/logs/Responder-Session.log

Hashcat Usage Examples

Crack NTLMv2 hashes using Hashcat with RockYou wordlist

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

Run Hashcat in the background for long processes

nohup hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt &

Post-Exploitation Considerations

Use cracked credentials for lateral movement or privilege escalation (example with SMB)

smbclient -U <username> //<target-ip>/share

Defensive Measures

Disable LLMNR and NBT-NS to prevent poisoning attacks

• For Windows, use Group Policy Editor to disable these services.

• Ensure SMB signing is enforced to prevent relay attacks.

1. LLMNR and NBT-NS Fundamentals:

• Purpose: These are fallback name resolution protocols used by Windows when DNS fails.

• Vulnerability: They broadcast name resolution requests on the local network, allowing any host to respond.

• Protocols and Ports: LLMNR uses UDP port 5355, while NBT-NS uses UDP port 137.

2. Man-in-the-Middle (MitM) Attack:

• Poisoning: Attackers use tools like Responder to respond to LLMNR/NBT-NS requests, pretending to be the requested host.

• Credential Capture: This tricks victim machines into sending authentication requests (NTLM hashes) to the attacker's machine.

• Hash Cracking: Captured NTLM hashes can be cracked offline using tools like Hashcat or John the Ripper.

3. Responder Tool:

• Functionality: A Python-based tool designed to poison LLMNR, NBT-NS, and MDNS requests.

• Analysis Mode: Responder can be used in analysis mode to passively monitor network traffic.

• WPAD Proxy: Responder can start a rogue WPAD proxy server to capture HTTP requests.

• Log Files: Captured hashes are stored in log files and a SQLite database.

• Port Requirements: Responder requires access to specific network ports to function correctly.

4. Attack Flow:

• A victim machine attempts to resolve a hostname that doesn't exist in DNS.

• The machine broadcasts an LLMNR/NBT-NS request.

• Responder intercepts the request and sends a spoofed response.

• The victim machine sends its credentials (NTLM hash) to Responder.

• The attacker cracks the hash to obtain the cleartext password.

5. NTLM Hashes:

• NTLMv1 and NTLMv2: These are authentication protocols that use LM or NT hashes.

• Offline Cracking: NTLM hashes can be cracked offline using tools like Hashcat.

• SMB Relay: Captured hashes can sometimes be used in SMB relay attacks.

6. Tools and Techniques:

• Responder: Primary tool for LLMNR/NBT-NS poisoning.

• Hashcat: Tool for cracking captured NTLM hashes.

• Wordlists: Used in conjunction with Hashcat to crack passwords.

• Inveigh and Metasploit: Alternative tools for performing poisoning attacks.

7. Security Implications:

• Vulnerable Protocols: LLMNR and NBT-NS are inherently vulnerable to MitM attacks.

• Credential Theft: Successful poisoning attacks can lead to the theft of user credentials.

• Lateral Movement: Compromised credentials can be used to gain access to other systems on the network.

• Mitigation: Practices like SMB signing and disabling unneeded services can help mitigate this attack.