LLMNR & NBT-NS Poisoning
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name services used by Windows to resolve hostnames to IP addresses when a DNS request fails on a network.
⇒ If the machine fails to resolve the name through DNS, it falls back to asking the other machines on the network using LLMNR
⇒ The exchange uses the NTLM/NTLMv2 hash, which can be captured by an attacker and cracked offline
- In this attack the victim tries to connect to the share \\hackme but instead types \\hackm, a name that does not exist in the DNS records
- So the victim broadcasts a message to everyone on the network asking whether anyone knows how to connect to \\hackm
- The attacker acts as the man-in-the-middle and answers: "I sure do know how to connect to that, just send me your hash or credentials and I will connect to it for you"
- The attacker then captures the NTLM hash using the tool Responder
- Setting up Responder
Responder needs to be set up to answer the otherwise unanswered LLMNR requests, using the following syntax:
python3 Responder.py -w --lm -v -I <interface>
A user makes a mistake: the user wants to connect to the share Client06 but instead types Client07
- And the attacker captures the hash
- The captured NetNTLMv2 hash can be cracked with hashcat (mode 5600):
hashcat -m 5600 ntlmv2 /usr/share/wordlists/rockyou.txt --force
⇒ The best defense in this case is to disable LLMNR and NBT-NS
To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the GPO editor
To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP"
⇒ If a company must use LLMNR/NBT-NS or cannot disable them, the best course of action is to:
- Require Network Access Control: if an attacker cannot get onto the network, the attack cannot be performed.
- Require strong user passwords (e.g. >12 characters in length, made of complex words and special characters).
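Complementing the defenses above, here is an added Python example (not from the original notes) that detects an active LLMNR poisoner with a canary query: it asks the LLMNR multicast group (224.0.0.252, UDP 5355) for a random name that cannot exist on the network, so a healthy network never answers, and any reply identifies the host spoofing responses. The query/answer encoding follows the DNS-style LLMNR wire format; the canary name prefix and the 2-second timeout are assumptions of this example.

```python
import os
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR multicast group and UDP port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the wire format is the same as a DNS query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QD=1, AN, NS, AR
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_llmnr_answer(pkt: bytes, txid: int):
    """Return the IPv4 addresses in a response to txid, or None if pkt is not one."""
    if len(pkt) < 12: return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000: return None  # wrong id or QR bit not set
    off = 12
    for _ in range(qd):  # skip the echoed question section
        while pkt[off] != 0: off += pkt[off] + 1
        off += 1 + 4  # name terminator + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if pkt[off] & 0xC0 == 0xC0: off += 2  # compression pointer to the question name
        else:  # name spelled out as labels
            while pkt[off] != 0: off += pkt[off] + 1
            off += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4: addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout: float = 2.0):
    """Query a random name that cannot exist; any host answering it is a poisoner."""
    name = "canary-" + os.urandom(4).hex()  # constructed name, never a real host
    txid = int.from_bytes(os.urandom(2), "big")
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:  # poisoners reply by unicast to our source port
                pkt, (src, _) = sock.recvfrom(2048)
                addrs = parse_llmnr_answer(pkt, txid)
                if addrs is not None: hits.append((src, addrs))
        except socket.timeout: pass
    return name, hits
```

Run probe_for_poisoner() from a host on the segment you want to check; a non-empty hits list gives the source IP of every host that answered the bogus name and the address it tried to hand out.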