Home LLMNR & NBT-NS Poisoning
Post
Cancel

LLMNR & NBT-NS Poisoning

Posted Mar 8, 2018
By Aftab Shaikh
1 min read

LLMNR & NBT-NS Poisoning

What is LMNR & NBT-NS

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name services used by windows for resolving hostnames to IP addresses when a DNS request fails in a network.

⇒ if the machine fails to resolve the DNS request . then the machine will communicate with other machines in the network using LLMNR

⇒ Utilizes NTLM/NTLMv2 hash, which can be exploited and can be cracked offline

Explaining The Attack

  • In this victim tries to connect to the shared name \\hackme but instead he typed \\hackm and hackm doesnt exists in the DNS record

Image title

  • So the victim sends the broadcast message to everyone in the network that anyone know how to connect to \\hackm

Image title

  • So us the attacker will act as the man-in-the-middle and says that i sure do know how to connect to that , you just send me over your hash or credentials and i will connect to it for you

Image title

  • so will just capture the ntlm hash using the tool Responder

Image title

Performing The Attack

  • Setting up responder

We will need to setup responder answer to unanswered LLMNR request using the following syntax

1

python3 Responder.py -w --lm -v -I <interface>

Image title

  • A user makes a mistake…..

  • The user wants to connect to share Client06 but instead he types Client07

Image title

  • And we capture the hash

Image title

Cracking NTLMv2 Hash

  • You can use the hashcat
1

hashcat -m 5600 ntlmv2 /usr/share/wordlists/rockyou.txt  --force

Defenses

⇒ The best defense in this case is to disable LLMNR and NBT-NS

  • Disable LLMNR, select Turn OFF Multicast Name Resolution under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in GPO Editor

  • Disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced Tab > WINS tab and select "Disable NetBIOS over TCP/IP"

⇒ If a company must use or cannot disable LLMNR /NBT-NS, the best course of action is to

  • Require Network Access Control. if an attacker cannot get onto the network, the attack cannot be performed.

  • Best is to require strong user passwords (e.g, >12 characters in length with complex word special characters).

Active Directory Attacks, LLMNR & NBT-NS Poisoning
ad attacks ldap LLMNR & NBT-NS Poisoning mimikatz
This post is licensed under CC BY 4.0 by the author.
Contents