Active Directory Series — LLMNR Poisoning

Abhijit Acharya
Dec 29, 2022


What is LLMNR?

Link-Local Multicast Name Resolution (LLMNR) is a name resolution protocol used on Windows systems and enabled by default. It is a fallback that is used when DNS fails: suppose I try to access a share whose name does not exist, then after DNS fails to resolve it, the host sends an LLMNR query to the local network asking who owns that name.

The Vulnerability

Now the problem is that LLMNR trusts whichever device answers the query: the host will authenticate to that device, exposing the username and the password hash (an NTLMv2 challenge/response) to it. It is possible to capture this hash and crack it if the password is weak. Let's get into exploiting it!

The Exploit

Run responder on attacker VM

First, we will set up Responder. I will use Kali Linux for this. Here, my Kali VM is on the same network as my Active Directory lab. We use the command:

responder -I <your network interface> -dwv
Note the -d, -w and -v flags enabled in the image.

Here we start listening for events in the network.

Accessing the attacker’s share

Let us assume someone in the network wants to access a share at 192.168.112.129. However, they type in the attacker's IP, 192.168.112.128. Responder will immediately capture the user's name and NTLMv2 hash and print them out on the terminal.
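From the defender's side, the tell-tale sign of what happens above is a single host answering LLMNR queries for many different names, since a legitimate host only answers for its own. The following is an added detection example, not part of the original post: it decodes LLMNR messages (DNS wire format on UDP 5355) and flags any source that answers for several distinct names. The sample packets and the 192.168.112.x addresses in it are constructed for the demo.

```python
import struct
from collections import defaultdict

def _read_name(data, off):
    """Parse a DNS-style name at `off`, following 0xC0 compression pointers. Returns (name, next offset)."""
    labels, end = [], None
    while (length := data[off]) != 0:
        if length & 0xC0 == 0xC0:              # compression pointer back to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(data[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_llmnr(payload):
    """Decode one LLMNR message (UDP/5355, DNS wire format): id, query/response flag, name, A-record IPs."""
    tid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", payload[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(payload, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record: the IPv4 the responder claims for the name
            answers.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return {"id": tid, "response": bool(flags & 0x8000), "name": qname, "answers": answers}

def find_poisoners(packets, min_names=2):
    """packets: (src_ip, payload) pairs. A host that answers LLMNR for several different names is suspect."""
    names_by_src = defaultdict(set)
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if msg["response"] and msg["answers"]:
            names_by_src[src].add(msg["name"].lower())
    return {src: sorted(n) for src, n in names_by_src.items() if len(n) >= min_names}

def _response(tid, name, ip):
    """Build a constructed sample LLMNR A-record response (the answer section uses a 0xC00C name pointer)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00\x00\x01\x00\x01"
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0) + q + a

# Constructed traffic: .128 answers for two different mistyped share names, .140 only for its own hostname.
SAMPLE = [("192.168.112.128", _response(1, "fileshare", "192.168.112.128")),
          ("192.168.112.128", _response(2, "printsrv", "192.168.112.128")),
          ("192.168.112.140", _response(3, "laptop7", "192.168.112.140"))]
```

Feeding it real captures means reading UDP/5355 payloads and their source IPs from a pcap; `find_poisoners(SAMPLE)` returns only 192.168.112.128, because it answered for both names.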

Cracking the hash

Let's try cracking this hash. We copy the entire NTLMv2 hash and paste it into a file, say hashes.txt. Now we need to identify the Hashcat mode for this hash; the Hashcat example-hashes wiki page lists them. Note how the example hash for mode 5600 has the same format as the hash we obtained.

For cracking the hash, we run the following command:

hashcat.exe -m 5600 hashes.txt ../Wordlists/rockyou.txt -O

Once the hash is cracked, the recovered password is printed out for us. And there we have the password!

Hope you enjoyed this. Thanks for reading. Follow for more!
