Poisoning LLMNR with Responder to obtain a victim's NTLMv2 hash — Insider Insights
What is LLMNR?
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are integral components within the Microsoft Windows ecosystem, offering alternative means of host identification. LLMNR, structured on the Domain Name System (DNS) framework, facilitates name resolution among hosts sharing the same local network link. NBT-NS operates by identifying systems within a local network through their NetBIOS names.
LLMNR Poisoning with Responder
Responder
Responder is a tool initially developed by SpiderLabs. It is mainly focused on attacking NTLM authentication: Responder attempts to lure a victim into authenticating to the attacker's machine.
Theory
- To bait victims, Responder abuses multicast/broadcast name-resolution protocols:
- NBT-NS
- LLMNR, which is the successor to NBT-NS; Responder answers these queries with the insider's (attacker's) address
- All of these protocols effectively broadcast their requests to resolve hostnames, so any host on the link can answer
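Because any host on the link can answer a multicast LLMNR query, a defender can turn the mechanism around: query for a random name that no legitimate host owns, and anything that answers is spoofing. The script below is an added example (not from the original post or the Responder project); it builds an RFC 4795 LLMNR query by hand, parses replies, and reports the source address of any responder. The canary name prefix, timeout and socket handling are my assumptions.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS format: header (id, flags=0, 1 question), labels, QTYPE A, QCLASS IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def skip_name(data: bytes, off: int) -> int:  # step past a (possibly compressed) DNS name
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1
def parse_llmnr_answers(data: bytes, txid: int) -> list:
    """IPv4 addresses in the answer section of a response to txid; [] if not a matching response."""
    # reject: too short, QR bit clear (a query, not a response), or wrong transaction id
    if len(data) < 12 or not data[2] & 0x80 or int.from_bytes(data[:2], "big") != txid:
        return []
    qd, an = struct.unpack("!HH", data[4:8])   # question and answer counts
    off = 12
    for _ in range(qd):                    # skip echoed question(s): name + type + class
        off = skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # A record -> dotted quad
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout: float = 2.0) -> list:
    """Ask LLMNR for a random name nobody owns; any host that answers is spoofing (poisoning)."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(65536)  # assumed prefix
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []                              # (source_ip, [addresses it claimed]) per suspicious reply
    try:
        while True:                        # collect every reply until the timeout expires
            data, (src, _port) = sock.recvfrom(2048)
            if answers := parse_llmnr_answers(data, txid):
                hits.append((src, answers))
    except socket.timeout:
        pass
    return hits
```

Run `probe_for_poisoner()` periodically from a monitoring host on each subnet; a non-empty result is a high-confidence alert, and the only real fix remains disabling LLMNR and NBT-NS via group policy.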
Demo
In this demo I used one Windows machine (victim) and one Kali machine (insider threat).
1. Insider POV — Start Responder by running the command:
responder -I eth0
2. Victim POV — The victim tries to access an SMB share (“foldersharedcorp”) that does not exist on the network.
3. Insider POV — After a while, we can observe that the NTLMv2 hash of the user riodrwn-victim has been captured through LLMNR poisoning.
4. After that, the insider can crack this NTLMv2 hash with John the Ripper (JtR).
John the Ripper detects the NTLMv2 hash format automatically, so the attacker only needs to supply the password list and hash.txt.
5. Alternatively, if the attacker does not have a password wordlist, hashcat can be used to crack the hash:
hashcat -m 5600 hash.txt
That’s all, I hope it’s useful for you. Thanks for reading!