Poisoning LLMNR with responder to obtain NTLMv2 victim — Insider Insights

Rio Darmawan
MII Cyber Security Consulting Services
Mar 31, 2024

What is LLMNR?

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are integral components within the Microsoft Windows ecosystem, offering alternative means of host identification. LLMNR, structured on the Domain Name System (DNS) framework, facilitates name resolution among hosts sharing the same local network link. NBT-NS operates by identifying systems within a local network through their NetBIOS names.

LLMNR Poisoning /w Responder

Responder

Responder is a tool initially developed by SpiderLabs. It is mainly focused on attacking NTLM authentication: Responder attempts to lure a victim into authenticating to the attacker's machine.

Normal Flow
Poisoning Flow

Theory

  1. To bait victims, Responder abuses multicast protocols used for name resolution:
    - NBT-NS
    - LLMNR, which is the successor to NBT-NS
  2. Responder answers the query with the insider's (attacker's) address.
  3. Both of these protocols effectively broadcast to resolve hostnames, so any host on the local link can answer.
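The fallback described above can be turned into a detection. The following script is an added example written for this page, not Responder's code and not from the original post: it multicasts an LLMNR query for a random hostname that no legitimate host owns and reports any host that answers, which is exactly what a poisoner must do to win the resolution race. The `canary-` name prefix, the 2-second timeout and the `192.0.2.66` address in the constructed sample reply are assumptions chosen for the example.

```python
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IANA LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1
QR_BIT = 0x8000               # "this is a response" flag in the DNS-style header


def encode_name(hostname: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, zero terminator."""
    labels = [label for label in hostname.split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_llmnr_query(hostname: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; LLMNR reuses the DNS header and question layout."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0, QDCOUNT 1
    return header + encode_name(hostname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, handling DNS compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_llmnr_response(data: bytes, expected_txid: int) -> list:
    """Return IPv4 addresses advertised in an LLMNR answer to our transaction id.

    Anything that is not a response to expected_txid yields [].
    """
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & QR_BIT:
        return []
    offset = 12
    for _ in range(qdcount):           # skip the echoed question section
        offset = skip_name(data, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


# Constructed sample (not a real capture): the wire form of a poisoner's
# answer to txid 0x1234 for "canary-x7q3", advertising a documentation-range IP.
SAMPLE_TXID = 0x1234
SAMPLE_POISONED_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, QR_BIT, 1, 1, 0, 0)
    + encode_name("canary-x7q3") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + encode_name("canary-x7q3") + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    + socket.inet_aton("192.0.2.66")
)


def probe(timeout: float = 2.0, iface_ip: str = None) -> list:
    """Multicast one canary query; return [(responding_host, [advertised_ips])]."""
    name = "canary-" + os.urandom(4).hex()          # random: no legitimate owner
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # link-local only
    if iface_ip:                                    # pin the egress interface if multi-homed
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                                 # poisoners reply unicast to our port
            data, (src, _port) = sock.recvfrom(512)
            advertised = parse_llmnr_response(data, txid)
            if advertised:
                hits.append((src, advertised))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, advertised in probe():
        print(f"ALERT: {src} answered a canary LLMNR query with {advertised}")
```

Run it on the segment being monitored; a hit names the host that answered and the address it advertised, which can be checked against the asset inventory. Because no host should own a freshly generated random name, any answer is strong evidence of a poisoner (or of a host misconfigured to answer every LLMNR query). Disabling LLMNR and NBT-NS through Group Policy removes the attack surface entirely; the canary is for finding poisoners on segments where that has not yet been done.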

Demo

In this demo I used one Windows machine (victim) and one Kali machine (insider threat).

  1. Insider POV — Start Responder by running the command:
responder -I eth0
Responder

  2. Victim POV — The victim tries to access an SMB share (“foldersharedcorp”) that is unavailable on the network. Because DNS cannot resolve the name, Windows falls back to LLMNR and NBT-NS, which is exactly the multicast traffic Responder is waiting for.

victim trying access SMB Share

  3. Insider POV — After a while, we can observe that the NTLMv2 hash of the user riodrwn-victim has been captured through LLMNR poisoning.

Responder gets the NTLMv2 hash

  4. After that, the insider can crack this NTLMv2 hash with JtR (John the Ripper).

John the Ripper detects the NTLMv2 hash format automatically, so the attacker only needs to supply the password list and hash.txt.

cracking with john

  5. Alternatively, if the attacker does not have a password wordlist, hashcat can be used to crack the hash:

hashcat -m 5600 hash.txt

That’s all. I hope it’s useful for you; thanks for reading!
