LLMNR/NBT-NS Poisoning - Linux
Depending on the network, this attack may provide low-privileged or administrative level password hashes that can be cracked offline or even cleartext credentials.
Example of LLMNR/NBT-NS Poisoning
- A host attempts to connect to the print server at \\print01.legalcorp.local, but accidentally types in \\printer01.legalcorp.local.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.legalcorp.local.
- The attacker (us, with Responder running) responds to the host stating that it is the \\printer01.legalcorp.local that the host is looking for.
- The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
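The sequence above turns on one property of the poisoner: it answers a name query for a host that does not exist. A defender can use that same property as a canary. The following Python script, added here as an illustration and not part of the original notes or of Responder, builds a raw LLMNR A-record query for a random name that no real host can own, sends it to the 224.0.0.252:5355 multicast group, and reports any host that answers. The packet layout (a DNS-style header and question, QR bit set on responses) is standard LLMNR; the canary name prefix `llmnr-canary-` and the two-second wait are assumptions.

```python
import os
import socket
import struct

# LLMNR is DNS-shaped UDP traffic sent to the 224.0.0.252 multicast group on port 5355.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name, txid=None):
    """Return (txid, packet) for an LLMNR A-record query: flags=0, one question."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def skip_name(data, offset):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_llmnr_answers(data, expected_txid):
    """Return the IPv4 addresses in the answer section of a response to expected_txid.

    Returns [] for queries, malformed packets, or responses with another transaction ID.
    """
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:  # QR bit is set only on responses
        return []
    ips = []
    try:
        offset = 12
        for _ in range(qd):
            offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
        for _ in range(an):
            offset = skip_name(data, offset)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(rdata))
    except (struct.error, IndexError):
        return []  # truncated or garbage packet: treat as no answer
    return ips


def probe_for_poisoner(name, timeout=2.0):
    """Ask the LAN for a name that cannot legitimately exist and collect whoever answers.

    Returns a list of (source_ip, [answered_ips]). Any entry means some host on the
    segment is answering arbitrary LLMNR names, which is exactly what a poisoner does.
    """
    txid, packet = build_llmnr_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    responders = []
    try:
        sock.sendto(packet, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src_ip, _port) = sock.recvfrom(1024)
            except socket.timeout:
                break
            answered = parse_llmnr_answers(data, txid)
            if answered:
                responders.append((src_ip, answered))
    finally:
        sock.close()
    return responders


if __name__ == "__main__":
    # A random label guarantees no real host owns the name, so any answer is suspicious.
    canary = "llmnr-canary-%s" % os.urandom(4).hex()  # assumed prefix
    hits = probe_for_poisoner(canary)
    if hits:
        for src, ips in hits:
            print("ALERT: %s answered %s with %s" % (src, canary, ", ".join(ips)))
    else:
        print("no LLMNR answers for %s" % canary)
```

Run it periodically from a monitoring host on each broadcast domain; a clean network never answers the canary, so a single hit is worth an alert. The same check is cheap to extend to NBT-NS on UDP 137, and the long-term fix remains disabling LLMNR and NBT-NS on the clients via group policy.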
Responder in Action
If we are successful and manage to capture a hash, Responder will print it out on screen and write it to a log file per host located in the /usr/share/responder/logs directory. Hashes are saved in the format (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt, and one hash per host is printed to the console and stored in its associated log file unless -v mode is enabled.
Any of the rogue servers (i.e., SMB) can be disabled in the
neutron@kali[/kali]$ ls
Analyzer-Session.log
Config-Responder.log
HTTP-NTLMv2-172.16.5.200.txt
Poisoners-Session.log
Proxy-Auth-NTLMv2-172.16.5.200.txt
Responder-Session.log
SMB-NTLMv2-SSP-172.16.5.200.txt
SMB-NTLMv2-SSP-172.16.5.25.txt
SMB-NTLMv2-SSP-172.16.5.50.txt
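Once an engagement is over, the listing above is the artefact the defending team receives: every hash file names a host that fell for the poisoning and the protocol it authenticated over, which is the list of machines that need LLMNR/NBT-NS disabled and of accounts whose passwords should be rotated. The following Python helper is an added example, not part of the original notes or of Responder; it parses the (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt naming scheme and groups the results per client. Because both the module (Proxy-Auth) and the hash type (NTLMv2-SSP) can contain hyphens, it anchors on the NTLMv1/NTLMv2 hash types seen on this page rather than splitting on "-"; other hash-type spellings Responder may use are not covered and are reported as unparsed.

```python
import os
import re
from collections import defaultdict

# Log names look like MODULE-HASHTYPE-CLIENTIP.txt. Both MODULE and HASHTYPE can contain
# hyphens (Proxy-Auth, NTLMv2-SSP), so anchor on the known hash types and let the
# non-greedy module group absorb whatever precedes them.
LOG_NAME = re.compile(
    r"^(?P<module>.+?)-(?P<hash_type>NTLMv[12](?:-SSP)?)-"
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\.txt$"
)


def parse_log_name(filename):
    """Return (module, hash_type, client_ip), or None for files such as *-Session.log."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    return m.group("module"), m.group("hash_type"), m.group("client_ip")


def summarize(filenames):
    """Map each client IP to the sorted 'MODULE/HASHTYPE' channels it authenticated over."""
    by_host = defaultdict(set)
    for name in filenames:
        parsed = parse_log_name(name)
        if parsed:
            module, hash_type, ip = parsed
            by_host[ip].add("%s/%s" % (module, hash_type))
    return {ip: sorted(channels) for ip, channels in by_host.items()}


def unparsed(filenames):
    """Return the .txt entries the regex did not recognise, so nothing is silently dropped."""
    return sorted(n for n in filenames if n.endswith(".txt") and parse_log_name(n) is None)


def summarize_dir(path="/usr/share/responder/logs"):
    """Summarize a real Responder logs directory (path from the page; must exist locally)."""
    return summarize(os.listdir(path))


# Constructed listing mirroring the directory shown on the page.
SAMPLE_LISTING = [
    "Analyzer-Session.log", "Config-Responder.log", "HTTP-NTLMv2-172.16.5.200.txt",
    "Poisoners-Session.log", "Proxy-Auth-NTLMv2-172.16.5.200.txt", "Responder-Session.log",
    "SMB-NTLMv2-SSP-172.16.5.200.txt", "SMB-NTLMv2-SSP-172.16.5.25.txt",
    "SMB-NTLMv2-SSP-172.16.5.50.txt",
]

if __name__ == "__main__":
    for ip, channels in sorted(summarize(SAMPLE_LISTING).items()):
        print(ip, "->", ", ".join(channels))
    for name in unparsed(SAMPLE_LISTING):
        print("unparsed:", name)
```

For the sample listing this reports 172.16.5.200 authenticating over HTTP, Proxy-Auth and SMB, and 172.16.5.25 and 172.16.5.50 over SMB only, which is the per-host remediation list a report should carry.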
Starting Responder with Default Settings
sudo responder -I ens224
Typically we should start Responder and let it run for a while in a tmux window while we perform other enumeration tasks, to maximize the number of hashes that we can obtain. Once we are ready, we can pass these hashes to Hashcat using hash mode 5600 for the NTLMv2 hashes that we typically obtain with Responder. We may at times obtain NTLMv1 hashes and other types of hashes.
NetNTLMv2 hashes are very useful once cracked, but cannot be used for techniques such as pass-the-hash, meaning we have to attempt to crack them offline.
neutron@kali[/kali]$ hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<SNIP>
Lucky for us, our target domain allows weak 8-character passwords. This hash type can be "slow" to crack even on a GPU cracking rig, so large and complex passwords may be difficult or impossible to crack within a reasonable amount of time.