LLMNR/NBT-NS Poisoning - Linux
Depending on the network, this attack may provide low-privileged or administrative level password hashes that can be cracked offline or even cleartext credentials.
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
Example of LLMNR/NBT-NS Poisoning
- A host attempts to connect to the print server at \\print01.legalcorp.local, but accidentally types in \\printer01.legalcorp.local.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.legalcorp.local.
- The attacker (us with Responder running) responds to the host stating that it is the \\printer01.legalcorp.local that the host is looking for.
- The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
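The honeypot-style detection that follows from the flow above, added here as an example that is not part of the original notes or of Responder: a defender periodically issues an LLMNR query for a name no host has registered, and because nothing legitimate should answer, any reply to that probe identifies a poisoner on the segment. The transaction id, the honeytoken name printer01, the responding address 172.16.5.225 and all function names are constructed for the example; sending the probe to 224.0.0.252:5355 and collecting replies with a socket is left to the caller.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1  # LLMNR (RFC 4795) reuses the DNS wire format on UDP 5355 / 224.0.0.252

def encode_name(name):  # hostname -> DNS-style length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_probe(txid, name):  # LLMNR A query for a honeytoken name no real host has registered
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def decode_name(data, off):
    """Read labels at off, following one compression pointer (0xC0xx) if present."""
    labels = []
    while data[off] != 0 and data[off] & 0xC0 != 0xC0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    if data[off] == 0:
        return ".".join(labels), off + 1
    ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
    return ".".join(labels + [decode_name(data, ptr)[0]]), off + 2

def parse_a_answers(reply):
    """(name, ipv4) for every A record in an LLMNR reply; the echoed question section is skipped."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", reply[:12])
    off, out = 12, []
    for _ in range(qd):
        off = decode_name(reply, off)[1] + 4          # + QTYPE and QCLASS
    for _ in range(an):
        name, off = decode_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            out.append((name, socket.inet_ntoa(reply[off:off + 4])))
        off += rdlen
    return out

def check_probe_reply(txid, probe_name, reply, sender_ip):
    """Nobody legitimately owns the honeytoken name, so any matching answer marks a poisoner."""
    rtxid, flags = struct.unpack("!HH", reply[:4])
    if rtxid != txid or not flags & 0x8000:          # wrong transaction id or not a response
        return []
    return [f"LLMNR poisoning suspected: {sender_ip} claims {n} is {ip}"
            for n, ip in parse_a_answers(reply) if n.lower() == probe_name.lower()]

def constructed_reply(txid, name, ip):  # offline test input only: the answer a rogue host would return
    return (struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + build_probe(txid, name)[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(ip))
```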
Responder in Action
If we are successful and manage to capture a hash, Responder will print it out on screen and write it to a log file per host located in the /usr/share/responder/logs directory. Hashes are saved in the format (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt, and one hash is printed to the console and stored in its associated log file unless -v mode is enabled.
Any of the rogue servers (e.g., SMB) can be disabled in the Responder.conf file.
neutron@kali[/kali]$ ls
Analyzer-Session.log Responder-Session.log
Config-Responder.log SMB-NTLMv2-SSP-172.16.5.200.txt
HTTP-NTLMv2-172.16.5.200.txt SMB-NTLMv2-SSP-172.16.5.25.txt
Poisoners-Session.log SMB-NTLMv2-SSP-172.16.5.50.txt
Proxy-Auth-NTLMv2-172.16.5.200.txt
Starting Responder with Default Settings
sudo responder -I ens224
Typically we should start Responder and let it run for a while in a tmux window while we perform other enumeration tasks to maximize the number of hashes that we can obtain. Once we are ready, we can pass these hashes to Hashcat using hash mode 5600 for the NTLMv2 hashes that we typically obtain with Responder. We may at times obtain NTLMv1 hashes and other types of hashes.
NetNTLMv2 hashes are very useful once cracked, but cannot be used for techniques such as pass-the-hash, meaning we have to attempt to crack them offline.
neutron@kali[/kali]$ hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<SNIP>
Lucky for us, our target domain allows weak 8-character passwords. This hash type can be "slow" to crack even on a GPU cracking rig, so large and complex passwords may be more difficult or impossible to crack within a reasonable amount of time.