LLMNR Poisoning
What is LLMNR?
It is Link-Local Multicast Name Resolution, a fallback name resolution protocol that works much like DNS.
Windows falls back to it when DNS fails to resolve a host name; whichever host answers the multicast query can then receive the user's NTLM hash when the client tries to authenticate to it.
Its predecessor is NBT-NS (NetBIOS Name Service).
---
What tools do we use?
responder.py -I tun0 -rdw
Run this in the morning or when network traffic is heavy, so that more user activity is captured.
It captures user hashes when a user mistypes a hostname or IP, etc.
Capture the hashes, then crack them with hashcat.
The user types in login info, and the client sends the hash to the attacker.
To mitigate LLMNR poisoning, you have to disable both LLMNR and NBT-NS.
To disable LLMNR --> enable "Turn off multicast name resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
To disable NBT-NS, navigate to Network Connections > network adapter properties > TCP/IPv4 properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP".
What if a company cannot disable LLMNR/NBT-NS?
Enable network access control (NAC).
Require strong user passwords (longer than 14 characters).
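The two mitigation steps above can be audited and applied from an elevated PowerShell session. This is an added example, not part of the original notes: it writes the same registry values that the GPO setting and the WINS tab write (EnableMulticast = 0 for LLMNR, NetbiosOptions = 2 per interface for NBT-NS). The $Apply switch is my own convention; leave it $false to audit only.

```powershell
# Added example (not from the original notes): audit and disable LLMNR and
# NetBIOS over TCP/IP on a Windows host. Run in an elevated PowerShell session.
$Apply = $false   # $false = report only, $true = also change the configuration

# --- LLMNR: the "Turn off multicast name resolution" policy writes this value ---
$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$current = (Get-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($current -eq 0) {
    Write-Output 'LLMNR: already disabled (EnableMulticast = 0)'
} else {
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "LLMNR: ENABLED (EnableMulticast = $shown)"
    if ($Apply) {
        if (-not (Test-Path $dnsClientPolicy)) { New-Item -Path $dnsClientPolicy -Force | Out-Null }
        Set-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -Value 0 -Type DWord
        Write-Output 'LLMNR: disabled'
    }
}

# --- NBT-NS: NetbiosOptions per interface (0 = use DHCP setting, 1 = enabled, 2 = disabled) ---
# The WINS tab writes this value for the selected adapter; here every interface is covered.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtRoot | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) {
        Write-Output "NBT-NS: disabled on $($_.PSChildName)"
    } else {
        Write-Output "NBT-NS: ENABLED on $($_.PSChildName) (NetbiosOptions = $opt)"
        if ($Apply) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Output "NBT-NS: disabled on $($_.PSChildName)"
        }
    }
}
```

A NetbiosOptions value of 0 still leaves NBT-NS on whenever DHCP does not say otherwise, which is why the script treats anything other than 2 as enabled. In a domain, push the same two settings through Group Policy rather than per host.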
SMB relay
Instead of cracking the hashes we capture with Responder, we can relay them to specific machines and potentially gain access.
Requirements: SMB signing must be disabled on the target.
The relayed user's credentials must be a local admin on the target machine.
Steps:
1. Go to File Explorer > Network and enable network sharing.
2. Follow the steps below:
Discover whether a host's SMB signing is disabled:
Nessus
Nmap (use the specific script):
nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24
There is also a GitHub script that does this.
Vulnerable hosts report: SMB signing enabled but not required!
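The condition the nmap script reports ("enabled but not required") can be checked and fixed on the Windows host itself. This is an added example, not from the original notes, using the built-in SmbShare cmdlets (Windows 8 / Server 2012 and later); the $Enforce switch is my own convention.

```powershell
# Added example (not from the original notes): report the SMB signing state of
# this host and optionally require signing on both the server and client side.
# Run in an elevated PowerShell session.
$Enforce = $false   # $false = report only, $true = require signing

function Get-SigningState {
    param([bool]$Enabled, [bool]$Required)
    # Maps the two flags to the wording the nmap smb2-security-mode script uses.
    if ($Required) { return 'enabled and required' }
    if ($Enabled)  { return 'enabled but NOT required (relayable)' }
    return 'disabled (relayable)'
}

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

Write-Output ("SMB server signing: " + (Get-SigningState $server.EnableSecuritySignature $server.RequireSecuritySignature))
Write-Output ("SMB client signing: " + (Get-SigningState $client.EnableSecuritySignature $client.RequireSecuritySignature))

# Cross-check the policy-backed registry value that the GPO
# "Microsoft network server: Digitally sign communications (always)" writes.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = (Get-ItemProperty -Path $lanman -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
Write-Output "LanmanServer\RequireSecuritySignature registry value: $(if ($null -eq $reg) { 'not set' } else { $reg })"

if ($Enforce) {
    # Requiring signing on the server side is what makes this host a non-viable relay target.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Requiring it on the client side stops this host's users from being relayed elsewhere.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Output 'SMB signing is now required on server and client.'
}
```

Requiring signing adds a small CPU cost per SMB packet and breaks clients that cannot sign, so check the report output across the fleet before flipping $Enforce, and set it domain-wide through Group Policy rather than host by host.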
Create a txt file that contains the victim machine's IP.
Edit the Responder config file: gedit /etc/responder/Responder.conf
Turn off SMB and HTTP in that file.
Run Responder: responder -I eth0 -rdwv
Set up the relay machine:
ntlmrelayx.py -tf target.txt -smb2support
You need two user machines with admin privileges for this attack to work (one is used to relay in).
On the other user machine, enter the IP address in File Explorer to trigger the authentication to the target.
Now you have the hashes!