Llmnr & nbt-ns poisoning attack
posted on 15 Jul 2022 under category Active-Directory in series Active_Directory
LLMNR stand for Link-Local Multicast Name Resolution and NetBIOS Name Service (NBT-NS) are two name services used by windows for resolving hostnames to IP addresses when a DNS request fails in a network.
In a network, if a machine tries to resolve a particular host and DNS fails to do so, the machine will communicate with other machines in the network using the LLMNR and ask if anyone knows the particular hosts.
In Active Directory environments, we often see that LLMNR is enabled and it is used widely. But using the LLMNR host resolution has a severe security impact, as when a non-existing host is searched using the LLMNR method. it broadcasts the request to every system that is connected to the local network. and if we have any compromised machine on the local network by default it will also receive the host query request and the compromised machine can also send the response to the victim machine. and in turn, ask for the password hash of the victim.
responder -I eth1 -dvw
You can see below that while listening for events, Responder has picked up an LLMNR query and has proceeded to poison these requests.
These LLMNR queries were not for any service that could be useful to an attacker, however, if we now go to one of the lab machines and accidentally mistype a file share name (making use of the SMB protocol), the victim computer will attempt to authenticate to this spoofed share. Please see below where we have tried to look up ‘\sshare’ which does not exist.
If we now check back with Responder, we can see that the authentication negotiation has taken place and we have now captured Jo Blogg’s username and NetNTLMv2 (NTLMv2) hash.
NTLMv2 hashes cannot be used in a Pass-the-Hash attack (which uses standard NTLM hashes), however, the hashes can be cracked to derive the cleartext password, which can be done using a cracking tool such as hashcat or John the Ripper. If you can obtain the cleartext credentials and the domain is configured to allow remote login via protocols such as SMB (i.e. FilterAdministratorToken is not set to 0 in the registry), you may be able to login to other hosts on the network. Please note that remote login is only possible where the victim user is a local administrator on the target machine.
hashcat -m 5600 hashes.txt rockyou.txt
- 5600 is modal called ‘netntlmv1’ network protocol
- used help hashcat –help
- rockyou is wordlist can download it seclist github
The simplest way to defend against LLMNR/NBT-NS poisoning is to disable both LLMNR and NBT-NS completely. For networks that use an ordinary DNS server for name resolution, disabling LLMNR and NBT-NS should have no adverse effects, and by disabling these services you will have closed a prominent security hole.