☣️LLMNR/NBT-NS Poisoning from Linux

Page 6 - LLMNR/NBT-NS Poisoning from Linux

Overview

This section covers Man-in-the-Middle (MITM) attacks on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) broadcasts to capture domain credentials and establish a foothold.

Attack Goal

  • Capture NetNTLMv2 hashes from network traffic

  • Crack hashes offline to obtain cleartext passwords

  • Gain initial domain foothold with valid credentials


LLMNR & NBT-NS Protocol Primer

What are LLMNR & NBT-NS?

Microsoft Windows components that serve as alternate name resolution methods when DNS fails:

LLMNR (Link-Local Multicast Name Resolution)

  • Purpose: Host identification when DNS fails

  • Port: 5355/UDP

  • Behavior: Multicasts the query to all hosts on the local network

  • Based on: DNS message format

NBT-NS (NetBIOS Name Service)

  • Purpose: System identification by NetBIOS name

  • Port: 137/UDP

  • Behavior: Used when LLMNR fails

  • Function: Local network name resolution

The Vulnerability

ANY host on the network can reply to LLMNR/NBT-NS requests!
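The decoder below is an added example, not code from this page or from Responder: it parses the two wire formats just described (LLMNR reusing the DNS message layout on 5355/UDP, NBT-NS carrying a first-level encoded NetBIOS name on 137/UDP) from constructed sample packets, so a defender can see exactly what a query and a spoofed answer look like on the wire. The name "fileshare", the transaction ids and the answering address 10.10.14.5 are made up for the sample.

```python
"""
Added example (not Responder's or any listed tool's code): decoders for the
two protocols described above. LLMNR on 5355/UDP reuses the DNS message
layout; NBT-NS on 137/UDP uses a DNS-like header but carries the NetBIOS name
in "first-level" encoding (each nibble sent as 'A' + nibble, 32 characters).
The packets at the bottom are constructed samples, not captured traffic.
"""
import socket
import struct

LLMNR_PORT = 5355   # multicast name resolution
NBNS_PORT = 137     # NetBIOS name service (broadcast)


def _read_name(data: bytes, offset: int):
    """Read a DNS label sequence at offset; return (dotted name, offset after it).
    Handles the 0xC0xx compression pointer that answers use to refer back to the question."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_llmnr(packet: bytes) -> dict:
    """Parse an LLMNR query or response: header, question section, answer section."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        data = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def decode_nbns_name(encoded: bytes) -> tuple:
    """Decode a 32-char first-level encoded NetBIOS name into (name, suffix byte).
    The 16th byte is the service suffix, e.g. 0x20 = file server, 0x00 = workstation."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_nbns_query(packet: bytes) -> dict:
    """Parse the name asked for in an NBT-NS NAME QUERY (12-byte header, then the encoded name)."""
    tid, flags = struct.unpack("!HH", packet[:4])
    if packet[12] != 32:
        raise ValueError("NBT-NS name label must be 32 bytes")
    name, suffix = decode_nbns_name(packet[13:45])
    return {"id": tid, "is_response": bool(flags & 0x8000), "name": name, "suffix": suffix}


# Constructed samples: a client asks for "fileshare" and some host answers with 10.10.14.5.
LLMNR_QUERY = (bytes.fromhex("1234 0000 0001 0000 0000 0000")
               + b"\x09fileshare\x00" + bytes.fromhex("0001 0001"))
LLMNR_RESPONSE = (bytes.fromhex("1234 8000 0001 0001 0000 0000")
                  + b"\x09fileshare\x00" + bytes.fromhex("0001 0001")
                  + bytes.fromhex("c00c 0001 0001 0000001e 0004") + bytes([10, 10, 14, 5]))
# NBT-NS query for "FILESHARE" (padded to 15 chars) with file-server suffix 0x20.
NBNS_QUERY = (bytes.fromhex("5678 0110 0001 0000 0000 0000")
              + b"\x20EGEJEMEFFDEIEBFCEFCACACACACACACA\x00" + bytes.fromhex("0020 0001"))

if __name__ == "__main__":
    print(parse_llmnr(LLMNR_QUERY))
    print(parse_llmnr(LLMNR_RESPONSE))
    print(parse_nbns_query(NBNS_QUERY))
```

Nothing in either packet authenticates the answer: the response carries only the transaction id the client chose and the name it asked for, which is exactly why the vulnerability stated above holds and why a sensor should treat any answer for an unexpected name as worth logging.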


Attack Methodology

Attack Flow Example

Technical Details

  • Spoofing: Pretend to be the requested host

  • Capture: NetNTLM authentication attempts

  • Result: Username + NTLMv2 password hash

  • Follow-up: Offline brute force or SMB relay


Tools for LLMNR/NBT-NS Poisoning

Tool         Description                                   Platform
Responder    Purpose-built LLMNR/NBT-NS poisoning tool     Linux/Windows
Inveigh      Cross-platform MITM platform                  PowerShell/C#
Metasploit   Built-in scanners and spoofing modules        Multi-platform

Supported Protocols

All three tools can poison or capture on:

  • LLMNR, DNS, MDNS, NBNS

  • DHCP, ICMP, HTTP, HTTPS

  • SMB, LDAP, WebDAV, Proxy Auth

Responder additionally supports:

  • MSSQL, DCE-RPC

  • FTP, POP3, IMAP, SMTP auth


Responder Tool Usage

Basic Commands

Key Responder Flags

Flag   Function             Notes
-I     Network interface    Required (or use IP with -i)
-A     Analyze mode         Passive listening only
-w     WPAD rogue proxy     Captures HTTP requests
-f     Fingerprint          OS version detection
-r     NetBIOS wredir       May break network functionality
-v     Verbose              Increased output
-F     Force WPAD auth      May cause login prompts
-P     Proxy auth           Force NTLM/Basic authentication

Required Network Ports

Responder needs these ports available:


Capturing Hashes with Responder

Starting a Capture Session

Hash Storage Locations

Log files stored in: /usr/share/responder/logs/

Naming convention: (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Examples:

Log File Types


Hash Cracking with Hashcat

Identifying Hash Type

NetNTLMv2 hashes are most common from Responder:

  • Hashcat mode: 5600

  • Cannot be used for Pass-the-Hash: it is a challenge/response value, not the NT hash, so it must be cracked

  • Format: Long string with multiple colons
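The following is an added example, not Responder's or hashcat's own code, and it serves both the log naming convention given earlier and this hash identification section: it splits a Responder log filename into its (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP) parts, tells a NetNTLMv2 line (mode 5600) from a NetNTLMv1 line (hashcat mode 5500) by its colon-separated field layout, and decodes the NTLMv2 client blob so an analyst can read the timestamp and which domain and computer the client believed it was authenticating to. The sample line, the user "alice", domain "CORP", the challenge and HMAC values and the filename are all constructed.

```python
"""
Added example (not Responder's or hashcat's code): triage helpers for what
Responder writes to its logs directory. parse_log_filename() splits the
(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt convention, identify_netntlm()
tells NetNTLMv1 (hashcat mode 5500) from NetNTLMv2 (mode 5600) by field layout,
and parse_ntlmv2_blob() decodes the client blob, which shows why a NetNTLMv2
line is a one-off challenge/response rather than a reusable NT hash.
All sample values below are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids carried in the NTLMv2 blob (MS-NLMP AV_PAIR); id 0 terminates the list
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp", 9: "TargetName"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here


def parse_log_filename(name: str) -> dict:
    """'SMB-NTLMv2-SSP-10.10.5.7.txt' -> module, hash type (may itself contain '-') and client IP."""
    stem = name[:-4] if name.endswith(".txt") else name
    module, rest = stem.split("-", 1)
    hash_type, client_ip = rest.rsplit("-", 1)
    return {"module": module, "hash_type": hash_type, "client_ip": client_ip}


def identify_netntlm(line: str) -> dict:
    """Classify one captured line by its colon-separated layout:
       5600  user::domain:server_challenge(16 hex):HMAC-MD5(32 hex):blob(variable)
       5500  user::domain:LM_response(48 hex):NT_response(48 hex):server_challenge(16 hex)"""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a NetNTLM line in Responder/hashcat layout")
    user, _, domain, f3, f4, f5 = parts
    if len(f3) == 16 and len(f4) == 32 and len(f5) > 32:
        kind, mode, challenge = "NetNTLMv2", 5600, f3
    elif len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        kind, mode, challenge = "NetNTLMv1", 5500, f5
    else:
        raise ValueError("field lengths match neither NetNTLMv1 nor NetNTLMv2")
    return {"user": user, "domain": domain, "type": kind,
            "hashcat_mode": mode, "server_challenge": challenge}


def parse_ntlmv2_blob(blob_hex: str) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE: response type, client timestamp, client nonce, AV pairs."""
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("unexpected RespType/HiRespType bytes")
    filetime, client_challenge = struct.unpack("<Q8s", blob[8:24])   # bytes 2..7 are reserved
    timestamp = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    pairs, offset = {}, 28                                           # 4 reserved bytes after the nonce
    while True:
        av_id, av_len = struct.unpack("<HH", blob[offset:offset + 4])
        offset += 4
        if av_id == 0:                                               # MsvAvEOL
            break
        value = blob[offset:offset + av_len]
        offset += av_len
        if av_id == 7:
            pairs["Timestamp"] = struct.unpack("<Q", value)[0]
        else:
            pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = value.decode("utf-16-le")
    return {"timestamp": timestamp, "client_challenge": client_challenge.hex(), "av_pairs": pairs}


# Constructed NetNTLMv2 line: the HMAC is arbitrary (no password behind it); the blob decodes to
# timestamp 1970-01-01, nonce aabbccddeeff0011, NbDomainName "CORP", NbComputerName "DC01".
SAMPLE_BLOB = ("0101000000000000" "00803ed5deb19d01" "aabbccddeeff0011" "00000000"
               "02000800" "43004f0052005000" "01000800" "4400430030003100" "00000000" "00000000")
SAMPLE_LINE = "alice::CORP:1122334455667788:5f1e2d3c4b5a69780f1e2d3c4b5a6978:" + SAMPLE_BLOB
SAMPLE_FILENAME = "SMB-NTLMv2-SSP-10.10.5.7.txt"

if __name__ == "__main__":
    print(parse_log_filename(SAMPLE_FILENAME))
    info = identify_netntlm(SAMPLE_LINE)
    print(info)
    if info["type"] == "NetNTLMv2":
        print(parse_ntlmv2_blob(SAMPLE_LINE.split(":")[5]))
```

The server challenge and the client nonce are what make each line unique: two captures of the same user and password never match, so the value cannot be replayed and, as the list above says, has to be cracked. The AV pairs are the useful triage detail for a defender, since they name the host the client was actually trying to reach when it was poisoned.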

Basic Hashcat Cracking

Example Successful Crack


Advanced Techniques

WPAD Poisoning

Web Proxy Auto-Discovery captures HTTP traffic:

Multi-Protocol Capture

Responder captures multiple authentication types:

  • SMB: File share access attempts

  • HTTP: Web authentication

  • LDAP: Directory service queries

  • Proxy: Browser proxy authentication

Operational Considerations

Best practices:

  • Run continuously during assessment

  • Use tmux/screen for persistent sessions

  • Monitor multiple interfaces if available

  • Combine with other techniques (password spraying)


Lab Exercises & Solutions

Lab Environment

  • Target: 10.129.226.51 (ACADEMY-EA-ATTACK01)

  • Credentials: htb-student:HTB_@cademy_stdnt!

  • Network: Internal AD environment

Question 1: Capture Hash for User Starting with 'b'

Task: Run Responder and obtain hash for user account starting with letter 'b'

Solution:

Answer: backupagent

Question 2: Crack the Previous Hash

Task: Crack the hash for the backupagent account

Solution:

Answer: h1backup55

Question 3: Capture and Crack Hash for User 'wley'

Task: Obtain NTLMv2 hash for user wley and crack it

Solution:

Answer: transporter@4


Detection and Evasion

Blue Team Detection Methods

  • Network monitoring for unusual multicast traffic

  • DNS logging for failed resolution patterns

  • Authentication monitoring for rapid hash attempts

  • Network segmentation to limit broadcast domains
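The following is an added example, not from the page or from any tool it lists, of the network-monitoring item in the list above: detection logic run over decoded LLMNR/NBT-NS events of the kind a passive sensor on 5355/UDP and 137/UDP would produce. It uses two signals that follow directly from "any host can reply": a canary name the defender queries on purpose and never registers, so any answer for it comes from a poisoner, and the number of distinct names one source answers, since a legitimate host only answers for its own name. The event list, the host names, the addresses and the threshold are all constructed or assumed.

```python
"""
Added example (not from the page or any tool it lists): detection logic for
LLMNR/NBT-NS poisoning, run over decoded name-resolution events such as a
passive sensor on 5355/UDP and 137/UDP would produce. Signals used:
  1. an answer for a canary name that no host owns  -> definite poisoner
  2. one source answering many distinct names        -> behaves like a poisoner
  3. a name answered by more than one source         -> someone is racing the owner
The event list, names and addresses below are constructed, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass

CANARY_NAMES = {"canary-fs01"}   # assumption: names the defender queries on purpose and no host owns
DISTINCT_NAME_THRESHOLD = 3      # assumption: hosts with many aliases may need a higher value


@dataclass(frozen=True)
class NameEvent:
    ts: float            # seconds since start of the capture window
    proto: str           # "LLMNR" or "NBNS"
    src: str             # source IPv4 of the packet
    is_response: bool
    name: str            # name queried or answered
    answer_ip: str = ""  # address returned in a response


def detect_poisoners(events) -> dict:
    """Return {"suspects": {src: [reasons]}, "contended_names": {name: [srcs]}} for one window."""
    answered = defaultdict(set)     # src -> names it answered
    responders = defaultdict(set)   # name -> sources that answered it
    for ev in events:
        if not ev.is_response:
            continue
        name = ev.name.lower()
        answered[ev.src].add(name)
        responders[name].add(ev.src)

    suspects = defaultdict(list)
    for src, names in answered.items():
        canaries = sorted(names & CANARY_NAMES)
        if canaries:
            suspects[src].append(f"answered canary name(s) {canaries}; no real host owns these")
        if len(names) >= DISTINCT_NAME_THRESHOLD:
            suspects[src].append(f"answered {len(names)} distinct names {sorted(names)}; "
                                 "a real host answers only for its own name")
    # A name answered by more than one source means someone is racing the real owner.
    contended = {n: sorted(s) for n, s in responders.items() if len(s) > 1}
    return {"suspects": dict(suspects), "contended_names": contended}


# Constructed window: three clients ask for names, 10.0.0.99 answers all of them
# (including the canary), while the real DC 10.0.0.10 only answers for itself.
SAMPLE_EVENTS = [
    NameEvent(1.00, "LLMNR", "10.0.0.21", False, "fileshare"),
    NameEvent(1.10, "LLMNR", "10.0.0.99", True, "fileshare", "10.0.0.99"),
    NameEvent(5.00, "NBNS", "10.0.0.22", False, "PRNTSRV"),
    NameEvent(5.10, "NBNS", "10.0.0.99", True, "PRNTSRV", "10.0.0.99"),
    NameEvent(9.00, "LLMNR", "10.0.0.23", False, "dc01"),
    NameEvent(9.05, "LLMNR", "10.0.0.10", True, "dc01", "10.0.0.10"),
    NameEvent(9.10, "LLMNR", "10.0.0.99", True, "dc01", "10.0.0.99"),
    NameEvent(20.00, "LLMNR", "10.0.0.5", False, "canary-fs01"),
    NameEvent(20.10, "LLMNR", "10.0.0.99", True, "canary-fs01", "10.0.0.99"),
]

if __name__ == "__main__":
    result = detect_poisoners(SAMPLE_EVENTS)
    for src, reasons in result["suspects"].items():
        print(src)
        for reason in reasons:
            print("  -", reason)
    print("contended:", result["contended_names"])
```

The canary signal only works if something on the segment actually sends queries for the canary name at intervals; the distinct-name count works on ordinary traffic alone but needs a per-site threshold. Both signals go quiet once LLMNR and NBT-NS are disabled, which is the stronger fix listed under Defensive Recommendations.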

Red Team Evasion Techniques

  • Selective poisoning (target specific hosts)

  • Time-based attacks (poison during business hours)

  • Protocol selection (focus on less monitored protocols)

  • Legitimate-looking responses (match network naming schemes)


Common Issues & Troubleshooting

Responder Not Capturing Hashes

Check:

  1. Network interface is correct

  2. Ports are available (kill conflicting services)

  3. Network activity exists (users accessing resources)

  4. Permissions (run as root/sudo)

Hashcat Not Cracking

Considerations:

  1. Hash format is correct (mode 5600 for NetNTLMv2)

  2. Wordlist path is valid

  3. Hardware capabilities (GPU vs CPU)

  4. Password complexity (may need larger wordlists)

Network Impact

Potential issues:

  • Service disruption from poisoned responses

  • Network instability if using -r flag

  • Alerting security teams to testing activity


Key Takeaways

Attack Value

  • Low technical barrier to entry

  • High success rate in many environments

  • Provides domain foothold for further attacks

  • Passive collection while performing other tasks

Defensive Recommendations

  1. Disable LLMNR/NBT-NS where possible

  2. Implement network segmentation

  3. Monitor authentication patterns

  4. Use strong password policies

  5. Deploy SMB signing to prevent relay attacks

Operational Tips

  • Start early in assessment (passive collection)

  • Run continuously during testing

  • Combine with enumeration activities

  • Prioritize hash cracking based on enumeration results


Command Reference

Responder Operations

Hash Processing

Log Analysis

This poisoning technique provides an excellent foothold for domain penetration testing by exploiting fundamental Windows networking protocols.
