LLMNR Poisoning: An AD Attack

Aditya Jha
3 min readJul 11, 2023

What is LLMNR?

  • LLMNR Stands for Link Local Multicast Name Resolution.
  • Used to identify host when DNS fails to do so.
  • Previously known as NBT-NS.
  • Key flaw is that the services utilize a user’s username and NTLMv2 hash when appropriately responded to.

STEPS:

Step 1: Run Responder

python Responder.py -I tun0 -rdw

We run responder at first may be in the morning or after the lunch because it needs a lot of traffic. We run this before any nmap scan or nessus scan.

Step 2: An event occurs…

Step 3: Get Dem Hashes

Step 4: Crack Dem Hash

Command: hashcat -m 5600 hashes.txt rockyou.txt

Capturing NTLMv2 Hashes with Responder

Firstly we will start the responder.

Command: Responder -I eth0 -rdwv

I- Interface

v- verbosity(used to print the hash more than once.)

rdw- common settings

Now when the client will ask for an address then it will catch the hash. It will look something like this:

This is the great attack vector and most of the clients uses LLMNR so if the client never performed any pentest then it could be a great start.

Now after that, we will get the hash and we can finally crack the hash using Hashcat.

Password Cracking with Hashcat:

Hashcat is a tool which is used to crack the hashes.

Now, we will copy the hash and save it in a file and we can name it anything like ntlmhash.txt.

We can use Hashcat both on Linux and windows machine.

Command for Linux: hashcat -m 5600 ntlmhash.txt rockyou.txt

Here,
m- It stands for the module and 5600 module is used to crack the hash of NTLMv2.

ntlmhash.txt- It will contain the hash that we have captured in LLMNR Poising.

rockyou.txt- This txt file will contain a large number of possible passwords that can be used to crack hashes and brute force passwords.

Command in windows: hashcat.exe -m 5600 ntlmhash.txt rockyou.txt

As we can see in the above screenshot we got the password.

LLMNR Poisoning Defence:

Mitigation

The best defence in this case is to disable LLMNR and NBT-NS.

  • To disable LLMNR select “Turn OFF Multicast Name Resolution” under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
  • To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP”.

If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:

  • Require Network Access Control.
  • Require strong user passwords (e.g., Greater than 14 characters in length and limit common word usage). The more complex and long the password, the harder it is for an attacker to crack the hash.

--

--