LLMNR/NBT-NS Poisoning and Relay

ID: T1171 Tactic: Credential Access

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR(UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords. In some cases where the adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.

Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.

Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP Authentication.

Responder is an Active Directory/Windows environment takeover tool suite that can stealthy take over any default active directory environment (including Windows 2012) in minutes or hours. Most of the attacks on this tool are hard to detect and are highly successful.

In simple words how those this work, well if a client/target cannot resolve a name via DNS it will fall back to name resolution via LLMNR and NBT-NS. Now, assuming we have Responder running it will say 'yeah. this is me' to all of the LLMNR and NBT-NS requests that we see, and then traffic will be redirected to us.

By default responder is set to only answer to File Server Service requests (SMB) but of course we have multiple options HTTP/MSSQL/LDAP/FTP/RDP and a few others to mention.

Let's see some example I will work on the Default protocol that responder listen's to and that is SMB.

Once a foothold in the network, let's say a KaliBox (Raspberry Pi) we can run responder to start listening for Traffic.

This Demo will be simple a user tries to access a Drive via the Run... command then They will misspell a Share which responder will respond to it. But this won't work if the User spelled correctly or is accessing an Existing share this will only work if it is misspelled or trying to access an un-existing share.

The user tries to access a share. See how Delta is misspelled. DELTTA

Since it doesn't exist and windows can't resolve this request it will go to LLMNR and respond to this.

What can we do with this hash we there are a few options to work with this, we can do a Relay Attack or use Hashcat/John to crack the hash and grab a clear-text credential.

john john-hasht.txt --wordlist=/usr/share/wordlists/rockyou.txt

John the Ripper cracked the NTLMv2 hash with the password of Password1

There is a windows version of this tool named Invoke-Inveigh that can have the same attack method and all from a windows machine when a Linux box or Python is not available.

Last updated