👃Sniffing out a Foothold
LLMNR/NBT-NS Poisoning - from Linux
After enumerating the domain and finding some usernames, we will work through two different techniques side by side, network poisoning and password spraying, in order to find cleartext credentials and gain a foothold.
Here we cover the first of those two techniques: a Man-in-the-Middle attack on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) broadcasts.
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
You can find more in my article about address resolution in Active Directory:
If a machine attempts to resolve a host but DNS resolution fails, the machine will typically ask all other machines on the local network for the correct host address via LLMNR, and if LLMNR fails, NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name.
We will use Responder (responder.py) to answer these broadcast requests.
Timeline of an LLMNR/NBT-NS Poisoning
A host attempts to connect to the print server at \\print01.inlanefreight.local, but accidentally types in \\printer01.inlanefreight.local.
The DNS server responds, stating that this host is unknown.
The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.inlanefreight.local.
The attacker (us, with Responder running) responds to the host, stating that it is the \\printer01.inlanefreight.local that the host is looking for. The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
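The timeline above is the exchange a defender wants to recognise on the wire. As an added example (not code from this write-up, from Responder or from Inveigh), here is a small Python parser for LLMNR datagrams plus a check that flags any LLMNR answer the authoritative DNS would never have given; the packets, hostnames and IP addresses are constructed fixtures for the detector, not a real capture.

```python
import socket
import struct
# LLMNR (RFC 4795) reuses the DNS wire format: the query is multicast to 224.0.0.252 on UDP/5355
# and whichever host claims the name replies by unicast, which is the step a poisoner abuses.
def read_name(msg, off):
    """Decode a DNS-style label sequence at off (a compression pointer ends it); return (name, new_off)."""
    labels = []
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # 2-byte pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
def parse_llmnr(msg):
    """Return the id, response flag, queried names and (name, ipv4) answers of one datagram."""
    tid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append(name)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        answers.append((name, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else None))
    return {"id": tid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}
def find_unexpected_responders(datagrams, dns_zone):
    """datagrams: (src_ip, payload) seen on UDP/5355; dns_zone: {name: ip} from authoritative DNS. Reports answers DNS would not have given."""
    hits = []
    for src, payload in datagrams:
        msg = parse_llmnr(payload)
        for name, ip in (msg["answers"] if msg["is_response"] else []):
            if dns_zone.get(name.lower()) != ip:
                hits.append((src, name, ip))
    return hits

# Constructed sample traffic (not a real capture): the mistyped lookup for printer01 from the timeline,
# then a unicast reply from 10.10.10.99, which owns no such name. These helpers only build fixtures.
def sample_query(tid, name, flags=0, ancount=0):
    return (struct.pack("!HHHHHH", tid, flags, 1, ancount, 0, 0)
            + b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00\x00\x01\x00\x01")
def sample_answer(tid, name, ip, ttl=30):
    return sample_query(tid, name, 0x8000, 1) + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
SAMPLE = [("10.10.10.20", sample_query(0x1A2B, "printer01")), ("10.10.10.99", sample_answer(0x1A2B, "printer01", "10.10.10.99"))]
DNS_ZONE = {"print01": "10.10.10.5"}
```

Running `find_unexpected_responders(SAMPLE, DNS_ZONE)` reports 10.10.10.99 answering for printer01, which is exactly the reply step of the timeline; a legitimate answer that matches the DNS zone produces no hit.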
Using Responder
We first start Responder with its default settings ->
Best practice is to let it run in the background while we enumerate, to maximize the number of hashes we can obtain.
Once we have a few hits, we can crack them with hashcat using mode 5600 (NetNTLMv2) ->
This would be the syntax:
And if everything works, we should be able to gain a foothold in the domain and begin further enumeration.
Practical example
After pivoting to the target machine through SSH, I launch Responder and wait for some hashes to pop ->
We get a hit; now we copy and paste the hash into a file and hop onto hashcat ->
Looking back at the questions, we had to crack the hash of an account that starts with the letter B, so I relaunched Responder, waited for a bit, and did just what I did before.
LLMNR/NBT-NS Poisoning - from Windows
Now let's imagine we're on a Windows computer. We can also perform this attack from there; we're going to see the process with the Inveigh tool, which is similar to Responder but written in PowerShell and C#.
Start using Inveigh
Now we start Inveigh with LLMNR and NBNS spoofing enabled, outputting to the console and writing to a file.
And we see some hits; the interface is very similar to Responder's.
It's good to know that the PowerShell version is no longer updated; the author now maintains the C# version.
To run the C# tool we can just:
Practical Example
I first connect through RDP:
I find the Inveigh file:
I run the exe file:
And quickly get the hash of svc_qualys:
I take it on my local machine, put it in a file and launch hashcat: