Attacks - Active Directory Hacking

LLMNR Poisoning

What is LLMNR Poisoning?

LLMNR (Link-Local Multicast Name Resolution) Poisoning is an attack that exploits a Windows protocol used for name resolution when DNS fails. The attacker responds to LLMNR name queries, pretending to be the legitimate resource, and captures authentication attempts.

How it works?

  1. A user tries to access a network resource that is not in DNS.
  2. DNS lookup fails and LLMNR is used instead.
  3. System sends LLMNR broadcast to resolve name of resource requested.
  4. Attacker responds to the broadcast with a fake response.
  5. Target machine sends authentication hash to attacker machine.
  6. Attacker captures and attempts to crack the hash to gain access.

image source: tcm security

Demo Time

Weā€™ll use Responder to perform LLMNR poisoning. Responder is a tool designed to respond to specific NBT-NS (NetBIOS Name Service) queries and LLMNR queries.

First, start Responder:

sudo responder -I eth0 -dvwr

Now wait for someone on the network to mistype a share name or for DNS to fail. When this happens, youā€™ll see something like this:

[SMB] NTLMv2-SSP Client   : 192.168.1.10
[SMB] NTLMv2-SSP Username : LAB\administrator
[SMB] NTLMv2-SSP Hash     : administrator::LAB:1122334455667788:A1B2C3D4E5F6G7H8:0101000000000000..................................

You can then crack these hashes using hashcat:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Note: Best time to start LLMNR Poisoning is in the morning when people are still in the office and afternoon when people are out for lunch.

Mitigation

To protect against LLMNR Poisoning attacks:

  1. Disable LLMNR and NBT-NS

    • Through Group Policy
    • Under Computer Configuration > Administrative Templates
    • Turn off Multicast Name Resolution

  2. Network Security

    • Implement Network Access Control
    • Use Network Segmentation
    • Enable SMB Signing

  3. Authentication Security

    • Enforce Strong Password Policies
    • Use Multi-Factor Authentication
    • Implement Account Lockout Policies

  4. Monitoring

    • Monitor Network Traffic
    • Look for Suspicious Activities
    • Enable Logging

  5. Additional Measures

    • Keep Systems Updated
    • Use DNS Entries for All Resources
    • Train Users About Security Best Practices