search
GithubTwitter

LLMNR Poisoning

hashtag
What is LLMNR?

  • Used to identify hosts when DNS fails

  • Previously known as NBT-NS

  • Key flaw: services utilize a user's username and NTLMv2 hash when appropriately responded too

hashtag
Attack Flow

  • Trick victim into connecting to malicious server under our control

  • Capture hash

  • Service name cannot be resolvable over DNS

hashtag
Exploitation

# Run responder
python responder.py -I tun0 -rdwv

# Crack hash with hashcat
hashcat -a 0 -m 5600 hashes.txt rockyou.txt

hashtag
Mitigation

  • Disable LLMNR and NBT-NS

  • If the functions can't be disabled, then

    • require Network Access Control

    • require strong password policy

PreviousMITM & Relay AttacksNextSMB Relay

Last updated