LLMNR (Link-Local Multicast Name Resolution) is a protocol that acts as a fallback when a DNS lookup fails on a network. It allows a device to resolve a hostname to an IP address by asking the local subnet directly.
The security risk is as follows. If a user mistypes a hostname, or requests one that does not exist on the network, LLMNR is used to ask the whole subnet whether the requested name exists. If an attacker is sitting on that subnet, they can receive the request and respond to it, claiming to be the requested resource. The user's machine then authenticates to access the resource, which sends the user's NTLMv2 hash to the attacker. Depending on the complexity of the password, the hash can be cracked with Hashcat or John the Ripper, exposing the user's credentials.
This is also a kind of MITM attack, since the attacker already has initial access to the network and is answering requests from unsuspecting users who believe they are accessing a legitimate resource.
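The flip side of the fallback just described is that it is easy to test for from the defender's seat: a query for a name that cannot exist should get no LLMNR answer at all, so any host that answers it is claiming a resource it does not own. The script below is an added example (not code from the original write-up or from Responder) that builds an LLMNR query in the RFC 4795 wire format, parses replies, and reports any host that answers a random "canary" name. The multicast group 224.0.0.252 and port 5355 are the protocol's own; the canary name, the sample IPs and the sample_poisoned_reply fixture are constructed for illustration.

```python
"""Added example (not from the original article): an LLMNR "canary" probe.
A query for a name that cannot exist should get no answer, so any host that
answers it is claiming a resource it does not own, i.e. the poisoning described
above. Packet layout per RFC 4795. Names and IPs are constructed for illustration."""
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # IPv4 multicast group/port (RFC 4795)
QTYPE_A = QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Encode 'host' or 'host.local' as length-prefixed DNS labels plus a 0 byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        assert 0 < len(raw) < 64, "label length must be 1..63"
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """LLMNR query: 12-byte header with QDCOUNT=1, then one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def decode_name(buf: bytes, off: int):
    """Decode a name (compression pointers allowed); return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = buf[off]
        if (ln & 0xC0) == 0xC0:  # pointer: 14-bit offset into the packet
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(buf: bytes) -> dict:
    """Return txid, echoed question name and all A answers of an LLMNR reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, qname, answers = 12, "", []
    for _ in range(qd):
        qname, off = decode_name(buf, off)
        off += 4  # skip QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(buf[off:off + 4])))
        off += rdlen
    return {"txid": txid, "qname": qname, "answers": answers}

def suspicious_responders(canary: str, txid: int, replies) -> list:
    """replies: iterable of (src_ip, udp_payload). Return sources that answered the canary."""
    hits = []
    for src_ip, raw in replies:
        try:
            r = parse_response(raw)
        except (ValueError, IndexError, struct.error):
            continue  # malformed, or a query rather than a response
        if r["txid"] == txid and r["qname"].lower() == canary.lower() and r["answers"]:
            hits.append((src_ip, r["answers"]))
    return hits

def sample_poisoned_reply(txid: int, name: str, ip: str) -> bytes:
    """Constructed test fixture: an answer to our canary (QR set, question echoed,
    one A record whose owner name is a 0xC00C pointer back to the question)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    return header + question + answer + socket.inet_aton(ip)

def probe(canary: str, timeout: float = 2.0):
    """Send one canary query to the multicast group and collect the unicast replies."""
    txid, replies = secrets.randbelow(0x10000), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        s.settimeout(timeout)
        s.sendto(build_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = s.recvfrom(4096)
                replies.append((src, data))
        except socket.timeout:
            pass
    return txid, replies

if __name__ == "__main__":
    canary = "llmnr-canary-" + secrets.token_hex(3)  # a name nobody legitimately owns
    txid, replies = probe(canary)
    for src, answers in suspicious_responders(canary, txid, replies):
        print(f"ALERT: {src} answered LLMNR for non-existent name {canary}: {answers}")
```

Because LLMNR is link-local, the probe only sees the subnet it runs on, so it has to be scheduled once per VLAN; it needs no privileges beyond opening a UDP socket, and its ALERT lines can be shipped to whatever log pipeline you already have. The durable fix is to stop clients from falling back to multicast at all: turn off LLMNR with the "Turn off multicast name resolution" policy (Computer Configuration > Administrative Templates > Network > DNS Client) and disable NetBIOS over TCP/IP on each adapter, so that neither LLMNR nor NBT-NS poisoning has anything to answer.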
In this article I'll demonstrate the attack on my local Active Directory lab running on VMware. I am using Windows Server 2016 as the domain controller along with a Windows 10 Enterprise machine for the domain user.
The first step is to turn on Responder on the attacker machine.
responder -dwv -I eth0
Responder is a tool used for LLMNR and NBT-NS poisoning. As we can see above, it is listening for incoming events. This is where we will receive the captured NTLM hashes of the users.
Now, on the user machine, I will request the resource by entering the IP of the attacker machine (for demonstration purposes).
Upon sending the request, we receive the following pop-up.
Now, if we check Responder, we will see the NTLMv2 password hash of the user.
Now we can crack this password hash using Hashcat as follows. The time required to crack the password depends on its complexity and on the hardware you are using.
To crack the password with Hashcat, copy the obtained hash into a text file and use the following command to start the cracking process.
hashcat -m 5600 hash.txt rockyou.txt
Here mode 5600 is the Hashcat mode for NTLMv2 hashes. You can learn more about it by visiting https://hashcat.net/wiki/doku.php?id=example_hashes
After cracking the password, the attacker has obtained valid credentials and can use them for lateral movement in the domain.
This was it for this write-up and I hope you find it worth your time. Stay tuned for more upcoming technical write-ups!