❎
wiki.hackerlab.cz
  • About me
  • Vulnerability Assessment
  • CLOUD PENTESTING
    • AWS
    • Microsoft Azure
  • REST API - Bypasses and Privilege Escalations
  • Web Pentesting
    • LDAP Injection
    • Django ORM Exploitation
    • HTTP Request Smuggling
    • Server Side Template Injection (SSTI)
    • Insecure Deserialization
    • Brute force
    • Shell Fu - Oneliners
    • CORS
    • Special Chars & NULL Bytes
    • XSS
    • XXE
    • Nuclei
    • SQL Injection
    • Blind SQL Injection
    • SQLmap
    • NoSQL Injection
    • CRLF Injection
    • Input Validation - Fuzz1
    • HTTP Headers - X-Forwarded
    • Log4j
    • Enumeration with Wordlists
    • Bug Bounty - Web Recon
    • HTTP Proxy Override
    • CSV Injection
    • Windows Forbidden File Names
    • Path Traversal
    • OS Command Injection
    • Open Redirect
    • JWT Token
    • Burp Extensions - TokenJAR & ATOR
    • Upload RCE
    • GUID and UUIDs
  • Toolset
    • Git - Repo and Tools
    • Docker for Pentesters
  • Infrastructure Pentesting
    • Active Directory (AD)
      • Vulnerable Machines (labs)
      • Pass the hash
      • Azure Active Directory
      • Password Cracking
      • Domain Enumeration
      • LLMNR Poisoning with Responder
      • HTB Forest
      • LDAP
      • WinRM
      • SMB & RPC Enumeration
      • SMB Relay
      • Impacket
      • Bloodhound
      • OWA Exchange Server 2019
      • Active Directory Web Services (ADWS)
      • Active Directory Attacks
    • Mail Server Attacks
    • NFS Enumeration
    • Windows PostExploitation
      • Windows Enumeration
      • Powershell Payloads
      • Add RDP Account & Ride on Meterpreter
    • Dump File Analysis
  • Other Pentest Projects
    • Security Projects
  • WIFI Pentesting
    • Kali Linux - Alpha card AWUS 1900 (VirtualBox)
    • Active Card & Monitor Mode
    • Aircrack-ng Suite
  • Certs
    • Burp Suite Certified Practitioner
  • Linux
    • Network Manager
  • Books
    • The Hacker Playbook 3
Powered by GitBook
On this page
  • LLMNR Protocol
  • Attack
  • Remediation

Was this helpful?

  1. Infrastructure Pentesting
  2. Active Directory (AD)

LLMNR Poisoning with Responder

Link-Local Multicast Name Resolution - Respond to a service with a username and password hash

PreviousDomain EnumerationNextHTB Forest

Last updated 3 years ago

Was this helpful?

LLMNR Protocol

Attack

Run responder in the morning and at lunchtime when users log on and log off. The responder is part of Impacket python library. 

python /usr/share/responder/Responder.py -I eth0 -rdw -v

The responder is listening for events related to protocols LLNMR, NBT-NS, and DNS/MDNS. It also spins up many services to attract targets, for example, HTTP, WPAd, SMB, SQL, LDAP, RDP, and so on.

Wait for responses, grab the NTLMNv2 hashes, and crack them using the hashcat.

hashcat -m 5600 gathered-ntlmn-hashes.txt wordlist.txt

Remediation

Disable LLMNR and NetBIOS-NS, use a strong passwords which are hard to crack >14

LogoSecurity Concerns for NetBIOS and LLMNR Protocols | Crowe LLPCroweUSA