In this article, nosotros volition demonstrate you lot how the default demeanor of Microsoft Window's refer resolution services tin travel abused to bag authentication credentials.
If a windows customer cannot resolve a hostname using DNS, it volition utilisation the Link-Local Multicast Name Resolution (LLMNR) protocol to inquire neighbouring computers. LLMNR tin travel used to resolve both IPv4 in addition to IPv6 addresses.
If this fails, NetBios Name Service (NBT-NS) volition travel used. NBT-NS is a similar protocol to LLMNR that serves the same purpose. The brain divergence betwixt the 2 is NBT-NS industrial plant over IPv4 only.
On these occasions when LLMNR or NBT-NS are used to resolve a request, whatsoever host on the network who knows the IP of the host existence asked most tin reply. Even if a host replies to 1 of these requests alongside wrong information, it volition soundless travel regarded every bit legitimate.
H5N1 number of attack tools select been developed which volition reply to all of these queries inwards the hope of receiving sensitive information. Responder, developed past times Trustwave SpiderLabs, is 1 of these tools that tin respond LLMNR in addition to NBT-NS queries giving its ain IP address every bit the goal for whatsoever hostname requested.

Using Responder

To demonstrate the attack, nosotros volition travel using Kali Linux to bag the credentials of a Windows 7 user. Kali has Responder pre-installed in addition to tin travel establish at the directory “/usr/share/responder/”.
By typing “responder –h” nosotros tin come across a listing of options available:
# responder -h  Options:    --version             demonstrate program's version number in addition to leave of absence    -h, --help            demonstrate this assist message in addition to leave of absence    -A, --analyze         Analyze mode. This pick allows you lot to come across NBT-NS,                          BROWSER, LLMNR requests without responding.    -I eth0, --interface=eth0                          Network interface to utilisation    -b, --basic           Return a Basic HTTP authentication. Default: NTLM    -r, --wredir          Enable answers for netbios wredir suffix queries.                          Answering to wredir volition probable intermission materials on the                          network. Default: False    -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.                          Answering to domain suffixes volition probable intermission materials                          on the network. Default: False    -f, --fingerprint     This pick allows you lot to fingerprint a host that                          issued an NBT-NS or LLMNR query.    -w, --wpad            Start the WPAD rogue proxy server. Default value is                          False    -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY                          Upstream HTTP proxy used past times the rogue WPAD Proxy for                          outgoing requests (format: host:port)    -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file                          retrieval. This may crusade a login prompt. Default:                          False    --lm                  Force LM hashing downgrade for Windows XP/2003 in addition to                          earlier. Default: False    -v, --verbose         Increase verbosity.
For our first demonstration, the only arguments nosotros demand to provide to Responder are the interface nosotros want to run it on:
# responder –I eth0
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
With this running, if a customer instantly tries to resolve a refer non inwards the DNS, our instance of Responder should toxicant the LLMNR in addition to NBT-NS requests that are sent out.
Now on a Windows 7 machine, nosotros volition asking a network resources that does non be inside our DNS. For this example, nosotros volition utilisation the file explorer in addition to asking access to a network resources “\\fielshare”.

 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
If a user accidentally typed this instead of a legitimate hostname inwards the DNS which could travel “\\fileshare” Responder should order that its IP is the place of “fielshare”. The Windows 7 machine volition so seek to connect to “\\fielshare” using SMB which it believes is located on the Kali host. The SMB procedure volition send the Windows 7 username in addition to hashed password to the Kali host.
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using ResponderAbove, you lot tin come across Responder has sent a poisoned respond to the LLMNR asking sent past times our Windows 7 machine for the refer “fielshare”. The Windows 7 machine so tried to connect to our rogue SMB server, thinking it was the host “fielshare” in addition to thus provided their username in addition to hashed password.
If nosotros hold off at the packets, nosotros tin come across each pace of the process:
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
In bundle number nine nosotros tin come across the Windows 7 machine (192.168.1.101) sending a multicast question using the LLMNR protocol to resolve the refer “fielshare”. Packet xi shows the Kali machine (192.168.1.102) responding in addition to maxim fielshare tin travel establish at 192.168.100.102, its ain IP address.
Packet seventeen so shows the Windows 7 host sending a SMB connecter request. From packets xix in addition to twenty-one to twenty-nine you lot tin come across the SMB process. The Windows 7 host is supplying their credentials to the Kali host inwards bundle twenty-three.
This type method of laid on volition solely run if the hostname that the customer wants to connect to cannot travel resolved past times DNS.

WPAD

H5N1 to a greater extent than reliable agency to larn usernames in addition to password hashes is through the WPAD protocol. If a browser is configured to automatically regain proxy settings, so it volition brand utilisation of WPAD protocol to seek in addition to locate in addition to download the wpad.dat Proxy Auto-Config (PAC) file. H5N1 PAC file defines proxy servers that a spider web browser should utilisation for dissimilar URLs.
The WPAD protocol industrial plant through attempting to resolve the hostname "wpad"through a serial of refer requests. Further data on why this tin travel a safety number tin travel establish at https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol#Security.
By default, Internet Explorer has WPAD enabled:

 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
Google Chrome in addition to Firefox are configured past times default to utilisation the systems settings for locating the PAC file:
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
Responder has back upwardly for poisoning WPAD requests in addition to serving a valid wpad.dat PAC file.
For this minute demonstration nosotros utilisation the next arguments for Responder:
# responder -I eth0 -wF
Now when a user on the local network uses Internet Explorer, the browser should fetch the wpad.dat file from Responder. Because nosotros supplied the declaration –F, Responder volition also forcefulness the customer to authenticate when they seek to asking the wpad.dat file. Sneaky, huh?
As our Responder laid on is performed from the local network, Internet Explorer should recognise the service every bit existence inwards the Intranet safety zone in addition to automatically provide the user’s credentials without whatsoever prompt from the user. Google Chrome volition also automatically produce this nevertheless Firefox prompts the user to manually travel inwards their credentials, something to send inwards heed if you lot are testing a network that has Firefox users.
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder Firefox does non automatically provide Windows credentials
If successful, the Responder output volition hold off similar below:
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
Here you lot tin come across Responder is answering the asking from the Windows host for the refer “wpad” alongside its ain IP every bit the location. It has also logged that it has sent the WPAD file to the Windows 7 host at 192.168.100.101.
Again, Wireshark tin travel used to farther analyse the procedure pace past times step:
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
The outset highlighted department shows the LLMNR question for the host “wpad” existence sent past times the Windows 7 host in addition to answered past times the Kali host running Responder. The final highlighted department shows the Windows 7 host getting the wpad.dat file past times providing their credentials to the Kali host.
On both of the higher upwardly occasions, the captured hashes are output into the logs file of Responder (/usr/share/responder/logs).
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
In the higher upwardly image, you lot tin come across nosotros select captured hashes from both the SMB in addition to HTTP illustration that was only shown. Since they incorporate the hashed password of the same user (user2) it doesn’t actually thing which 1 nosotros use.
I’m going to utilisation the “SMB-NTLMv2-SSP-192.168.100.101.txt” file. For demonstration, the password cracker john is going to travel used alongside the “rockyou.txt” wordlist. The next ascendency volition travel used:
# john SMB-NTLMv2-SSP-192.168.100.101.txt –wordlist=/usr/share/wordlists/rockyou.txt
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
Since the password was inwards the wordlist, the password hash was cracked successfully.
In our sense of using this technique during penetration testing engagements, nosotros select real oftentimes captured in addition to cracked credentials for Domain Admin accounts, leading to rapid compromise of the entire Active Directory domain in addition to its resources. One farther argue why administrators should non utilisation privileged accounts for non-administrative activities such every bit Internet browsing.

The Solution

To mitigate this laid on from potentially happening inwards your local network domain, it is best to disable LLMNR in addition to NBT-NS. Note that inwards the higher upwardly laid on scenarios, these protocols were solely used when no DNS entries existed for the queries. Providing your DNS server resolves the names that demand to travel establish inwards your network, the other protocols produce non demand running.
If your network environs includes computers running Windows versions 2000 in addition to earlier, NBT-NS may demand to remain enabled (see https://technet.microsoft.com/en-us/library/cc728457(v=ws.10).aspx). Mind you, if this is the case, you've got a whole charge of other safety considerations!

Disabling LLMNR

To disable LLMNR inwards your domain for DNS clients, opened upwardly gpedit.msc.
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.
Locate the pick “Turn off multicast refer resolution” in addition to click “policy setting”:
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
Once the novel window opens, enable this option, press Apply in addition to click OK:
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder

Disabling NBT-NS

One pick for disabling NBT-NS is to utilisation DHCP orbit options.

If using Microsoft's DHCP server, select the orbit that you lot desire to disable NBT-NS for. Right click “Scope Options” in addition to click “Configure Options”. In the illustration below, the DHCP orbit inwards which I desire to disable NBT-NS for is 192.168.1.100.
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder
In the Scope Options window, navigate to the advanced tab, alter the drib downward window to “Microsoft Windows 2000 Options”:
 nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using ResponderSelect the pick “001 Microsoft Disable Netbios Option” from the listing in addition to alter its value to “0x2”, click Apply in addition to so OK:
nosotros volition demonstrate you lot how the default demeanor of Microsoft Window LLMNR in addition to NBT-NS Poisoning Using Responder

WPAD

To mitigate against the WPAD attack, you lot tin add together an entry for "wpad" inwards your DNS zone. Note that the DNS entry does non demand to signal to a valid WPAD server. As long every bit the queries are resolved, the laid on volition travel prevented.