Stealing Accounts: LLMNR and NBT-NS Spoofing

What are LLMNR and NetBIOS-NS? They’re both methods of resolving hostnames to IP addresses. On your network, if you try to contact a system by name, DNS will be used first, but if that fails LLMNR will be attempted, followed by NetBIOS. LLMNR is the successor to NetBIOS and it supports IPv6 and multicast addresses.

If a user tries to access a system and it cannot be resolved (for example the user mistypes the address) then an LLMNR/NetBIOS request will be sent over multicast or broadcast respectively. An attacker can respond to these requests and cause the victim to connect to the attacker’s machine.

Metasploit

As always, the Metasploit Framework comes to the rescue with two modules to spoof/poison LLMNR and NetBIOS requests, those are:
auxiliary/spoof/llmnr/llmnr_response
auxiliary/spoof/nbns/nbns_response
However these modules will only cause the victim’s machine to connect to the attacker and won’t capture password hashes on their own, so they should be combined with these two that will!
auxiliary/server/capture/smb
auxiliary/server/capture/http_ntlm
Start the two auxiliary modules, which will run as background jobs, then start at least one of the capture modules (you can run both together), but remember to set an output file to make things easy:
set JOHNPWFILE /tmp/smbhashes.john
The next step is just patience! Wait a little while and your .john file will be filled with hashes from vulnerable machines – these can be cracked with John the Ripper.

Responder

There’s an alternative tool to Metasploit, since it’s always good to have a plan B. That comes in the form of Responder, a simple automated tool available from here: https://github.com/SpiderLabs/Responder
It’s not hard to get running, and it’s simple and feature packed, supporting LLMNR, NetBIOS and MDNS poisoning as well as rogue HTTP/SMB/MSSQL/FTP/LDAP servers. Which modules are enabled or disabled can all be configured from within Responder.conf, but if you just want to get it up, running and poisoning for you, just run:
python Responder.py -i local-ip -I interface
example: python Responder.py -i 192.168.1.77 -I enp0s20
Once it captures a hash it’ll display it to stdout for you!

Defending Against LLMNR and NBT-NS Poisoning

Generally speaking LLMNR and NetBIOS-NS are not required on networks and can be disabled, effectively preventing this attack. However it must be disabled on each machine on the network. So here’s the easiest way I could find to do this:

Disable LLMNR

LLMNR can be disabled estate wide through group policy:
Open Group Policy editor: Start -> Run -> gpedit.msc
Navigate to DNS Client: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client
Set “Turn Off Multicast Name Resolution” to Enabled.

Disable NetBIOS

A lot of blogs and article sites offer a very manual method of disabling NetBIOS which involves reconfiguring each interface of each machine on the network. As an alternative, the following script can be set as a startup script across all machines on the network and effectively disables NetBIOS over TCP/IP on each interface automatically on system startup:

Disable NetBT on boot – you can use group policy to set the following PowerShell script to run on boot:
set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2
If you don’t have PowerShell available then the following VBS can do it too:
WScript.Echo "[ ] Disabling NetBIOS on All Interfaces"

' StdRegProv lives in the root\default WMI namespace; &H80000002 is HKEY_LOCAL_MACHINE
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
objWMI.EnumKey &H80000002, "SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces", arrSubKeys

If IsNull(arrSubKeys) Then WScript.Quit

WScript.Echo "[*] Searching for Network Adapters."
For Each Adapter In arrSubKeys
    WScript.Echo "[+] Disabling NetBT on " & Adapter
    ' NetbiosOptions = 2 disables NetBIOS over TCP/IP on that interface
    objWMI.SetDWORDValue &H80000002, "SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\" & Adapter, "NetbiosOptions", 2
Next

WScript.Echo "[+] DONE: Disabling NetBIOS on All Interfaces"
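
Because both settings have to be in place on every machine, it helps to verify them after rollout. The following read-only audit is an added example, not part of the original post: it checks the registry value that the "Turn Off Multicast Name Resolution" policy writes (EnableMulticast under the DNSClient policy key) and the NetbiosOptions value on each NetBT interface. The function name Get-NameResolutionHardening is hypothetical.

```powershell
# Added example: audit whether the two mitigations above are in effect on this host.
# Read-only; it changes nothing. Get-NameResolutionHardening is a hypothetical name.
function Get-NameResolutionHardening {
    # "Turn Off Multicast Name Resolution" = Enabled is stored as EnableMulticast = 0.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $multicast = (Get-ItemProperty -Path $policyKey -Name EnableMulticast `
                    -ErrorAction SilentlyContinue).EnableMulticast

    [pscustomobject]@{
        Check     = 'LLMNR'
        Target    = $policyKey
        Value     = $multicast
        Compliant = ($multicast -eq 0)   # a missing value ($null) means the policy is not applied
    }

    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $netbtKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            $opt = $_.GetValue('NetbiosOptions')
            [pscustomobject]@{
                Check     = 'NetBT'
                Target    = $_.PSChildName
                Value     = $opt
                Compliant = ($opt -eq 2)
            }
        }
}

$results = @(Get-NameResolutionHardening)
$results | Format-Table -AutoSize

# A non-zero exit code lets a startup script or monitoring agent flag the host.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it as a script file rather than pasting it into an interactive console, since the final `exit` closes the session it runs in.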