LLMNR Poisoning (Internal)

Note: Network Environment

Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or plant a device on the LAN.

What is LLMNR?

A way to resolve hostnames on the same LAN when DNS is not available.

A host queries the local DNS server for a particular hostname
The DNS server responds NXDOMAIN meaning the hostname was not found
The host then sends a broadcast on the link-local multicast address to ask its fellow LAN members if they know

What's the Flaw?

Because LLMNR is a layer-2 broadcast, all hosts on the LAN are going to receive it. That means that an attacker with access to the LAN is going to be able to intercept this broadcast and reply to the broadcast with a spoofed address.

Wireshark Analysis

Facts to Know
- 10.80.80.2 is the Domain Controller and DNS resolver
- 10.80.80.3 and fe80::53d4:c100:1a21:44ac are the SMB client's IPv4 and IPv6 (link-local) addresses
- 10.80.80.5 and fe80::17a7:ffc9:bab0:61aa are Kali's IPv4 and IPv6 (link-local) addresses
Traffic Analysis
- Frame 1 shows the SMB client asking the DNS server what is the IP address for johnspc.ad.lab
- Frame 2 shows the DNS server responding that the hostname doesn't exist
- Frames 7-10, show the SMB client send a LLMNR broadcast for a A (IPv4) and AAAA (IPv6) lookup for the hostname, johnspc
- Frames 12 & 14 are responder running on Kali spoofing that johnspc is at 10.80.80.5 -- where 10.80.80.5 is Kali's IP address.
- Frames 19, 22, 23, 27, and 28 show the SMB client establishing an SMB session with Kali's IPv6 address

How is it Exploited?

Capturing NetNTLMv2 Hashes

As we've seen in the PCAP analysis above, using a tool like responder, the attacker can act as a man-in-the-middle to achieve multiple objectives:

Capture LLMNR broadcasts on the LAN
Spoof the IP address of invalid hostnames
Host a false SMB server to which clients will connect and reveal their NetNTLMv2 hashes

Relaying NetNTLMv2 Hashes

The attacker can turn this attack up a notch by coupling responder with other tools such as ntlmrelayx.

ntlmrelayx will be hosting a few of the false servers, so they should be disabled in responder
Then, responder spoofs the IP address for the invalid hostname
The client connects and ntlmrelayx passes the captured NetNTLMv2 hashes around the network to see what other servers / shares scan be accessed with this credential

Mitigations

LLMNR Poisoning

Disable LLMNR as a protocol on the network

NetNTLMv2 Relaying

Enable and require SMB signing on all Windows hosts

The Attack

Various responder modules can be enabled/disabled in the configuration file: /etc/responder/Responder.conf

# Using -v with responder allows for continuous display of hashes
# Where the default behavior is to only display a captured hash once
sudo responder -I <interface-name> -dvw

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

LLMNR Poisoning (Internal)

Note: Network Environment

What is LLMNR?

What's the Flaw?

How is it Exploited?

Capturing NetNTLMv2 Hashes

Relaying NetNTLMv2 Hashes

Mitigations

LLMNR Poisoning

NetNTLMv2 Relaying

The Attack