
LLMNR Poisoning

Definition

LLMNR poisoning is an attack that abuses the Link-Local Multicast Name Resolution protocol, the fallback Windows uses when DNS cannot resolve a name, to answer those name-resolution queries with an attacker-controlled host, redirecting network traffic for unauthorized access or data theft.

LLMNR poisoning steps:

1. A machine tries to connect to a non-existent SMB share and the DNS lookup fails.

2. The machine sends an LLMNR broadcast request to find the share. This is the request we intercept.

3. Our running tool answers, claiming it can connect the machine to the share if the machine hands over its credentials.

4. We get some users' NTLMv2 hashes.
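The sequence above is also what a defender can watch for: any host that answers an LLMNR query for a name that should never resolve is a poisoner. The following Python is an added example, not part of this write-up or of Responder; it builds an LLMNR query for a decoy name (orb-cd, a hypothetical name chosen to match the mistyped share used later), constructs the shape of forged A-record answer a poisoner returns (10.0.0.66 is a made-up address), and checks a received response for that tell-tale answer.

```python
import struct
import ipaddress

# Constructed decoy: a host name that must never resolve on the network (hypothetical).
DECOY_NAME = "orb-cd"

def encode_name(name: str) -> bytes:
    """Encode a host name as LLMNR/DNS labels (RFC 4795 reuses the DNS wire format)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def decode_name(buf: bytes, off: int):
    """Decode labels at offset `off`, following a DNS compression pointer if present."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            labels.append(decode_name(buf, ((n & 0x3F) << 8) | buf[off])[0]); off += 1
            break
        labels.append(buf[off:off + n].decode()); off += n
    return ".".join(labels), off

def build_query(txid: int, name: str) -> bytes:
    """LLMNR query: DNS-style header (id, flags, qd, an, ns, ar) + one A/IN question."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_poisoned_answer(txid: int, name: str, ip: str) -> bytes:
    """Shape of a forged answer a poisoner sends: QR bit set, question echoed, one A record."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + question + rr

def check_response(resp: bytes, expected_txid: int, decoy: str):
    """Return (poisoner_seen, answered_ip). Any A answer for the decoy name is a poisoner."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid or not flags & 0x8000 or an == 0:
        return False, None
    qname, off = decode_name(resp, 12); off += 4  # skip QTYPE/QCLASS of the echoed question
    if qname.lower() != decoy.lower():
        return False, None
    _, off = decode_name(resp, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10]); off += 10
    if rtype != 1 or rdlen != 4:
        return False, None
    return True, str(ipaddress.IPv4Address(resp[off:off + 4]))
```

A listener that only ever queries a decoy name gives a low-noise alert for poisoners on a segment; the lasting fix is still to turn off LLMNR (the "Turn off multicast name resolution" Group Policy setting).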

Proof of Concept

MITM with Responder

First, we need to set up https://github.com/lgandx/Responder. In our case we'll use the following parameters:

responder -I ens33 -dwPv

<aside> 💡 Note: Responder needs to be running as root

</aside>

<aside> 💡 Note: In this use case, all server and poisoner listeners should be on.

</aside>


Then, when an event occurs, we can catch some hashes. An event can be as simple as someone mistyping a share name. In this example, we simulated it by trying to access ORB-CD instead of ORB-DC.

Target trying to connect to a nonexistent share

Captured NTLMv2 hash

Password Cracking with Hashcat

Now that we have credentials, we can try to crack them. For now, let's use https://github.com/hashcat/hashcat. The Hashcat mode for NTLMv2 is 5600. We can find it by running hashcat --help | grep -i "NTLM" or by taking a look at their site linked below.

Now we can store the previous hash in a file and crack it:

hashcat kisaka.hash -m 5600 /usr/share/wordlists/rockyou.txt


Some options and wordlists may be more relevant: