The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
ARP poisoning
DNS spoofing
DHCP poisoning
DHCPv6 spoofing
WSUS spoofing
LLMNR, NBT-NS, mDNS spoofing
ADIDNS poisoning
WPAD spoofing
MS-EFSR abuse (PetitPotam)
MS-RPRN abuse (PrinterBug)
MS-FSRVP abuse (ShadowCoerce)
MS-DFSNM abuse (DFSCoerce)
PushSubscription abuse
WebClient abuse (WebDAV)
🛠️ NBT Name Overwrite
🛠️ ICMP Redirect
🛠️ Living off the land
NTLM
Kerberos
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
LLMNR, NBT-NS, mDNS spoofing
MITRE ATT&CK™ Sub-technique T1557.001
In some environments (like Windows ones), multicast name resolution protocols are enabled by default, such as LLMNR (Local-Link Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (multicast Domain Name System). Those environments can fallback to those protocols when standard domain name resolution protocols fail. Windows systems attempt to resolve names in the following order: DNS, LLMNR and NBT-NS.
Attackers can then answer those multicast or broadcast queries. The victims are then redirected to the attacker asking them to authenticate in order to access whatever they ask for. Their authentication is then relayed.
Responder (Python) and Inveigh (Powershell) are great tools for name poisoning. In addition to name poisoning, they also have the ability to start servers (listeners) that will capture authentications and echo the NTLM hashes to the attacker.
UNIX-like
Windows
The following command will make Responder analyze the network to see if LLMNR, NBT-NS and mDNS are used, and to inspect BROWSER requests.
responder --interface "eth0" --analyze
responder -I "eth0" -A
The following command will start LLMNR, NBTS and mDNS spoofing. Name resolution queries for the wpad server will be answered just like any other query. Fake authentication servers (HTTP/S, SMB, SQL, FTP, IMAP, POP3, DNS, LDAP, ...) will capture NTLM hashes.
responder --interface "eth0"
responder -I "eth0" -A
The following command will make Inveigh inspect the network to see if LLMNR, NBT-NS and mDNS are used.
Invoke-Inveigh -ConsoleOutput Y -Inspect
The following command will start LLMNR, NBTS and mDNS spoofing. Name resolution queries for the wpad server will be answered just like any other query. Fake authentication servers (HTTP/S, SMB, DNS, LDAP, ...) will capture NTLM hashes (even from machine accounts) and set the Challenge to 1122334455667788 (to crack NTLM hashes with crack.sh).
Inveigh also starts a WPAD rogue proxy server by default for WPAD abuse.
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y
Flags like -ADIDNS, -ADIDNSForest, -ADIDNSCleanup, -ADIDNSThreshold and more can be set to combine LLMNR, NBT-NS and mDNS spoofing with ADIDNS spoofing.
This wiki page can be really useful to help master Inveigh and its support functions
  • Clear-Inveigh to clear the $inveigh hashtable
  • Get-Inveigh to get data from the $inveigh hashtable
  • Stop-Inveigh to stop all running Inveigh modules
  • Watch-Inveigh to enable real time console output

References

Protocoles NBT-NS, LLMNR et exploitation des failles - Rémi VERNIER
Rémi VERNIER
Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern Security
Stern Security
Previous
WSUS spoofing
Next
ADIDNS poisoning
Last modified 5mo ago
Copy link