War Room

Shells from above

RSM logo

Home > Back to Basics > Back to Basics: LLMNR and NBT-NS Spoofing

Back to Basics: LLMNR and NBT-NS Spoofing

By

After performing initial network reconnaissance and enumeration in a penetration test, there are a vast number of potential pathways into obtaining an initial foothold in a targeted network that can be overwhelming to a pen tester. One of the most basic, but tried and true initial attack vectors that I’ve seen utilized in penetration tests is performing Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Services (NBT-NS) spoofing.

In this “Back to Basics” post, we’ll run over how to perform LLMNR/NBT-NS spoofing and actions that can be taken to prevent this attack from being performed. Videos are included in both sections of this post that demonstrate these actions being performed in real-time.

What is LLMNR and NBT-NS Spoofing?

Prior to performing this spoofing attack, basic network reconnaissance and enumeration actions have to be performed wherein network traffic is analyzed. This can be achieved through using a variety of publicly available scripts and tools, such as MASSCAN or Nmap for scanning or Wireshark to capture local network traffic.

When analyzing this network traffic, it is often revealed that an organization may be using a variety of communication protocols including LLMNR, NBT-NS, and IPv6 (to be covered in a future blog post), all of which can be exploited by a threat actor in spoofing and poisoning attacks. When LLMNR and NBT-NS are detected, a spoofing attack can be performed, which can allow us to capture password hashes.

The LLMNR and NBT-NS protocol are often enabled by default on Windows-operating systems and are used to perform name resolution for the names of remote systems on the network that do not have a Domain Name Service (DNS) server or DNS client configuration. When a system cannot resolve a host name using the local host file or through a DNS request, systems using LLMNR and NBT-NS will broadcast a request on local subnetworks, requesting IP addresses of specific hosts. A threat actor (or in this case, penetration tester) could then intercept these broadcasts and respond and claim to be the resource in question. Victim systems may then attempt to authenticate to the attacker system and transmit hashed credentials in the process.

If the hashed credentials provided are weak due to a weak password policy or if an attacker has enough time, the plaintext value of the password hash can be derived through offline bruteforce attacks. This results in the attacker obtaining a valid set of user credentials and therefore, some sort of access to the domain.

Obtaining Password Hash
Hash Obtained

How to Perform LLMNR/NBT-NS Spoofing:

The first step in LLMNR/NBT-NS spoofing attack is to understand the internal network. It is crucial that you understand the environment you are working in. This can be done by using a packet analyzer such as Tcpdump or Wireshark and filtering specifically for the LLMNR and NBT-NS protocols.

Using tcpdump to Identify LLMNR and NBT-NS
Using tcpdump
Filtered tcpdump Results Revealing LLMNR in Use
Filtered Results Revealing LLMNR in Use
Filtered Results Revealing tcpdump NBT-NS in Use
Filtered Results Revealing NBT-NS in Use

After verifying that LLMNR and NBT-NS are being used in the organizations network, the following steps can be performed to exploit it:

  1. First, search for hosts that have SMB signing disabled or have SMB signing enabled but not required. These hosts will then be used with the Python script ntlmrelay.py later in the attack.
    Identifying Hosts Using SMB Misconfigurations
    Identifying Hosts Using SMB Misconfigurations
    Identifying Hosts Using SMB Misconfigurations
    Identifying Hosts Using SMB Misconfigurations
  2. Prior to using Responder in conjunction with ntlmrelayx.py, the Responder.cong file should be modified to disable the SMB and HTTP servers. Examples of using Responder and ntlmrelay.py can be found here.
    Configuring Responder to disable SMB and HTTP
    Configuring Responder
  3. In one terminal, set up and run ntlmrelayx.py and while setting up a terminal to execute this script, utilize another separate terminal to set up and run Responder.
    Running ntlmrelayx.py
    Running ntlmrelayx.py
    Running Responder
    Running Responder
  4. By using these tools in conjunction, Responder will begin poisoning LLMNR and NBT-NS Protocols. The ntlmrelayx.py script will receive the relayed poisoned answers from Responder and, when possible, capture hashes on vulnerable hosts.
    Responder Poisoning the LLMNR and NBT-NS Protocols
    Responder Poisoning the LLMNR and NBT-NS Protocols
    Obtaining User Hashes
    Obtaining User Hashes

How to Remediate the Issue

To successfully address this attack vector, LLMNR and NBT-NS must be disabled within the network.

To disable LLMNR on Microsoft Windows via Group Policy, create a New or Update an existing Group Policy and Edit accordingly:

  1. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
  2. In the DNS client folder, double-click on Turn Off Multicast Name Resolution and set it to Enabled.

To disable NetBIOS Naming Services on a workstation by workstation basis (this can be automated via a Powershell script):

  1. Open the Control Panel.
  2. Under Network and Internet, click View Network Status and Tasks.
  3. Click Change Adapter Settings.
  4. Right-click on Local Area Connection and then click Properties.
  5. Double-click on Internet Protocol Version 4

Special thanks to Hunter Ezzell for providing step-by-step instructions and AJ Hammond for providing video, screenshots, and reviewing the article for accuracy.