LLMNR and NetBIOS-NS Spoofing with Responder
Published: 12 April 2020
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.
Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.
Responder is very simply to use and includes a sensible default configuration meaning that it can be run by simply including the “-I” flag and setting the name of the network interface to run on:
At this point, just wait! If a user mistypes a machine name, if the DNS server is temporarily unavailable, or if there's another similar DNS failure then users will begin to multicast their name requests and Responder will intercept them. If the credentials are sent in plaintext they will be displayed to the screen, or more likely, you'll receive hashed credentials for something like a file-share connection:
At this point, these credentials could be cracked using a common tool like John the Ripper or Hashcat. If you need to crack them very quickly, then our post on Hashcracking with AWS could help!
Posts broken down by category
Articles concentrating on network and operating system level attacks.
Articles covering attacks against web applications and their associated APIS.
Articles concentrating on past data breaches, looking for lessons learned.
Articles covering breaking into wireless networks and how to keep them safe.