LLMNR & NBT-NS Poisoning: How to Capture and Crack NTLMv2 Hashes for Domain Access

Listen to this Post

Featured Image

Introduction:

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are protocols used in Windows networks for hostname resolution. Attackers can exploit these protocols to intercept authentication traffic, capture NTLMv2 hashes, and gain initial access to a domain. This article demonstrates how to perform LLMNR/NBT-NS poisoning, crack captured hashes, and secure your network against such attacks.

Learning Objectives:

  • Understand how LLMNR/NBT-NS poisoning works.
  • Learn to use Responder to intercept NTLMv2 hashes.
  • Crack captured hashes using Hashcat to obtain plaintext credentials.

1. Setting Up Responder for LLMNR/NBT-NS Poisoning

Command:

sudo responder -I eth0 -wrf

Step-by-Step Guide:

1. Install Responder:

git clone https://github.com/lgandx/Responder.git 
cd Responder 

2. Run Responder:

– `-I eth0` specifies the network interface.
– `-w` enables WPAD rogue server.
– `-r` enables rogue FTP server.
– `-f` enables fingerprinting.
3. Wait for Hashes: Responder will spoof responses and capture NTLMv2 hashes when users mistype hostnames.

2. Capturing NTLMv2 Hashes

Command:

sudo responder -I eth0 -v

Step-by-Step Guide:

  1. Monitor Traffic: Run Responder in verbose mode (-v) to see real-time hash captures.
  2. Trigger a Request: A victim mistyping a server name (e.g., `\\filesrv1` as \\filesrv) sends a request, and Responder captures the hash.
  3. Save Hashes: Captured hashes are stored in /usr/share/responder/logs/.

3. Analyzing Captured NTLMv2 Hashes

Command:

cat /usr/share/responder/logs/HTTP-NTLMv2-192.168.1.100.txt

Step-by-Step Guide:

  1. Open the captured file to view the hash format:
    username::DOMAIN:1122334455667788:NTLMv2_HASH:1122334455667788
    

2. Extract the hash for cracking.

4. Cracking NTLMv2 Hashes with Hashcat

Command:

hashcat -m 5600 hash.txt rockyou.txt -O

Step-by-Step Guide:

1. Install Hashcat:

sudo apt install hashcat

2. Prepare the Hash File: Save the NTLMv2 hash in hash.txt.

3. Run Hashcat:

– `-m 5600` specifies NTLMv2 mode.
– `rockyou.txt` is a common wordlist.
– `-O` enables optimized cracking.
4. Retrieve Plaintext Password: Once cracked, Hashcat displays the password.

5. Mitigating LLMNR/NBT-NS Poisoning Attacks

Windows Command (Disable LLMNR):

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -Value 0

Step-by-Step Guide:

1. Open Group Policy Editor (`gpedit.msc`).

2. Navigate to:

Computer Configuration → Administrative Templates → Network → DNS Client

3. Disable “Turn Off Multicast Name Resolution”.

  1. Enforcing SMB Signing to Prevent Relay Attacks

Windows Command:

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Step-by-Step Guide:

1. Open PowerShell as Admin.

2. Run the command to enforce SMB signing.

3. Verify with:

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature

7. Monitoring and Detecting LLMNR/NBT-NS Spoofing

SIEM Query (Splunk Example):

index=windows EventCode=4657 OR EventCode=4768 | stats count by src_ip, dest_ip

Step-by-Step Guide:

1. Enable Windows Auditing:

auditpol /set /category:"Account Logon" /success:enable /failure:enable

2. Monitor Event Logs: Look for Event ID 4657 (SMB Auth Failures) or 4768 (Kerberos TGT Requests).

What Undercode Say:

  • Key Takeaway 1: LLMNR/NBT-NS poisoning remains a critical attack vector in internal networks due to default Windows settings.
  • Key Takeaway 2: Cracking NTLMv2 hashes with Hashcat can lead to full domain compromise if weak passwords are used.

Analysis:

Despite being a known attack for years, many organizations still leave LLMNR/NBT-NS enabled, making lateral movement easy for attackers. Defenders must enforce SMB signing, disable unnecessary protocols, and monitor for suspicious authentication attempts.

Prediction:

As AI-powered password cracking improves, attackers will leverage tools like Hashcat with GPU clusters to crack hashes faster. Organizations must adopt multi-factor authentication (MFA) and Windows Hello for Business to mitigate credential theft risks.

By following these steps, security professionals can both exploit and defend against LLMNR/NBT-NS attacks, strengthening their penetration testing and defensive strategies.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jasmine Baptiste – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky