Ataques
Attacking a network using Responder
Analista de seguridad
Actualizado
31 mar 2020
7 min
Link Local Multicast Name Resolution
(LLMNR
) and NetBIOS Name Service
(NBT-NS
) are two name resolution protocols that help Windows
hosts to find address names from other devices on the network. These are Windows
components and are alternate methods of host identification. LLMNR
is based upon the Domain Name System
(DNS
), it uses a simple exchange of request and response messages to resolve computer names on IPV6
or IPV4
addresses.
NBT-NS
uses NetBIOS
to resolve IPV4
addresses by broadcasting a NetBIOS Name Query Request
message to the local subnet broadcast address using the port UDP 137
. The node that owns the queried name then sends back a unicast message to the requestor. If NBT-NS
is disabled then it will need to use DNS
queries to resolve names, and if the network does not have DNS
servers then the names should be in the Hosts
file of the machine.
LLMNR
messages use a similar format to DNS
messages but use UDP port 5355
. It works by sending a LLMNR Name Query Request
message to the multicast address, this multicast address is scoped to prevent a multicast enabler router from forwarding the request outside the requestor subnet. If a host on the subnet is authoritative for the request name it sends a unicast response to the requestor.
As both protocols use broadcast messages to resolve names on the network, an attacker can listen to them and then respond with a spoof of an authoritative source for name resolution as if he knew the requested name. Then with the service poisoned, the victim will continue the communication with the attacker, and if the network resource needs authentication, the victim will send a username and an NTLMv2
hash. Here the attacker can use tools like JohnTheRipper
to crack the credentials and have access to the system. This attack is called LLMNR/NBT-NS Poisoning and Relay
.
Responder lab
To set up our lab we are going to use Hashicorp's
Vagrant; the source files are below. Create a folder with the name requestor
and save the Vagrantfile
there. Also create another folder inside requestor
named provision
and save the file ad.ps1
there.
setting up the lab.
Vagrantfile.
provision/ad.ps1.
Then run the environment using:
vagrant up.
This will create a Windows
machine with Active Directory
installed and configured. At this point, everything we need has been completed and is ready for us to launch an attack.
Now we can set up our attacking machine. Here we are using Kali Linux with Vagrant
too, but you can use whatever OS
you prefer.
These are the tools that we are going to use:
If you are using Kali
, the only thing that needs to be cloned is Responder
.
cloning Responder.
We are ready to go.
Starting the poisoner
The only thing we need to do is to run Responder
as a root. We can do this with the following:
running Responder.
Responder.
Since we are on the same network, it is only a matter of time to get a request from a machine in the subnet. But because our Windows
machine is doing nothing, we will receive nothing.
Capturing credentials
Now let’s act like a normal user in our Windows
machine. Log in as svctest
with the domain sky.net
and password Monkey.123
, then open the start menu and there type run
. In there we are going to look for a name on the network, just type the following:
searching names.
There we will get an error accessing the share, but in our attacker machine we will get the following:
Responder output.

Responder result.
Here we have our hash, they are NTLMv2 hashes
, and there we can also view some information about the server like the OS version and the requested share. With this, we save that user’s hash on a file.
save hash.
And then we crack it using John
, a SecLists
dictionary, and KoreLogic
ruleset. Since NTLMv2
hashes are harder to crack, it could take a while, depending on your system.
John cracking.
John output.
And it’s cracked! Now we can check our access running smbmap
again with our new set of credentials.
samba high privileges.
admin smbmap.
As you can see, we now have administrative access to our server. You can access it by RDP
or retrieve files using SMB
. Also, you can dump the SAM
to get more users and hashes; these last ones are NTLMv1
and easily cracked.
This could be done using the reqtest
account or the vagrant
account. If an attacker does this in an enterprise network, he can capture any number of accounts of the network. Also, there are windows scripts like Inveigh, where we can do more or less the same attack with the same results.
Solution
The remediation for this attack is to disable both LLMNR
and NBT-NS
on all hosts because Windows
defaults to one when the other fails or is disabled. A host based security software that blocks LLMNR/NBT-NS
requests could also be used.
Another way to mitigate this is by having and using a strong credential policy. Passwords must be longer than 20 characters, contain upper and lower case letters, contain symbols and digits, and must not be easy to guess. This means you would be wise to adopt passphrases instead of simple passwords.
This is especially useful when you are dealing with service credentials because they are the ones most targeted. You can also set an alert to notify you when someone is logged in with your most critical and high-privileged users.
If you want more information about strong credentials, you can check our Criteria about them.
Get started with Fluid Attacks' PTaaS right now
Suscríbete a nuestro boletín
Mantente al día sobre nuestros próximos eventos y los últimos blog posts, advisories y otros recursos interesantes.
Otros posts