Throwback — Part 3 — LLMNR Poisoning

In this article I will show you how to retrieve the password of PetersJ by performing LLMNR poisoning.

What is LLMNR Poisoning?

LLMNR (Link-Local Multicast Name Resolution) is a protocol used for name resolution in a Windows network. If a computer cannot resolve a hostname through its DNS server, it tries to obtain the IP address for that hostname with LLMNR by asking all hosts on the local network segment via multicast. LLMNR is therefore just a fallback for DNS. It is also an old protocol.

In LLMNR poisoning an attacker abuses this mechanism to trick a computer into connecting to him and handing over the user’s hash. The attacker simply listens for LLMNR requests in the network and answers every one of them with his own IP. After that the attacker waits until the victim connects to him. During that connection the attacker asks the victim to authenticate, and when the victim does so, the attacker receives the user’s password hash.

Such an attack can be performed with a tool such as Responder.
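The same property that makes poisoning work, that any host may answer an LLMNR query, also makes a rogue responder easy to detect: a defender asks for a name that cannot exist and treats any answer as evidence of a poisoner. The script below is an added example and is not part of the original article or of Responder. It builds an LLMNR query in DNS message format (UDP port 5355, multicast group 224.0.0.252), parses replies including compressed names, and reports any answer to the canary name. The sample reply packet, the canary name, the transaction id and the address 10.10.14.5 are all constructed for the example.

```python
"""LLMNR canary: detect a host that answers queries for names that do not exist."""
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group used by LLMNR
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length byte + label, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name: str, txid: int) -> bytes:
    """LLMNR query: 12-byte DNS header, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_response(packet: bytes):
    """Return {'txid', 'qname', 'answers'} for a response, or None for a query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        return None
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"txid": txid, "qname": qname, "answers": answers}


def is_poisoned_reply(sent_name: str, sent_txid: int, packet: bytes):
    """A canary name must never resolve: any matching answer reveals a rogue responder.
    Returns the addresses the responder claimed, or [] if the packet is unrelated."""
    resp = parse_response(packet)
    if resp is None or resp["txid"] != sent_txid:
        return []
    if (resp["qname"] or "").lower() != sent_name.lower():
        return []
    return resp["answers"]


def probe(timeout: float = 2.0):
    """Send one canary query on the local segment and collect responding sources."""
    name, txid = "canary-" + secrets.token_hex(4), secrets.randbelow(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = set()
    try:
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            if is_poisoned_reply(name, txid, data):
                hits.add(src)  # the sender, not the address it advertised
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(hits)


# Constructed sample: a poisoner answering canary-7f3a (txid 0x1234) with 10.10.14.5,
# using a compression pointer (0xC00C) back to the question name.
SAMPLE_POISONED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
    + encode_name("canary-7f3a") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 10, 14, 5])
)

if __name__ == "__main__":
    print("rogue responders:", probe() or "none seen in this window")
```

A hit names the responder's source address, which is what an analyst wants to go and find; an empty result only means nothing answered during that window on that segment, so the probe is worth repeating periodically rather than once.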

Performing the attack

On the attacker machine I have started responder with the following command:

sudo responder -I tun0 -dw -v

With this command Responder starts the WPAD rogue proxy server (-w) and also answers DHCP broadcast requests (-d). The -v option enables verbose mode. With -I tun0 it listens on the tun0 interface, which is connected to the VPN server of the Throwback lab. After running the command the following output is shown on the console:

After waiting for a while, the user PetersJ connects and we receive the hash:

Cracking the NTLM hash

Next we can try to crack the received hash. I have saved the hash into a file called “hash.txt”. For cracking the hash, I have used hashcat. The wordlist I have used is “rockyou.txt” and the ruleset I have used is called “OneRuleToRuleThemAll.rule”. The ruleset can be found here. The hashcat command I have used is the following:

hashcat -m 5600 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

The -m 5600 parameter tells hashcat that the hash is a NetNTLMv2 hash.

After waiting for a bit, hashcat was able to crack the hash.

Getting the user flag

After cracking the hash, I could connect via RDP to the target machine and retrieve the user flag.

Command and Control

In order to manage the compromised host, I have used Empire as the C2 framework. For that I have created a listener and a windows/launcher_bat stager. After executing the launcher on the victim, I have received an agent:

Enumeration

With C2 in place, I was able to use more tools more conveniently. I have performed enumeration with Seatbelt and identified that the credentials for admin-petersj are saved in Credential Manager.

Privilege Escalation

The credentials saved in Credential Manager could be used to escalate privileges to admin-petersj with the following runas command:

runas /savecred /user:admin-petersj /profile "cmd.exe"

The command spawned a new command prompt as admin-petersj:

With these privileges it was possible to retrieve the admin and BlaireJ flags:

Enumeration #2

With the newly gained Administrator privileges, I have run Mimikatz and could retrieve more passwords.

Remediation

If not needed, LLMNR should be disabled via a group policy. This can be done by navigating to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client and enabling “Turn OFF Multicast Name Resolution”.
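The group policy setting above is stored in the registry as the DWORD EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (0 = LLMNR off; value absent = policy not configured, so LLMNR stays on). The second weak point the chain relied on, credentials saved in Credential Manager being usable with runas /savecred, is governed by the security option "Network access: Do not allow storage of passwords and credentials for network authentication" (DisableDomainCreds = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The script below is an added example, not part of the original article, that audits both values on a Windows host and can set them; the check names, the state strings and the --fix flag are the example's own. Note that disabling LLMNR does not stop Responder's NBT-NS or mDNS poisoning, which need their own settings not covered here.

```python
"""Audit (and optionally enforce) the LLMNR policy and the saved-credentials policy."""
import sys

# Each check: registry path under HKLM, value name, and the value that means "hardened".
CHECKS = {
    "llmnr": {
        "path": r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient",
        "value": "EnableMulticast",
        "hardened": 0,  # 0 = Turn OFF Multicast Name Resolution is Enabled
        "gpo": "Computer Configuration > Administrative Templates > Network > "
               "DNS Client > Turn OFF Multicast Name Resolution",
    },
    "saved_creds": {
        "path": r"SYSTEM\CurrentControlSet\Control\Lsa",
        "value": "DisableDomainCreds",
        "hardened": 1,  # 1 = storage of network credentials is not allowed
        "gpo": "Security Options > Network access: Do not allow storage of "
               "passwords and credentials for network authentication",
    },
}


def evaluate(readings):
    """Map raw DWORD readings (None = value absent) to a state per check.
    For both values the Windows default, i.e. an absent value, is the weak state."""
    result = {}
    for name, spec in CHECKS.items():
        value = readings.get(name)
        if value is None:
            result[name] = "default (weak)"
        elif value == spec["hardened"]:
            result[name] = "hardened"
        else:
            result[name] = "explicitly weak"
    return result


def read_local():
    """Read the two values from the local machine (Windows only, uses winreg)."""
    import winreg
    readings = {}
    for name, spec in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, spec["path"]) as key:
                data, kind = winreg.QueryValueEx(key, spec["value"])
                readings[name] = data if kind == winreg.REG_DWORD else None
        except FileNotFoundError:
            readings[name] = None  # key or value absent: policy not configured
    return readings


def enforce_local(names):
    """Write the hardened value for the named checks (requires administrator rights)."""
    import winreg
    for name in names:
        spec = CHECKS[name]
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, spec["path"], 0,
                                winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, spec["value"], 0, winreg.REG_DWORD, spec["hardened"])


if __name__ == "__main__":
    status = evaluate(read_local())
    for name, state in status.items():
        print(f"{name:12} {state:18} ({CHECKS[name]['gpo']})")
    weak = [n for n, s in status.items() if s != "hardened"]
    if weak and "--fix" in sys.argv:
        enforce_local(weak)
        print("set:", ", ".join(weak))
```

On a domain-joined machine the Policies key is rewritten at every group policy refresh, so the lasting fix is the GPO setting named in the article; the local write is useful for a standalone host or to confirm the effect before rolling the policy out.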
