This post assumes the basics of Active Directory are already covered; if not, please go through the concepts in "Basics before Active Directory Hacking" first.
Okay, now let's have a look at some attacking stuff.
What is LLMNR?
LLMNR stands for Link-Local Multicast Name Resolution. Hmm, another name resolution…
Questions might be popping up in your head, like: is it different from the Domain Name System (DNS)? How many more name resolutions are there? Don't worry, I'll answer these questions later in this post.
Before going into any of those questions let’s dive into LLMNR first.
LLMNR is a name resolution protocol just like any other. When a user wants to access some address, for example by typing a site name into a browser, some server responds with the IP address of that name so that you can reach it. In the computer world there are no English words; all a machine understands is binary (01001000 01100101 01101100 01101100 01101111 00100000 01010111 01101111 01110010 01101100 01100100 00100001). Hence the IP address (numbers/binary) is the actual address of the place you want to visit. In the case of LLMNR, name resolution is done by the link-local computers: your system asks neighbouring hosts on the same link to resolve a name into an IP address.
In the case of DNS, there is a centralized, dedicated server that resolves a name (domain name) to an IP address or vice versa. You can check your own DNS server settings with the following steps.
For Windows:
- Open CMD
- Type the following command: netsh interface ip show config
- Look for the settings “DNS Servers Configured *” in the output
For Linux:
- Open a terminal
- Type: cat /etc/resolv.conf
- Look for the nameserver entries
So DNS and LLMNR are different… Then how does the system know which one to use, and when?
LLMNR is a fallback for DNS. When your system is not able to resolve a name via the DNS server, it falls back to LLMNR and asks the nearby systems on the link.
The worst part of this protocol is that when a nearby system responds with “I know this name”, your system then sends your credentials (username and NTLMv2 hash, i.e. the password hash) to that system. I guess you are getting what we are going to do in the poisoning part.
We are going to set up our own server which listens for such requests and answers “yes, that's me” whenever one comes our way. The information we then receive is the username and the password hash. What can we do with this? We can pass these credentials around the network to see which shares and which domain accounts we can access, we can try to crack the NTLM hash, and so on.
How to set this up will be explained in “Execution: LLMNR Poisoning”.
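From the defender's side, the behaviour described above has a simple tell: a legitimate host only ever answers LLMNR queries for its own name, while a poisoning host answers for every name it sees. The following Python script is an added example written for this post (it is not the author's code and not part of any tool the post mentions). It builds a few constructed LLMNR messages in the RFC 4795 wire format (which mirrors the DNS message format), parses them back, and flags any responder that answers queries for more than one distinct name. The packet list, the IP addresses, the host names and the `max_names` threshold are all made-up sample values for the demonstration.

```python
"""Minimal LLMNR (RFC 4795) message builder/parser plus a responder-anomaly check.
Added example for detection purposes; all packets below are constructed samples."""
import struct
from collections import defaultdict

LLMNR_PORT = 5355            # UDP port used by LLMNR
LLMNR_MCAST_V4 = "224.0.0.252"  # IPv4 multicast group queries are sent to
QR_BIT = 0x8000              # flags: 1 = response, 0 = query (same layout as DNS)


def encode_name(name):
    """Encode a dotted name as length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def build_llmnr(msg_id, name, answer_ip=None):
    """Construct an LLMNR A query for `name`, or a response if `answer_ip` is given."""
    flags = QR_BIT if answer_ip else 0
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if answer_ip is None:
        return header + question
    rdata = bytes(int(o) for o in answer_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + answer


def parse_name(buf, off):
    """Decode length-prefixed labels starting at `off`; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def parse_llmnr(buf):
    """Parse header, first question and any A-record answers of an LLMNR message."""
    msg_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    name, off = parse_name(buf, off)
    off += 4  # skip QTYPE/QCLASS of the question
    answers = []
    for _ in range(ancount):
        _, off = parse_name(buf, off)
        atype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if atype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": msg_id, "response": bool(flags & QR_BIT), "name": name, "answers": answers}


def find_suspicious_responders(packets, max_names=1):
    """Map each responding source IP to the names it answered; flag those answering
    more than `max_names` distinct names (a real host answers only its own name)."""
    answered = defaultdict(set)
    for src_ip, payload in packets:
        msg = parse_llmnr(payload)
        if msg["response"]:
            answered[src_ip].add(msg["name"].lower())
    return {src: sorted(names) for src, names in answered.items() if len(names) > max_names}


# Constructed sample traffic: (source IP, raw LLMNR payload). Host 10.0.0.20 behaves
# normally (answers only "printer-3"); host 10.0.0.66 answers every name it sees.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_llmnr(1, "fileserv")),
    ("10.0.0.66", build_llmnr(1, "fileserv", "10.0.0.66")),
    ("10.0.0.7", build_llmnr(2, "printer-3")),
    ("10.0.0.20", build_llmnr(2, "printer-3", "10.0.0.20")),
    ("10.0.0.5", build_llmnr(3, "intranet")),
    ("10.0.0.66", build_llmnr(3, "intranet", "10.0.0.66")),
    ("10.0.0.9", build_llmnr(4, "backup01")),
    ("10.0.0.66", build_llmnr(4, "backup01", "10.0.0.66")),
]

if __name__ == "__main__":
    for src, names in find_suspicious_responders(SAMPLE_PACKETS).items():
        print(f"{src} answered LLMNR queries for {len(names)} different names: {names}")
```

In a real deployment the packet list would come from a capture of UDP port 5355 traffic to 224.0.0.252 (or its IPv6 counterpart); the parser only reads the fields the check needs, so it ignores NSCOUNT/ARCOUNT sections. The cleanest mitigation is still to disable LLMNR (and NBT-NS) via Group Policy so that a failed DNS lookup never falls back to asking the link in the first place.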