February 16, 2024

Active Directory Pentesting - Initial Access - LLMNR poisoning using Responder

 Prerequisite - Kali, Windows AD setup 


LLMNR stands for Link-Local Multicast Name Resolution. It is a protocol used in modern Windows operating systems to resolve the NetBIOS names of neighboring computers on the same subnet when DNS name resolution fails. LLMNR operates similarly to the more commonly known protocol, DNS (Domain Name System), but it is designed specifically for local networks. 

While LLMNR can be helpful for local network discovery and resolving names when DNS is unavailable, it can also introduce security risks, such as potential man-in-the-middle attacks. As a result, network administrators often consider disabling LLMNR in secure network environments or implementing additional security measures to mitigate associated risks. 

Consider the following scenario: Imagine a scenario where a user attempts to access a shared drive, such as \test, on a network. Typically, the user's device sends a request to the local DNS server to resolve the address of the shared drive. However, if the shared drive doesn't exist or if there are connectivity issues, the DNS server responds with an error indicating that it cannot access the shared folder. 


In such cases, the user's device may resort to using LLMNR (Link-Local Multicast Name Resolution) to multicast the request across the network, hoping that another user might have knowledge of the correct route to the shared folder (\test). 


Here's where a potential security vulnerability arises: An attacker could exploit this situation by impersonating a legitimate client on the network. Upon receiving the multicast request from the victim, the attacker can respond deceitfully, claiming to know the identity of the shared folder and offering assistance to the victim in connecting to it. The catch here is that the attacker requests the victim's device to share its NTLM hash (a type of cryptographic representation of the user's password). 


Once the attacker obtains the NTLM hash from the victim, they can proceed to crack it offline using tools like hashcat, a powerful password cracker. This means that the attacker can potentially uncover the victim's password, gaining unauthorized access to their account or sensitive information. 


Let's explore a practical demonstration of a potential security loophole using a real-world example: 

Initial Connection Attempt: 

We start by trying to connect to the \test share on the victim machine.

- If the share doesn't exist, the output would confirm the absence of the resource.


Launching Responder: 

  • Now, let's initiate Responder on our Kali machine, ensuring that the LLMNR flag is activated. 

Second Connection Attempt: 

  • With Responder primed, we retry connecting to the \test share on the victim machine. This time, a login window should appear, indicating a potential breakthrough. 

Surprisingly, no credentials are required to proceed past this login prompt. 

Instead, we head straight to Responder on our Kali machine to examine the captured NTLM hash. 

Extracting Password: 

  • The captured NTLM hash can be saved into a separate file for further analysis. Utilizing tools like hashcat, we can extract the password associated with this hash. 


This example underscores the critical importance of robust network security measures. It emphasizes the need for organizations to ensure the reliability and integrity of shared resources, while also educating users about the risks associated with disclosing sensitive information over the network. Promoting the use of strong, unique passwords serves as a crucial defense mechanism against such security threats.