LLMNR and NetBIOS-NS Spoofing with Responder
Author: HollyGraceful Published: 19 October 2020 Last Updated: 03 July 2023
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.
Therefore, an attack can take place where an attacker responds to these requests with illegitimate requests. For example, directing the requesting user to connect to the attacker's machine where an authentication attempt will be made – disclosing hashed credentials for the targeted user.
Responder is very simply to use and includes a sensible default configuration meaning that it can be run by simply including the “-I” flag and setting the name of the network interface to run on:
Responder starting up on the interface called eth0
At this point, just wait! If a user mistypes a machine name, if the DNS server is temporarily unavailable, or if there's another similar DNS failure then users will begin to multicast their name requests and Responder will intercept them. If the credentials are sent in plaintext they will be displayed to the screen, or more likely, you'll receive hashed credentials for something like a file-share connection:
Hashed user credentials are captured.
At this point, these credentials could be cracked using a common tool like John the Ripper or Hashcat. If you need to crack them very quickly, then our post on Hashcracking with AWS could help!
Oh and don't forget to read how to Fix LLMNR and NetBIOS-NS Spoofing.