Active Directory Exploitation - LLMNR/NBT-NS Poisoning

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·7y ago

Key Takeaways

The video demonstrates LLMNR/NBT-NS poisoning, a common attack in internal penetration testing, and discusses defensive measures, including disabling LLMNR/NBT-NS and requiring strong user passwords, using tools like Responder and Hashcat.

Full Transcript

What's up everybody, so today I'm going to be doing a lesson on LLMNR/NBT-NS poisoning. It's one of the most common attacks that you see today in terms of internal penetration testing, and it's one of the most common attacks that I perform, actually the first thing I perform when I'm doing an internal penetration test. So I'm going to share with you the tactics, techniques, and even the defensive measures that we can take in order to exploit and prevent this attack. So let's go ahead and get started.

Okay, so let's first talk about what is LLMNR/NBT-NS poisoning. Well, LLMNR is Link-Local Multicast Name Resolution, and its predecessor is NBT-NS, which is NetBIOS Name Service. They're both used to identify a host when DNS fails to do so. Now the way that they identify a host and connect to clients is using an NTLM or NTLMv2 hash, which can easily be exploited. To better explain this I want to show you an image instead.

Okay, so let's take a look at this example. Here we've got a victim trying to connect to a shared drive on a server; however, the victim has typed in the share wrong, so they're trying to connect to a share called hackme but instead typed in hackm. Because the share does not exist, the server is going to respond and say "I have no idea what you're talking about," so this seems like a DNS failure. Because we're having this DNS failure, the victim machine is going to send out a broadcast message to everybody on the network, and it's gonna say "hey, does anybody know how to connect to hackm?" And a malicious hacker can sit in the middle and say "you know what, I sure do know how to connect to that, why don't you just send me over your hash or your credentials and I'll connect to it for you," and the victim is gonna say "okay, here you go, here's my hash." Now the dangerous part of this hash is this hash can be taken offline and cracked, which is what you're gonna see here in an example, or it can actually be relayed without ever being cracked and used to gain access to machines as well. Today we're going to be looking at what it's like to capture it and then crack it offline. So let's go ahead and take a look at a real-life example and get a better understanding of what this might look like.

Okay, so now let's set the example. I am an attacker or penetration tester sitting on an internal network. As a penetration tester, Responder is a tool that I run first before I run Nessus and Nmap or any type of scanning software; I like to get my listeners set up and running. Now Responder is a tool by Impacket that comes built in to Kali Linux and allows us to do LLMNR/NBT-NS poisoning. So to fire that up we say python Responder.py -I eth0 for your Ethernet interface and then -rdwv; you can leave off the v, I'm leaving it on for demonstration purposes and verbosity purposes. So we're gonna go ahead and fire this off, and the reason we do this before we get any scans running is it starts listening for events. Our scanning software might actually trigger some events and trigger those broadcast messages and help us capture hashes, so it's best to run Responder first thing in the morning or when people are coming back from lunch and logging into their computers, as it starts to generate and trigger these events; it's typically more quiet during the day and during down hours. Now to set up the situation more, I have built out an Active Directory lab. We've got an Active Directory server and we've got a Windows 10 victim machine here. Now as we showed in the demonstration, we have a hackme folder that is connected to a Hydra domain controller here on the Marvel network. We've got a user here, Frank Castle, that is going to attempt to connect to the wrong share that is not known by the server. For simplicity purposes I'm gonna actually just point this directly at my attacker machine. Hit enter here. Now the server is not going to know where this is going, so it's going to send out that broadcast message and say "hey, who knows where this is at?" and hopefully our machine picked it up and said "hey, I know where it is, send me your hash," and that's exactly what happened here. So you see we pick up an NTLMv2 hash, we've got it twice here, and we've got it for the user fcastle, Frank Castle; here we've got the domain as MARVEL and then we've got the NTLMv2 hash. Now depending on this user's password it may be an easy crack and it may lead to some quick win. This is why we fire up Responder and do poisoning right in the beginning: to try to capture these hashes, or even relay these hashes if we can't crack them, and try to get some easy win. So now let's cut over to Hashcat and look at what this might look like.

Okay, so now what we're gonna do is use a tool called Hashcat. We're gonna specify a mode or module of 5600; all that does is tie into NTLMv2. If you're curious about the modes and their corresponding numbers, all you have to do is type in --help to see a full list of hashes that Hashcat can crack. So I have put the hash that you saw come through into hashes.txt and I am running it against the list of rockyou.txt. So now all we have to do is fire this off and it'll take a second to initialize the device kernels in memory, and if you have a decent graphics card at all it should crack it relatively quick if you have an easy password. Now you saw it come through; it took not that long at all, and now we found that we have a password of Password1. So good ol' Frank Castle is not using a secure password by any means and allowed us to crack it, and now we could take this password, try to log in all over the place, and see what kind of access it really could get us.

Okay, and on to defenses. So the best defense in this case is to disable LLMNR and NBT-NS; I provided instructions in the block on the left if you would like to do that. Now if you cannot do that in your environment, the best course of action then is to, one, require network access control: if an attacker cannot get on your network then they cannot perform this attack. Now let's note network access control can be bypassed, and an attacker that is motivated will bypass network access control. The more important action here in a layered defense is to require strong user passwords. The longer the password, the harder it is to crack; I say here greater than 12 characters in length for you admins, however the longer the better. If it's a 16-character password it's likely that I'm not cracking it; I have cracked 12-character passwords before. The longer and more complex the password, the harder it is for an attacker to crack the hash. Now this does not prevent SMB relay; that is not an attack we have talked about here, but with SMB or NTLM relay we take this hash, do not have to crack it, and just pass it on to another machine. This doesn't prevent it; that's when we move into tools like SMB signing, but we'll cover that in a later video. So if you enjoyed this video, I thank you, thank you so much for watching. Please do hit that like button, that subscribe button, and please share with a friend. Until next time, I am The Cyber Mentor and I thank you for joining me.
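As an added example (not from the video, from Responder, or from any TCM project), the defender-side counterpart of the exchange the speaker describes: a probe sends one LLMNR query for a name that cannot exist, and any host that claims to resolve it is a poisoner, because a legitimate resolver has nothing to say about a bogus name. It assumes the monitoring host sits in the same broadcast domain as the clients; SAMPLE_ANSWER is a constructed reply packet so the parser can be checked offline, and probe_for_poisoner is the live check.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT, QTYPE_A, QCLASS_IN = "224.0.0.252", 5355, 1, 1  # RFC 4795 group/port; A, IN

SAMPLE_ANSWER = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"  # CONSTRUCTED poisoner reply: id 0x1234, QR=1, qd=1, an=1
                 + b"\x0eprobe-deadbeef\x00\x00\x01\x00\x01"  # echoed question, A/IN
                 + b"\x0eprobe-deadbeef\x00\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\xc0\x00\x02\x0a")  # A record -> 192.0.2.10

def encode_name(name):
    # DNS-style labels: length byte + label, terminated by a zero byte
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"

def decode_name(buf, off):
    labels = []
    while True:
        ln, off = buf[off], off + 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0 == 0xC0:  # RFC 1035 compression pointer: the rest of the name lives elsewhere
            return ".".join(labels + [decode_name(buf, ((ln & 0x3F) << 8) | buf[off])[0]]), off + 1
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln

def build_llmnr_query(name, txid):
    # Header: id, flags=0 (standard query), qdcount=1, an/ns/ar=0; then one A/IN question
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_llmnr_response(buf, expected_txid, probe_name):
    """IPv4 address a responder claims for probe_name, or None if this is not an answer to our probe."""
    if len(buf) < 12 or struct.unpack("!H", buf[:2])[0] != expected_txid or not buf[2] & 0x80:
        return None  # too short, wrong transaction ID, or QR bit clear (a query, not a response)
    qd, an = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qd):
        off = decode_name(buf, off)[1] + 4  # skip the echoed question name plus QTYPE/QCLASS
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata, off = buf[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4 and name.lower() == probe_name.lower():
            return socket.inet_ntoa(rdata)
    return None

def probe_for_poisoner(timeout=2.0):
    """Query a random name that cannot exist; anything that answers is a poisoner: [(src_ip, claimed_ip)]."""
    name, txid, hits = "probe-" + secrets.token_hex(4), secrets.randbelow(0x10000), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:  # collect every answer until the timeout; a clean segment yields none
                data, (src, _) = sock.recvfrom(2048)
                claimed = parse_llmnr_response(data, txid, name)
                if claimed:
                    hits.append((src, claimed))
        except socket.timeout:
            pass
    return hits
```

Run it on a segment before and after rolling out the LLMNR/NBT-NS disable described in the video; NBT-NS uses its own wire format on UDP 137 and is not covered by this probe.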

Original Description

0:00 - Introduction
0:33 - What is LLMNR/NBT-NS poisoning?
2:26 - Live attack demonstration w/ Responder
5:12 - Cracking NTLMv2 hashes w/ Hashcat
6:28 - Defenses

Need a Pentest?: https://tcm-sec.com
Learn to Hack: https://academy.tcm-sec.com
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://tcm-sec.com/discord
LinkedIn: https://www.linkedin.com/in/heathadams


The video teaches how to exploit LLMNR/NBT-NS poisoning using Responder and Hashcat, and discusses defensive measures to prevent such attacks, including disabling LLMNR/NBT-NS and requiring strong user passwords.

Key Takeaways
  1. Set up Responder to listen for LLMNR/NBT-NS requests
  2. Use Responder to capture NTLMv2 hashes
  3. Crack captured hashes using Hashcat
  4. Disable LLMNR/NBT-NS to prevent poisoning
  5. Implement strong user passwords to prevent cracking
💡 Disabling LLMNR/NBT-NS and requiring strong user passwords are effective defensive measures against LLMNR/NBT-NS poisoning attacks.

