Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Key Takeaways
The video demonstrates LLMNR/NBT-NS poisoning, a common attack in internal penetration testing, and discusses defensive measures, including disabling LLMNR/NBT-NS and requiring strong user passwords, using tools like Responder and Hashcat.
Full Transcript
What's up everybody? So today I'm going to be doing a lesson on LLMNR/NBT-NS poisoning. It's one of the most common attacks that you see today in terms of internal penetration testing, and it's one of the most common attacks that I perform, actually the first thing I perform when I'm doing an internal penetration test. So I'm going to share with you the tactics, techniques, and even the defensive measures that we can take in order to exploit and prevent this attack. So let's go ahead and get started.

Okay, so let's first talk about what is LLMNR/NBT-NS poisoning. Well, LLMNR is Link-Local Multicast Name Resolution, and its predecessor is NBT-NS, which is NetBIOS Name Service. They're both used to identify a host when DNS fails to do so. Now, the way that they identify a host and connect to clients is using an NTLM or NTLMv2 hash, which can easily be exploited. To better explain this, I want to show you an image instead.

Okay, so let's take a look at this example. Here we've got a victim trying to connect to a shared drive on a server; however, the victim has typed in the share wrong. So they're trying to connect to a share called hackme but instead type in hackm. Because the share does not exist, the server is going to respond and say, "I have no idea what you're talking about." So this seems like a DNS failure. Because we're having this DNS failure, the victim machine is going to send out a broadcast message to everybody on the network, and it's gonna say, "Hey, does anybody know how to connect to hackm?" And a malicious hacker can sit in the middle and say, "You know what, I sure do know how to connect to that. Why don't you just send me over your hash or your credentials and I'll connect to it for you." And the victim is gonna say, "Okay, here you go, here's my hash." Now the dangerous part of this hash is this hash can be taken offline and cracked, which is what you're gonna see here in an example, or it can actually be relayed without ever being cracked and used to gain access to machines as well. Today we're going to be looking at what it's like to capture it and then crack it offline. So let's go ahead and take a look at a real-life example and get a better understanding of what this might look like.

Okay, so now let's set the example. I am an attacker or penetration tester sitting on an internal network. As a penetration tester, Responder is a tool that I run first, before I run Nessus, Nmap, or any type of scanning software. I like to get my listeners set up and running. Now Responder is a tool by Impacket that comes built in to Kali Linux and allows us to do LLMNR/NBT-NS poisoning. So to fire that up we say python Responder.py -I eth0 for your Ethernet interface and then -rdwv. You can leave off the v; I'm leaving it on for demonstration purposes and verbosity purposes. So we're gonna go ahead and fire this off. And the reason we do this before we get any scans running is it starts listening for events. Our scanning software might actually trigger some events and trigger those broadcast messages and help us capture hashes. So it's best to run Responder first thing in the morning or when people are coming back from lunch and logging into their computers, as it starts to generate and trigger these events. It's typically more quiet during the day and during down hours.

Now, to set up the situation more, I have built out an Active Directory lab. We've got an Active Directory server and we've got a Windows 10 victim machine here. Now, as we showed in the demonstration, we have a hackme folder that is connected to a Hydra domain controller here on the Marvel network. We've got a user here, Frank Castle, that is going to attempt to connect to the wrong share that is not known by the server. For simplicity purposes I'm gonna actually just point this directly at my attacker machine. Hit enter here. Now the server is not going to know where this is going, so it's going to send out that broadcast message and say, "Hey, who knows where this is at?" And hopefully our machine picked it up and said, "Hey, I know where it is, send me your hash." And that's exactly what happened here. So you see we pick up an NTLMv2 hash. We've got it twice here, and we've got it for the user fcastle, Frank Castle here. We've got the domain as Marvel, and then we've got the NTLMv2 hash. Now depending on this user's password it may be an easy crack, and it may lead to some quick win. This is why we fire up Responder and do poisoning right in the beginning: to try to capture these hashes, or even relay these hashes if we can't crack them, and try to get some easy win. So now let's cut over to Hashcat and look at what this might look like.

Okay, so now what we're gonna do is use a tool called Hashcat. We're gonna specify a mode, or module, of 5600. All that does is tie into NTLMv2. If you're curious about the modes and their corresponding numbers, all you have to do is type in --help to see a full list of hashes that Hashcat can crack. So I have put the hash that you saw come through into hashes.txt, and I am running it against the list of rockyou.txt. So now all we have to do is fire this off, and it'll take a second to initialize the device kernels in memory, and if you have a decent graphics card at all it should crack it relatively quick if you have an easy password. Now you saw it come through; it took not that long at all, and now we found that we have a password of Password1. So good ol' Frank Castle is not using a secure password by any means and allowed us to crack it, and now we could take this password, try to log in all over the place, and see what kind of access it really could get us.

Okay, and on to defenses. So the best defense in this case is to disable LLMNR and NBT-NS. I provided instructions in the block on the left if you would like to do that. Now, if you cannot do that in your environment, the best course of action then is to, one, require network access control. If an attacker cannot get on your network, then they cannot perform this attack. Now, let's note network access control can be bypassed, and an attacker that is motivated will bypass network access control. The more important action here in a layered defense is to require strong user passwords. The longer the password, the harder it is to crack. I say here greater than 12 characters in length for you admins; however, the longer the better. If it's a 16-character password it's likely that I'm not cracking it. I have cracked 12-character passwords before. The longer and more complex the password, the harder it is for an attacker to crack the hash. Now, this does not prevent SMB relay. That is not an attack we have talked about here, but SMB or NTLM relay, where we take this hash, do not have to crack it, and just pass it on to another machine: this doesn't prevent it. That's when we move into tools like SMB signing, but we'll cover that in a later video. So if you enjoyed this video, I thank you, thank you so much for watching. Please do hit that like button, that subscribe button, and please share with a friend. Until next time, I am The Cyber Mentor and I thank you for joining me.
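One defensive check a network or SOC team can run for the behaviour the video describes, written here as an added example (not code from The Cyber Mentor or from Responder): ask the LLMNR multicast group for a name that cannot exist on the LAN, so any host that answers is claiming names it does not own, which is exactly what a poisoner does. The group address, port and message layout are from RFC 4795; the canary name, transaction id and SAMPLE_POISONED_REPLY bytes are constructed for the offline check.

```python
import os
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR link-local multicast group and UDP port

def build_llmnr_query(name, txid):
    # LLMNR reuses the DNS message format (RFC 4795): header, then one A-record question.
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0 = query, QDCOUNT = 1
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN

def _skip_name(pkt, off):
    # Step past a label sequence, or a 2-byte compression pointer (top two bits set).
    while pkt[off] and (pkt[off] & 0xC0) != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] else 1)

def parse_llmnr_response(pkt, expect_txid):
    # Return the IPv4 addresses in the answer section of a response to our txid, else [].
    if len(pkt) < 12:
        return []
    txid, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    if txid != expect_txid or not (flags & 0x8000):  # QR bit clear: a query, not an answer
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip the echoed QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def probe(name, timeout=2.0):
    # Multicast a query for a name nobody owns; any (sender, claimed_ip) answer is a poisoner.
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:  # collect every answer until the timeout; a clean LAN yields none
            data, (src, _) = sock.recvfrom(1024)
            hits += [(src, ip) for ip in parse_llmnr_response(data, txid)]
    except socket.timeout:
        return hits
SAMPLE_POISONED_REPLY = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00" b"\x0acanary-q8x\x00\x00\x01\x00\x01"  # constructed, not a capture
                         b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x42")  # answer: A 10.0.0.66, TTL 30
```

Run probe() from a host on the segment under test: a clean network returns an empty list, and each (sender, claimed_ip) hit names a machine answering for names it does not own.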
Original Description
0:00 - Introduction
0:33 - What is LLMNR/NBT-NS poisoning?
2:26 - Live attack demonstration w/ Responder
5:12 - Cracking NTLMv2 hashes w/ Hashcat
6:28 - Defenses