What is LLMNR?

• Link-Local Multicast Name Resolution
• Used to identify hosts when DNS fails to do so
• Previously NBT-NS
• LLMNR poisoning tricks the victim into connecting to a fake service. Windows then automatically sends the user’s username and NTLMv2 hash as part of authentication.
  • That’s the key flaw: The trust and automatic response with sensitive data.

Steps to Capture and Crack Hashes with Responder

1. Run Responder

   

   Start Responder on the target interface to capture authentication attempts:

   Choose between 'w' and 'P', newer version doesn't support both
   You can open two separate windows to run the two commands
   
   sudo responder -I tun0 -dPv
   sudo responder -I tun0 -dwv
   

   • I: Specifies the network interface (e.g., tun0).
   • d: Enables database storage.
   • w: Responds to LLMNR/NBT-NS requests.
   • P: Enables poisoning for authentication capture.
   • v: Verbose

   The best times to run this are early in the morning or after lunch—when users are turning on their computers and generating network traffic.

2. Wait for an Event

   Responder will listen for network authentication attempts, potentially capturing NTLMv2 hashes.

   

3. Retrieve Captured Hashes

   Once an event occurs, check the captured hashes in Responder’s log directory.

   

4. Crack the Hashes

   Use Hashcat to attempt cracking the NTLMv2 hashes with a wordlist like rockyou.txt:

   hashcat -m 5600 hashes.txt rockyou.txt
   

   

   • m 5600: Specifies NTLMv2 hash mode.
   • hashes.txt: The file containing captured hashes.
   • rockyou.txt: The wordlist that contains 14 million plaintext passwords from the 2009 RockYou hack, it’s used for brute-force attempts.
     • rockyou2021.txt: A 100GB file with 8.4 billion passwords
   • force: Ignore warnings
   • -O: Optimize kernel mode, for better performance (Don’t use it against Long password [>32 char] & PBKDF2-based hashes)
   • -r OneRule.rule: Apply the OneRule mutation (Capitalize letters, appending numbers, etc.) to the wordlist.

   <aside> 💡

   Hash cracking relies heavily on GPU processing power, making it significantly slower in virtual machines that rely solely on the CPU. The performance improves with more or higher-end GPUs.

   Additionally, ensure that the stored hash file contains no extra spaces or unintended characters that could interfere with the cracking process.

   </aside>

   Use the command to see the cracked password:

   hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt --show
   

   Below is the image of what will happen if you try to crack the same hash again and the output of --show:

   

Mitigation

• The best defense in this case is to disable LLMNR and NBT-NS

  • To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor
  • To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP”

• If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:

  • Require Network Access Control
  • Require strong user passwords (e.g. >14 characters in length and limit common word usage). The more complex and long the password, the harder it is for an attacker to crack the hash