56 LLMNR and NBT NS Poisoning Attack with Example and LAB скачать в хорошем качестве

56 LLMNR and NBT NS Poisoning Attack with Example and LAB

LLMNR and NBT-NS Poisoning Attack Lab Description **Objective**: This lab aims to demonstrate Local Link Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) poisoning attacks. Participants will learn how attackers can exploit these protocols to capture sensitive information and authenticate users on a network. --- #### Prerequisites 1. **Environment**: A Windows-based network environment with at least two machines (one attacker and one target). Tools: **Responder**: A tool for LLMNR and NBT-NS poisoning. **Wireshark**: For packet analysis and monitoring. 2. **User Accounts**: Create user accounts on the target machine for demonstration. #### Lab Setup 1. **Install Responder**: Ensure that Responder is installed on the attacker's machine. This can typically be done by downloading the tool from its GitHub repository and following installation instructions. 2. **Configure the Target Machine**: Set up a Windows machine as the target. Ensure that it is part of a local network and that it can resolve names using LLMNR and NBT-NS. 3. **Network Configuration**: Ensure both machines are on the same subnet and can communicate with each other. --- Demonstration Steps 1. **Understanding LLMNR and NBT-NS**: **LLMNR**: A protocol used for name resolution in local networks when DNS fails. It allows hosts to resolve names to IP addresses without a DNS server. **NBT-NS**: A legacy protocol that provides name resolution services for NetBIOS names over TCP/IP. 2. **Starting Responder**: On the attacker's machine, run Responder to listen for LLMNR and NBT-NS requests: ```bash sudo responder -I ``` Replace ` with the network interface you want to use. 3. **Generating a Name Resolution Request**: On the target machine, attempt to access a resource that does not exist (e.g., using a command like `ping nonexistentname`). 4. **Capturing the Poisoned Request**: Observe the Responder terminal. It should display requests sent from the target machine, revealing usernames and password hashes as they are intercepted. 5. **Analyzing the Captured Data**: Use tools like *Wireshark* to capture the traffic and analyze the LLMNR or NBT-NS packets for further insight. 6. **Cracking Password Hashes**: If password hashes are captured, use tools like *Hashcat* or *John the Ripper* to attempt cracking the hashes and retrieving the plaintext passwords. ```bash hashcat -m 1000 hashes.txt wordlist.txt ``` --- Reporting Results Document: The requests captured by Responder. Any passwords or hashes obtained. Observations on the effectiveness of LLMNR and NBT-NS poisoning. Discuss the implications of such attacks on network security and user awareness. --- Mitigation Strategies 1. **Disable LLMNR and NBT-NS**: Modify network settings to disable LLMNR and NBT-NS on Windows machines. 2. **Use Strong Authentication**: Implement strong password policies and consider using multi-factor authentication (MFA). 3. **Network Segmentation**: Isolate sensitive devices and users on separate network segments to limit exposure. 4. **Monitoring and Logging**: Continuously monitor network traffic for unusual activities and keep logs for analysis. --- Conclusion The LLMNR and NBT-NS poisoning lab demonstrates the vulnerabilities associated with these protocols in Windows environments. Understanding how to conduct such attacks, along with their potential impacts, is crucial for implementing effective security measures and protecting sensitive information on the network. Participants will leave with practical knowledge of the techniques and strategies to defend against them.