LLMNR and NBT-NS poisoning attack using Metasploit

In this video we will simulate an LLMNR and NBT-NS poisoning attack, collect user password hashes and then crack them. This type of attack is very common during internal penetration testing assessments for the following reasons:

- it works well with any Windows OS version
- it performs well in both wired and wireless internal networks
- it has a good chance of succeeding because LLMNR and NBT-NS (NetBIOS Name Service) queries are enabled by default on Windows hosts; their usage does not require any authentication, and any system on the local network can respond to these queries
- the risk of crashing network hosts or disrupting network user activity is low

The basis for this attack is the way a Windows host performs name resolution; usually the steps below are performed in order until the name is resolved:

1. The hosts file on the local host is checked
2. The local DNS cache is checked
3. A name query is sent to the DNS server
4. An LLMNR query is sent via multicast
5.
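As an added defender-side example (not part of the video or of Metasploit), the check below builds on step 4: LLMNR reuses the DNS message format over UDP 5355, so a monitoring host can multicast a query for a decoy name that exists nowhere on the LAN, and any answer it receives must come from a poisoner. The decoy name `wpad-decoy-7f3a`, the transaction id and the rogue address `10.0.0.66` are constructed values, and the reply packet is built inline so the example runs offline.

```python
import struct

LLMNR_PORT = 5355                # LLMNR: UDP 5355, multicast group 224.0.0.252
DECOY_NAME = "wpad-decoy-7f3a"   # constructed: a name no legitimate host owns

def encode_name(name: str) -> bytes:
    """DNS-style label encoding; LLMNR reuses the DNS message format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard query: flags=0, QDCOUNT=1, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_llmnr_response(query: bytes, answer_ip: str) -> bytes:
    """Constructed sample reply that answers the query's own question with an A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR bit set, ANCOUNT=1
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4)  # name ptr -> offset 12, A, IN, TTL, RDLEN
    return header + query[12:] + rr + bytes(int(o) for o in answer_ip.split("."))

def skip_name(data: bytes, off: int) -> int:
    """Advance past a name given either as labels or as a 2-byte compression pointer."""
    if data[off] & 0xC0 == 0xC0:
        return off + 2
    while data[off] != 0:
        off += data[off] + 1
    return off + 1

def parse_llmnr(data: bytes) -> dict:
    """Return txid, whether the QR bit is set, and all A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4            # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": answers}

def detect_poisoner(query: bytes, reply: bytes) -> list:
    """Addresses claimed for the decoy name; a non-empty list means someone is poisoning LLMNR."""
    q, r = parse_llmnr(query), parse_llmnr(reply)
    if r["is_response"] and r["txid"] == q["txid"]:
        return r["answers"]
    return []

if __name__ == "__main__":
    query = build_llmnr_query(DECOY_NAME, 0x1337)
    rogue = build_llmnr_response(query, "10.0.0.66")   # constructed rogue reply
    print("poisoner candidates:", detect_poisoner(query, rogue))   # → ['10.0.0.66']
```

On a live network the query would be sent to 224.0.0.252:5355 and every reply fed to `detect_poisoner`; a reply to a decoy name is a high-confidence alert regardless of which tool produced it.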