Tips
- If SMB signing is enabled on the target server, a captured hash cannot be used to log in immediately via a relay attack; in that case the hash has to be cracked.
Definition
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.
- If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR.
- LLMNR is based upon the DNS format and allows hosts on the same local link to perform name resolution for other hosts. It uses port 5355 over UDP natively.
- If LLMNR fails, the NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS utilizes port 137 over UDP.
Example
- A host attempts to connect to the print server at \\print01.inlanefreight.local but accidentally types in \\printer01.inlanefreight.local.
- The DNS server responds, stating that this host is unknown.
- The host then broadcasts out to the entire local network asking if anyone knows the location of \\printer01.inlanefreight.local.
- The attacker (me with Responder running) responds to the host stating that it is the \\printer01.inlanefreight.local that the host is looking for.
- The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash.
- This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist.
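The definition above says LLMNR reuses the DNS wire format on UDP 5355, and the example shows the poisoning pattern: one host answering name queries it has no business answering. The following added Python script (not part of the original notes, not Responder or Inveigh code) builds a few constructed LLMNR packets in that format, parses the question section back out, and applies the detection heuristic a defender would run over captured traffic: a source address that answers many distinct LLMNR names is behaving like a poisoner, since a legitimate host answers only for its own name. The packet contents, IP addresses and the threshold of three names are all assumptions made up for the example.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355  # LLMNR runs over UDP 5355, as stated in the definition above


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr(txid: int, name: str, response: bool = False, answer_ip: str = "0.0.0.0") -> bytes:
    """Construct an LLMNR query (or response) packet. Constructed test data, not a capture."""
    flags = 0x8000 if response else 0x0000          # QR bit set on responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    packet = header + question
    if response:
        # Single A record: compression pointer to the question name, TTL 30, 4-byte RDATA
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        packet += struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + rdata
    return packet


def parse_llmnr(payload: bytes) -> dict:
    """Parse the LLMNR header and the first question; the format is the DNS format."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    pos = 12
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name is not expected")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "name": ".".join(labels).lower(),
        "qtype": qtype,
        "qclass": qclass,
        "answers": ancount,
    }


def find_promiscuous_responders(packets, min_names: int = 3) -> dict:
    """Flag source IPs that answered at least min_names distinct LLMNR names.

    packets: iterable of (src_ip, udp_dst_port, payload). A host answering for
    many different names is the signature of an LLMNR poisoner.
    """
    answered = defaultdict(set)
    for src_ip, dst_port, payload in packets:
        if dst_port != LLMNR_PORT and len(payload) < 12:
            continue
        try:
            msg = parse_llmnr(payload)
        except (ValueError, struct.error, IndexError):
            continue                      # malformed or not LLMNR; ignore
        if msg["is_response"]:
            answered[src_ip].add(msg["name"])
    return {ip: sorted(names) for ip, names in answered.items() if len(names) >= min_names}


def sample_capture():
    """Constructed traffic: one victim querying mistyped names, one host answering all of them."""
    names = ["printer01.inlanefreight.local", "fs02.inlanefreight.local", "nas.inlanefreight.local"]
    pkts = []
    for i, n in enumerate(names):
        pkts.append(("10.0.0.20", LLMNR_PORT, build_llmnr(0x1000 + i, n)))                  # victim query
        pkts.append(("10.0.0.66", 51000 + i, build_llmnr(0x1000 + i, n, True, "10.0.0.66")))  # poisoner reply
    # A legitimate host answering only for its own name does not trip the heuristic
    pkts.append(("10.0.0.20", LLMNR_PORT, build_llmnr(0x2000, "desk31.inlanefreight.local")))
    pkts.append(("10.0.0.31", 51100, build_llmnr(0x2000, "desk31.inlanefreight.local", True, "10.0.0.31")))
    return pkts


if __name__ == "__main__":
    for ip, names in find_promiscuous_responders(sample_capture()).items():
        print(f"suspected LLMNR poisoner {ip} answered for: {', '.join(names)}")
```

Running the script reports 10.0.0.66 as the suspected poisoner because it answered for three unrelated names, while 10.0.0.31 is not reported. Real captures would feed `find_promiscuous_responders` with payloads of UDP packets whose destination or source port is 5355; the same heuristic applies to NBT-NS on UDP 137, but that format differs and is not parsed here.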
Tools
- Responder
- Inveigh
- Metasploit
Eliciting hashes from a Windows target