Shulou(Shulou.com)05/31 Report--

This article is about how to use LLMNR combined with PDF files to get PC Hashes. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

What is LLMNR?

LLMNR (Link-Local Multicast Name Resolution, Link Local Multicast name Resolution) protocol is based on DNS packet format. It resolves the host name to the IP address of IPv4 and IPv6. This allows users to access specific hosts and services directly using hostnames without having to remember the corresponding IP addresses. This protocol is widely used in Windows Vista/7/8/10 operating system.

The working mechanism of the agreement is very simple. For example, computer An and computer B are in the same local area network. When computer A requests host B, it first sends a UDP packet containing the requested hostname in broadcast form. After receiving the UDP packet, host B sends the response packet of UDP to host An in unicast form. Because the whole process is carried out in the UDP way, host A can not confirm whether the response host B is the host corresponding to the host name, which leads to the possibility of spoofing.

Introduction to the use of LLMNR

In response to this vulnerability, Kali Linux provides Responder tools. This tool can not only sniff all the LLMNR packets in the network and get the information of each host, but also initiate cheating to trick the requesting host into visiting the wrong host. In order to facilitate penetration, the tool can also forge HTTP/s, SMB, SQL Server, FTP, IMAP, POP3 and other services, so as to obtain service authentication information, such as user name and password, by phishing.

Combine PDF to get PC Hashes

Using bad-pdf tools to generate pdf payload, there is no PDF version limit. Download address of the tool:

Https://github.com/deepzec/Bad-Pdf (the use of the tool contains detailed instructions)

The use of local debugging is as follows:

Two mistakes have been reported, as shown in the figure:

The above two mistakes are connected (it took me a long time to find the answer). Let's talk about the idea of troubleshooting. Take a look at the source code. The first thing to call is responder ='/ usr/bin/responder'.

But the responder service certainly exists, but the path does not exist, as shown in the figure:

What comes to mind here is that the responder execution path is not correct? With questions, come up with a solution. Try to build your own directory and see if it can run as shown in the figure:

The path problem is solved, but it shows: Permission denied (permission denied), then add the highest permission to this directory, and the result is as shown in the figure:

Instead of calling responder, I think of running responder alone, as shown in the figure:

Run the generated pdf payload, and finally attack the Hashes using responder and PDF files, as shown in the figure:

In the end, the path is actually changed to: / usr/sbin/responder, those are detours before, a meal of Baidu is as fierce as a tiger, and the actual calling path lacks a letter.

Thank you for reading! On "how to use LLMNR combined with PDF files to get PC Hashes" this article is shared here, I hope the above content can be of some help to you, so that you can learn more knowledge, if you think the article is good, you can share it out for more people to see it!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.