LLMNR Spoofer - Metasploit


This page contains detailed information about how to use the auxiliary/spoof/llmnr/llmnr_response metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: LLMNR Spoofer
Module: auxiliary/spoof/llmnr/llmnr_response
Source code: modules/auxiliary/spoof/llmnr/llmnr_response.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

LLMNR (Link-local Multicast Name Resolution) is the successor of NetBIOS (Windows Vista and up) and is used to resolve the names of neighboring computers. This module forges LLMNR responses by listening for LLMNR requests sent to the LLMNR multicast address (224.0.0.252) and responding with a user-defined spoofed IP address.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/spoof/llmnr/llmnr_response
msf auxiliary(llmnr_response) > show targets
    ... a list of targets ...
msf auxiliary(llmnr_response) > set TARGET target-id
msf auxiliary(llmnr_response) > show options
    ... show and set options ...
msf auxiliary(llmnr_response) > exploit

Go back to menu.

Msfconsole Usage

Here is how the spoof/llmnr/llmnr_response auxiliary module looks in the msfconsole:

msf6 > use auxiliary/spoof/llmnr/llmnr_response

msf6 auxiliary(spoof/llmnr/llmnr_response) > show info

       Name: LLMNR Spoofer
     Module: auxiliary/spoof/llmnr/llmnr_response
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Robin Francois <[email protected]>

Available actions:
  Name     Description
  ----     -----------
  Service  Run LLMNR spoofing service

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  INTERFACE                   no        The name of the interface
  REGEX      .*               yes       Regex applied to the LLMNR Name to determine if spoofed reply is sent
  SPOOFIP                     yes       IP address with which to poison responses
  TIMEOUT    500              yes       The number of seconds to wait for new data
  TTL        30               no        Time To Live for the spoofed response

Description:
  LLMNR (Link-local Multicast Name Resolution) is the successor of 
  NetBIOS (Windows Vista and up) and is used to resolve the names of 
  neighboring computers. This module forges LLMNR responses by 
  listening for LLMNR requests sent to the LLMNR multicast address 
  (224.0.0.252) and responding with a user-defined spoofed IP address.

References:
  http://www.ietf.org/rfc/rfc4795.txt

Module Options

This is a complete list of options available in the spoof/llmnr/llmnr_response auxiliary module:

msf6 auxiliary(spoof/llmnr/llmnr_response) > show options

Module options (auxiliary/spoof/llmnr/llmnr_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      .*               yes       Regex applied to the LLMNR Name to determine if spoofed reply is sent
   SPOOFIP                     yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data
   TTL        30               no        Time To Live for the spoofed response

Auxiliary action:

   Name     Description
   ----     -----------
   Service  Run LLMNR spoofing service

Advanced Options

Here is a complete list of advanced options supported by the spoof/llmnr/llmnr_response auxiliary module:

msf6 auxiliary(spoof/llmnr/llmnr_response) > show advanced

Module advanced options (auxiliary/spoof/llmnr/llmnr_response):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GATEWAY_PROBE_HOST  8.8.8.8          yes       Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC
   GATEWAY_PROBE_PORT                   no        The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)
   SECRET              1297303073       yes       A 32-bit cookie for probe requests.
   VERBOSE             false            no        Enable detailed status messages
   WORKSPACE                            no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the spoof/llmnr/llmnr_response module can do:

msf6 auxiliary(spoof/llmnr/llmnr_response) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Service  Run LLMNR spoofing service

Evasion Options

Here is the full list of possible evasion options supported by the spoof/llmnr/llmnr_response auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(spoof/llmnr/llmnr_response) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<VALUE> llmnr - <NAME> did not match REGEX "<REGEX>"

Here is a relevant code snippet related to the "<VALUE> llmnr - <NAME> did not match REGEX "<REGEX>"" error message:

68:	    dns_pkt.header.qr = 1
69:	
70:	    dns_pkt.question.each do |question|
71:	      name = question.qName
72:	      unless name =~ /#{datastore['REGEX']}/i
73:	        vprint_status("#{rhost.to_s.ljust 16} llmnr - #{name} did not match REGEX \"#{datastore['REGEX']}\"")
74:	        next
75:	      end
76:	
77:	      if should_print_reply?(name)
78:	        print_good("#{rhost.to_s.ljust 16} llmnr - #{name} matches regex, responding with #{datastore['SPOOFIP']}")

<VALUE> llmnr - Unknown RR type (<QUESTION.QTYPE.TO_I>), this shouldn't happen. Skipping

Here is a relevant code snippet related to the "<VALUE> llmnr - Unknown RR type (<QUESTION.QTYPE.TO_I>), this shouldn't happen. Skipping" error message:

115:	        )
116:	      when ::Net::DNS::PTR
117:	        # Sometimes PTR queries are received. We will silently ignore them.
118:	        next
119:	      else
120:	        print_warning("#{rhost.to_s.ljust 16} llmnr - Unknown RR type (#{question.qType.to_i}), this shouldn't happen. Skipping")
121:	        next
122:	      end
123:	    end
124:	
125:	    # If we didn't find anything we want to spoof, don't send any

IP version is not 4 or 6. Failed to parse?

Here is a relevant code snippet related to the "IP version is not 4 or 6. Failed to parse?" error message:

146:	        :ip_proto => 0x11, # UDP
147:	        :body => udp
148:	      )
149:	    else
150:	      # Should never get here
151:	      print_error("IP version is not 4 or 6. Failed to parse?")
152:	      return
153:	    end
154:	    ip_pkt.recalc
155:	
156:	    capture_sendto(ip_pkt, rhost.to_s, true)

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • Robin Francois <rof[at]navixia.com>

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.