NBT-NS/LLMNR/MDNS

NetBIOS Name Service (NBT-NS), Link-Local Multicast Name Resolution (LLMNR), and multicast DNS (mDNS) are name resolution protocols that work by broadcasting or multicasting a query on the local subnet, and all three are enabled by default on Windows hosts in an Active Directory environment.

Windows hosts in an Active Directory environment fall back to these protocols when standard DNS resolution fails. When this happens, a Windows system tries them in the following order: mDNS, LLMNR, NBT-NS.

The problem is that these protocols send the query to every host on the local subnet (by multicast or broadcast), so any host on that segment can answer it, and the requester has no way to verify who replied.

For example, suppose we have Host A, Host B, and Bob:

  1. Host A wants to contact Host B but doesn't know where Host B lives, so Host A shouts to the whole subnet: "Where is Host B?"

  2. Bob wants to do bad things, so Bob responds to Host A, claiming that Bob is Host B.

  3. Bob then sends its own queries to find Host B's real IP address, so that Bob knows where to forward Host A's requests.

  4. Bob can then request authentication from Host A on behalf of Host B, and Host A sends its authentication traffic to Bob.

You can see that this puts Bob in an Adversary-in-the-Middle position, able to intercept any traffic of interest, such as authentication traffic carrying password hashes!

Once you have captured this authentication traffic, you have two options: crack the password hash offline, or use it in an SMB relay attack (relaying only succeeds against targets that do not enforce SMB signing).
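The same property that makes poisoning possible also makes it easy to detect: a defender queries for a hostname that cannot exist, and anything that answers is a poisoner. The following Python script is an added example, not part of the original page or of any tool it mentions; it builds an LLMNR canary query, parses any reply, and flags the responder. The "canary-" name prefix, the transaction id handling and the parsing of responses are my own construction; only the multicast group 224.0.0.252, port 5355 and the DNS-shaped message layout come from RFC 4795.

```python
import random, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR IPv4 multicast group and port (RFC 4795)

def encode_name(name: str) -> bytes:
    """Hostname -> DNS-style length-prefixed labels, NUL-terminated."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR query: DNS-shaped header with QR=0, one question for an A record, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def parse_llmnr_response(data: bytes):
    """Return (txid, [IPv4 answers]); the list is empty for anything that is not a response."""
    txid, flags, _qd, an = struct.unpack("!HHHH", data[:8])
    if not flags & 0x8000:                          # QR bit clear: this is a query, not a reply
        return txid, []
    def skip_name(p):                               # step over labels or a 2-byte compression pointer
        while data[p] and data[p] & 0xC0 != 0xC0:
            p += 1 + data[p]
        return p + (2 if data[p] & 0xC0 == 0xC0 else 1)
    pos = skip_name(12) + 4                         # LLMNR carries exactly one question; skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:               # A record
            answers.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return txid, answers

def is_poisoned(txid: int, data: bytes) -> bool:
    rid, answers = parse_llmnr_response(data)       # a reply to our bogus name with an address = poisoner
    return rid == txid and bool(answers)

def probe(timeout: float = 2.0):
    """Send one canary query to the LLMNR group; return [(responder_ip, answers)] (empty is good)."""
    txid, name = random.randrange(0x10000), f"canary-{random.randrange(16 ** 8):08x}"  # constructed name
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    while True:
        try:
            data, (src, _) = sock.recvfrom(1024)
        except socket.timeout:
            return hits
        if is_poisoned(txid, data):
            hits.append((src, parse_llmnr_response(data)[1]))
```

Call probe() from a host on the workstation segment; on a clean subnet it returns an empty list, and any entry names a host answering for a name that does not exist. The same canary idea applies to NBT-NS on UDP 137, which this block does not implement.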

Exploit

Linux (Attacker)
responder -I eth0 [options]

Options:
-w               Start a WPAD rogue proxy server
-d               Inject a WPAD server in the DHCP response
-b               Return a Basic HTTP authentication (allows plaintext credentials)
-F               Force NTLM/Basic authentication when retrieving wpad.dat
--lm             Force LM hashing downgrade for older machines
--disable-ess    Force ESS downgrade
--analyze        Run Responder in analyze mode (listen only, no poisoning)
