Detecting Responder via LLMNR Honey Tasks on User Workstations

3:52 "This is what alot of junior pentesters would do"
I felt that on a personal level ;-;

Love the cyber deception approach! It is missing in today's cyber industry

Thank you ippsec!

Great content my man, always love these videos that aren't just htb boxes. Keep it up!

Quote of the video "Memory of a gold fish".

Excellent!!!

Very nice

I like your style very much

Superb!!

I made a python script and docker image a couple of months back that does something very similar and can write out to a remote syslog server when it detects responder running. It's all open source if anyone is interested, there is a video demo on my youtube.

Was able to copy and paste the Curl command from the WebHooks example page without any syntax errors. Did this from Android Kali Nethunter. So many tid bits of learning! Will start encoding PowerShell commands. Using quotes without encoding is so problematic. Use GPOs to block LLMNR.

Awesome idea! Do you think you'd need to just place this task on different hosts for each VLAN you want to monitor? Some networks can get really segmented with many broadcast domains. LLMNR GPO will prevent the honeypot requests so you'd have to use a non domain joined computer for each vlan?
Also, What do you generally do about mdns requests. Netbios and llmnr are easy to disable domain wide but as far as I know, the only way to prevent mdns poisoning is to implement inbound host based firewall rules. Is there a specific approach you take when defending against mDNS poisoning?

nice..... I noticed how that the Responded already detected dc03 it probably because of the cached (that you entered previously?).

So going back to some of your prior retired CTF boxes on hackthebox. Trying to work through them at times python has to be used but since python3 is now the default, could you go through a video of how to convert a python 2 script to python3?

he is the definition of a cyber guru
i wish i found him earlier thx @ippsec for solid security approach

If Responder is for junior pentesters, what do senior pentesters use?

Hello, do you have a video about cracking hashes?

Hello ippsex, thanks alot fpr what u doin for the community.
Can you build active directory playlist??! From your old videos too, for sake of noob like mehaha.thanks

Resolve-DnsName -LlmnrOnly doesn't work if LLMNR is blocked via GPO (checked in Wireshark).
Great idea though, maybe through a scheduled task we could flip the registry key temporarily until the GPO reapplies the LLMNR block.

To bypass this detection, can the attacker first just sniff the network for such script running (pattern of every few minutes asking to resolve same hostname) and block that ip with ufw?

I would have to whitelist this task, as I have detections on tasks containing powershell with "nop, enc and b64 starting with JAB" ;)

\o/

Brother IppSec, it would be great if you could add a way to read each piece in text! It can help people like me who don't speak English very well to learn and understand. I wish you luck in life.

You are running Windows as Administrator there, right?
I mean, an unpriviledged explorer window doesn't just send the Administrator's hash out to the network - does it?! 😳

IppSec = "I have a memory of a gold fish"
ME = 🥲🙃