Tag: LLMNR-Poisoning | Yw4rf

2025-02-17

Network Forensics of LLMNR/NBT-NS Poisoning Attacks

Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.

CyberDefenders Network-Forensics SOC Wireshark LLMNR-Poisoning NBT-NS-Poisoning Man-in-the-Middle Credential-Theft SMB-Authentication NTLM
2025-01-26

Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking

Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.

HackTheBox Sherlocks Threat-Hunting SOC Wireshark LLMNR-Poisoning Responder NTLMv2 Hashcat Windows-Forensics