Get all NetNTLM Hashes via Different zero-click Methodologies from LLMNR Poisoning
After finding shared folders on the network with "write" permissions, the zero-click LLMNR poisoning file(s) are copied into those shares. The NetNTLM hashes of every user who opens one of those shared folders can then be captured.
There is a TR blog post for this zero-click LLMNR poisoning methodology.
Download the NTLM-Dementor-LNK.ps1 file and change the AttackerIP value. Then execute the PowerShell script:
.\NTLM-Dementor-LNK.ps1
Download the NTLM-Dementor-searchConnector-ms.txt file and rename it so that it has the .searchConnector-ms extension:
rename NTLM-Dementor-searchConnector-ms.txt .NTLM-Dementor.searchConnector-ms
Download the NTLM-Dementor-library-ms.txt file and rename it so that it has the .library-ms extension:
rename NTLM-Dementor-library-ms.txt .NTLM-Dementor.library-ms
Download the NTLM-Dementor-URL.txt file and rename it so that it has the .url extension:
rename NTLM-Dementor-URL.txt .NTLM-Dementor.url
Download the NTLM-Dementor-SCF.txt file and rename it so that it has the .scf extension:
rename NTLM-Dementor-SCF.txt .NTLM-Dementor.scf
Mitigations:
- Disable LLMNR & NBT-NS
- Enforce SMB signing
- Restrict file share permissions (remove "write" access where it is not needed)
- Set DisableThumbnailsOnNetworkFolders and DisableThumbnails via GPO
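As an added defensive example (not part of this project), the scanner below walks a share for the shortcut/connector file types used above and flags any file whose contents reference a UNC host outside an allow-list of known file servers; the allow-list and the sample files are constructed assumptions.

```python
"""Scan a file share for planted shortcut/connector files that point at an
unexpected UNC host. Added detection example; not part of NTLM-Dementor."""
import re
from pathlib import Path

# File types Explorer resolves automatically when a folder is opened
# (the types this page uses, plus .lnk written by the PowerShell script).
SUSPECT_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".searchconnector-ms"}

# A UNC reference: two backslashes, a host name or IP, then a backslash.
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\")


def unc_hosts(data: bytes) -> set[str]:
    """Extract UNC host names from raw file bytes.

    Text formats (.scf, .url, .library-ms, .searchConnector-ms) are read as
    8-bit text; .lnk stores its paths as UTF-16LE, so both views are searched.
    """
    views = [data.decode("latin-1")]
    views.append(data[: len(data) // 2 * 2].decode("utf-16-le", errors="ignore"))
    return {m.group(1).lower() for view in views for m in UNC_HOST.finditer(view)}


def scan_share(root: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (relative_path, host) pairs for suspect files whose UNC host is
    not in allowed_hosts (the organisation's known file/icon servers)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        for host in sorted(unc_hosts(path.read_bytes())):
            if host not in allowed:
                findings.append((str(path.relative_to(root)), host))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan_share.py <share_root> <allowed_host> [<allowed_host> ...]
    for rel, host in scan_share(sys.argv[1], set(sys.argv[2:])):
        print(f"SUSPECT {rel}: references \\\\{host}\\ (not an approved server)")
```

Run it periodically (or from a file-change watcher) against every share that allows write access, and treat any hit as a candidate for immediate quarantine and incident triage.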