Introduction

In this lab, we delve into a simulated network security incident involving poisoned credentials, where attackers exploit weaknesses in the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) protocols. Both are fallback name-resolution mechanisms for local networks: when DNS fails to resolve a name (often because a user mistyped a share or host name), a Windows host asks the whole segment, LLMNR via multicast and NBT-NS via broadcast. Any host on the segment may answer, and neither protocol authenticates the response, so the first reply wins. An attacker who answers every such query with their own address redirects the victim's connection to themselves; the victim then attempts to authenticate (typically over SMB with NTLM), handing the attacker a challenge-response hash that can be cracked offline or relayed. This is the classic man-in-the-middle route to harvesting user credentials on a Windows network.

The scenario begins with a surge in suspicious network activity detected by the organization's security team. Initial analysis indicates poisoning attacks against LLMNR and NBT-NS used to intercept and manipulate legitimate name-resolution traffic. Using Wireshark, we analyze the captured traffic to identify the rogue machine, establish the scope of the attack, and track the compromised accounts and systems.

Throughout this walkthrough, we methodically investigate key aspects of the attack, including identifying poisoned queries, tracing the attacker’s IP address, and analyzing SMB authentication attempts. The goal is to provide a comprehensive understanding of how such attacks unfold, equip you with the skills to detect similar incidents in real-world scenarios, and emphasize the importance of securing vulnerable network protocols to protect critical resources and user credentials.
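The core detection idea in this walkthrough is simple: a legitimate host only answers LLMNR queries for its own name, while a poisoner answers for every name it sees. The following is an added example (not part of the original lab or its tooling) that builds a handful of constructed LLMNR messages in DNS wire format, parses them, and flags any responder that claims two or more distinct names. All IP addresses, host names, ports and transaction IDs below are invented for the example; in the lab you would obtain the same fields from the Wireshark `llmnr` dissector rather than from hand-built bytes.

```python
import struct
from collections import defaultdict

LLMNR_PORT = 5355          # LLMNR always uses UDP/5355 on at least one side
LLMNR_MCAST = "224.0.0.252"  # IPv4 multicast group queries are sent to


def encode_name(name):
    """Encode a host name as DNS-style length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode labels starting at off; returns (name, new_offset). No compression pointers (LLMNR rarely uses them)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_llmnr(txid, name, answer_ip=None):
    """Build a constructed LLMNR message: a query if answer_ip is None, otherwise a response with one A record."""
    flags = 0x8000 if answer_ip else 0x0000          # QR bit marks a response
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)   # header: id, flags, qd, an, ns, ar
    msg += encode_name(name) + struct.pack("!HH", 1, 1)           # question: QTYPE=A, QCLASS=IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata  # A record, TTL 30
    return msg


def parse_llmnr(payload):
    """Parse the header, first question and any A-record answers of an LLMNR message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", payload, 0)
    off = 12
    qname, off = decode_name(payload, off)
    off += 4                                          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _aname, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def find_poisoners(packets, min_names=2):
    """Return {responder_ip: sorted names} for hosts answering LLMNR for min_names or more distinct names.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload). Responses are sent back to the
    querier's ephemeral port, so LLMNR traffic is matched on either port being 5355, not only the destination.
    """
    names_by_responder = defaultdict(set)
    for src, sport, _dst, dport, payload in packets:
        if LLMNR_PORT not in (sport, dport):
            continue
        msg = parse_llmnr(payload)
        if msg["response"]:
            names_by_responder[src].add(msg["qname"].lower())
    return {ip: sorted(names) for ip, names in names_by_responder.items() if len(names) >= min_names}


# Constructed capture: two victims mistype names, 10.0.0.99 answers both with itself;
# 10.0.0.30 legitimately answers only for its own name FILESRV01.
SAMPLE_PACKETS = [
    ("10.0.0.20", 49152, LLMNR_MCAST, LLMNR_PORT, build_llmnr(0x1001, "fileshre01")),
    ("10.0.0.99", LLMNR_PORT, "10.0.0.20", 49152, build_llmnr(0x1001, "fileshre01", "10.0.0.99")),
    ("10.0.0.21", 49153, LLMNR_MCAST, LLMNR_PORT, build_llmnr(0x1002, "wpad")),
    ("10.0.0.99", LLMNR_PORT, "10.0.0.21", 49153, build_llmnr(0x1002, "wpad", "10.0.0.99")),
    ("10.0.0.22", 49154, LLMNR_MCAST, LLMNR_PORT, build_llmnr(0x1003, "filesrv01")),
    ("10.0.0.30", LLMNR_PORT, "10.0.0.22", 49154, build_llmnr(0x1003, "filesrv01", "10.0.0.30")),
]

if __name__ == "__main__":
    print(find_poisoners(SAMPLE_PACKETS))   # flags 10.0.0.99 for fileshre01 and wpad
```

In Wireshark the equivalent triage is the display filter `llmnr || nbns`, sorted by source address: the host that shows up as the responder for many different queried names is the rogue machine, and the SMB sessions it subsequently receives (filter `ntlmssp`) are where the captured credentials are.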
