What is Vindicate?
Vindicate is a tool which detects name service spoofing, a technique network attackers often use to steal credentials (e.g. Windows Active Directory passwords) from users. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers, whilst avoiding false positives. This allows a Blue Team to quickly detect and isolate attackers on their network. It writes to the Windows event log to integrate quickly with an Active Directory network, or its output can be piped to a log file for other systems.
There’s a diagram explaining spoofing attacks and how Vindicate works on the wiki.
Requires .NET Framework 4.5.2
What is LLMNR/NBNS/mDNS spoofing and why do I need to detect it?
+ pentest.blog: What is LLMNR & WPAD and How to Abuse Them During Pentest ?
+ Aptive Consulting: LLMNR / NBT-NS Spoofing Attack Network Penetration Testing
+ GracefulSecurity: Stealing Accounts: LLMNR and NBT-NS Spoofing
Attackers might be stealing all sorts of credentials on your network (everything from Active Directory credentials to personal email accounts to database passwords) from right under your nose and you may be completely unaware it’s happening.
– By default, Vindicate uses lookup names that shouldn't exist in any network but look semi-realistic to an attacker who might be watching, to avoid false positives where you have real services that rely on these name lookups. If systems with those names really do exist on your network, Vindicate will give false positives.
– Due to the above, Vindicate works best with custom flags that are tuned to your environment. Use -h to get help.
– As Vindicate uses a partial custom name service implementation written in .NET, it works even if multicast resolution is disabled on the client.
– Vindicate currently mostly relies on getting a WPAD response, with the SMB detection being very basic (it just checks if an SMB port is in use). If Vindicate is adopted and used I’ll write an SMB client to properly verify SMB servers and increase Vindicate’s confidence in its detection.
– Vindicate can detect mDNS spoofing (often associated with Mac OS), but this detection won't work on Windows if multicast resolution is enabled, as a required port is in use by the operating system. Consider disabling it for security reasons anyway (and restart the DNS service to apply the change).
– Vindicate does not require administrative permissions to run and is sad if you run it with high privileges.
– Vindicate can send false credentials to an attacker to frustrate their movements. Check out the -u, -p, and -d flags.
– Vindicate has been written with cross-platform use in mind, but has not been tested for this purpose yet. If this is desired, let me know with an issue and your platform.
Use and Download:
git clone https://github.com/Rushyo/VindicateTool && cd VindicateTool