Scenario

The IDS device alerted us to a possible rogue device in the internal Active Directory network. The Intrusion Detection System also indicated signs of LLMNR traffic, which is unusual. It is suspected that an LLMNR poisoning attack occurred. The LLMNR traffic was directed towards Forela-WKstn002, which has the IP address 172.17.79.136. A limited packet capture from the surrounding time is provided to you, our Network Forensics expert. Since this occurred in the Active Directory VLAN, it is suggested that we perform network threat hunting with the Active Directory attack vector in mind, specifically focusing on LLMNR poisoning.

https://app.hackthebox.com/sherlocks/747


LLMNR Poisoning Overview

Example of LLMNR poisoning: when DNS cannot resolve a name, the Windows client falls back to a multicast LLMNR query (UDP 5355 to 224.0.0.252) that every host on the subnet can see; a rogue host running Responder answers with its own IP address, so the client connects to the attacker and leaks its NetNTLM credentials.


1- It is suspected by the security team that there was a rogue device in Forela's internal network running the Responder tool to perform an LLMNR poisoning attack. Please find the malicious IP address of the machine.

172.17.79.135


From the scenario we know this is an LLMNR poisoning case, so we filter on the LLMNR port (udp.port == 5355; the queries from the victim go to the multicast address 224.0.0.252). A single host, 172.17.79.135, answers the victim's queries, and that host is not the domain controller.

The domain controller is 172.17.79.4; we know that from the DNS traffic, since the workstation sends its DNS queries there. LLMNR is only used after DNS has failed, so a host that answers every LLMNR query with its own address is the poisoner.
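The check described above, written out as an added example (this is not code from the Sherlock or from Responder): a stdlib-only parser for the DNS-shaped LLMNR message, applied to a constructed packet list that stands in for the udp.port == 5355 filter. Only the victim 172.17.79.136 and the rogue host 172.17.79.135 come from the write-up; the queried names, transaction IDs and the benign host 172.17.79.130 are made up. The heuristic is the one used in the hunt: a real host only ever answers LLMNR for its own name, while a Responder-style poisoner answers every name it sees with its own address.

```python
"""Added example: hunt for an LLMNR poisoner in UDP/5355 traffic with the Python stdlib only."""
import struct
from collections import defaultdict

LLMNR_PORT = 5355            # LLMNR runs over UDP/5355 (RFC 4795)
LLMNR_MCAST = "224.0.0.252"  # IPv4 multicast group that queries are sent to


def encode_name(name):
    """Encode a dotted name as DNS-style length-prefixed labels."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def decode_name(buf, off):
    """Decode labels at buf[off:]; handles RFC 1035 compression pointers. Returns (name, new_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def parse_llmnr(payload):
    """Parse the DNS-shaped LLMNR header, the question section and any A answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = decode_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"id": tid, "is_response": bool(flags & 0x8000),   # QR bit is the MSB of flags
            "questions": questions, "answers": answers}


def build_query(tid, name):
    return struct.pack("!6H", tid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(tid, name, ip):
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    a = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", tid, 0x8000, 1, 1, 0, 0) + q + a


# Constructed sample capture: (src_ip, dst_ip, udp_payload). Only 172.17.79.136 (victim) and
# 172.17.79.135 (rogue host) come from the write-up; names, IDs and 172.17.79.130 are invented.
PACKETS = [
    ("172.17.79.136", LLMNR_MCAST, build_query(0x1A2B, "fileshare01")),
    ("172.17.79.135", "172.17.79.136", build_response(0x1A2B, "fileshare01", "172.17.79.135")),
    ("172.17.79.136", LLMNR_MCAST, build_query(0x3C4D, "wpad")),
    ("172.17.79.135", "172.17.79.136", build_response(0x3C4D, "wpad", "172.17.79.135")),
    ("172.17.79.136", LLMNR_MCAST, build_query(0x5E6F, "forela-wkstn001")),
    ("172.17.79.130", "172.17.79.136", build_response(0x5E6F, "forela-wkstn001", "172.17.79.130")),
]


def find_poisoners(packets, min_names=2):
    """Pair each response with the query it answers (transaction ID + querier) and return
    {responder_ip: [names]} for hosts that answered >= min_names distinct names."""
    pending = {}                 # (txid, querier_ip) -> name that was asked
    answered = defaultdict(set)  # responder_ip -> names it claimed to own
    for src, dst, payload in packets:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            for name, _ in msg["questions"]:
                pending[(msg["id"], src)] = name.lower()
            continue
        asked = pending.get((msg["id"], dst))
        for name, _rtype, _rdata in msg["answers"]:
            if asked is not None and name.lower() == asked:
                answered[src].add(name.lower())
    return {ip: sorted(names) for ip, names in answered.items() if len(names) >= min_names}


if __name__ == "__main__":
    for ip, names in find_poisoners(PACKETS).items():
        print(f"suspected LLMNR poisoner {ip}: answered {names}")
```

On a real capture you would feed the parser the UDP payloads that Wireshark shows under udp.port == 5355; the benign host 172.17.79.130 answers only its own name and is not flagged, while 172.17.79.135 is flagged for answering two unrelated names.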

2- What is the hostname of the rogue machine?

kali


To find the hostname we filter on that IP together with DHCP (ip.addr == 172.17.79.135 && dhcp; older Wireshark versions call the protocol bootp). The DHCP Request from the rogue machine carries its hostname in option 12 (Host Name), which is "kali".
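The same lookup done programmatically, as an added example that is not part of the original write-up: a minimal DHCP option parser run over a constructed packet list. The addresses 172.17.79.135 (rogue host) and 172.17.79.136 (victim) come from the write-up; the MAC addresses, transaction ID and the use of 172.17.79.4 as the DHCP server are assumptions made for the sample. During a fresh lease the client still sends from 0.0.0.0, so the IP is taken from option 50 (Requested IP Address) in that case and from the source address on a renewal.

```python
"""Added example: recover a host's DHCP-advertised hostname (option 12) from its DHCP traffic."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options field (RFC 2131)
OPT_PAD, OPT_HOSTNAME, OPT_REQ_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, REQUEST, ACK = 1, 3, 5


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_dhcp(op, msg_type, mac, hostname=None, requested_ip=None, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP message for the constructed sample (xid is invented)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if hostname:
        opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    if requested_ip:
        opts += bytes([OPT_REQ_IP, 4]) + ip_bytes(requested_ip)
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Return (op, yiaddr, {option_code: raw_value}) or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op = payload[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, yiaddr, opts


def hostnames_by_ip(packets):
    """packets: (src_ip, dst_ip, udp_payload). Map client IP -> hostname from option 12.
    Only client messages (BOOTREQUEST) carry the client's own name; the IP is the source
    address on a renewal, or option 50 while the client is still at 0.0.0.0."""
    names = {}
    for src, _dst, payload in packets:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, _yiaddr, opts = parsed
        if op != BOOTREQUEST or OPT_HOSTNAME not in opts:
            continue
        ip = src
        if src == "0.0.0.0":
            if OPT_REQ_IP not in opts:
                continue            # DISCOVER without a requested address: no IP to attribute
            ip = ".".join(str(b) for b in opts[OPT_REQ_IP])
        names[ip] = opts[OPT_HOSTNAME].decode(errors="replace")
    return names


# Constructed sample: (src_ip, dst_ip, udp_payload). MACs and the DHCP server 172.17.79.4 are assumed.
ROGUE_MAC = b"\x00\x0c\x29\x11\x22\x33"
VICTIM_MAC = b"\x00\x50\x56\xaa\xbb\xcc"
PACKETS = [
    ("0.0.0.0", "255.255.255.255", build_dhcp(BOOTREQUEST, DISCOVER, ROGUE_MAC, "kali")),
    ("0.0.0.0", "255.255.255.255", build_dhcp(BOOTREQUEST, REQUEST, ROGUE_MAC, "kali",
                                              requested_ip="172.17.79.135")),
    ("172.17.79.4", "172.17.79.135", build_dhcp(BOOTREPLY, ACK, ROGUE_MAC, yiaddr="172.17.79.135")),
    ("172.17.79.136", "172.17.79.4", build_dhcp(BOOTREQUEST, REQUEST, VICTIM_MAC, "Forela-WKstn002")),
]


if __name__ == "__main__":
    print(hostnames_by_ip(PACKETS).get("172.17.79.135"))
```

The parser only reads the options the hunt needs; in Wireshark the equivalent is expanding Option (12) Host Name in the DHCP Request after applying ip.addr == 172.17.79.135 && dhcp.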