Vindicate

An LLMNR/NBNS/mDNS Spoofing Detection Toolkit for network administrators

What is Vindicate?

Vindicate is a tool which detects name service spoofing, often used by IT network attackers to steal credentials (e.g. Windows Active Directory passwords) from users. It's designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit's LLMNR, NBNS, and mDNS spoofers, whilst avoiding false positives. This can allow a Blue Team to quickly detect and isolate attackers on their network. It takes advantage of the Windows event log to quickly integrate with an Active Directory network, or its output can be piped to a log for other systems.

There's a diagram explaining spoofing attacks and how Vindicate works on the wiki.

Requires .NET Framework 4.5.2

What is LLMNR/NBNS/mDNS spoofing and why do I need to detect it?

TL;DR - Attackers might be stealing all sorts of credentials on your network (everything from Active Directory credentials to personal email accounts to database passwords) from right under your nose and you may be completely unaware it's happening.

Licensing

Vindicate is copyright Danny 'Rushyo' Moules and provided under a GPLv3 license without warranty. See LICENSE.

Quick Start

Download VindicateTool.

Open a non-elevated command prompt or PowerShell prompt, change into the ReleaseBinaries sub-folder, and type:

./VindicateCLI.exe

Vindicate will now search for LLMNR/NBNS/mDNS spoofing and report back.

If you see nothing happening, try using the -v flag to get more verbose output on what Vindicate is doing.

If there is spoofing going on, you may see something like this:

Received mDNS response from 192.168.1.24 claiming 192.168.1.24
Spoofing confidence level adjusted to Medium
Received LLMNR response from 192.168.1.24 claiming 192.168.1.24
Received NBNS response from 192.168.1.24 claiming 192.168.1.24
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Spoofing confidence level adjusted to Certain
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24
Detected service on SMB TCP port at 192.168.1.24

This indicates an ongoing attack (in this case, Responder running with defaults).
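Because the README says the CLI output can be piped to a log for other systems, the following is an added example (not part of Vindicate) that turns those console lines into one summary object per reporting address, so a log collector or an on-call analyst sees protocols, services and the last confidence level at a glance. The line formats are taken from the sample output above; the starting confidence level is an assumption, since the CLI only prints adjustments.

```powershell
# Added example, not part of Vindicate: summarise VindicateCLI console lines per reporting address.
function ConvertFrom-VindicateOutput {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        $confidence = 'Unknown'   # assumption: the CLI only prints adjustments, not the initial level
        $sources = [ordered]@{}   # reporting address -> evidence seen for it
        function Get-Entry([string]$Source) {
            if (-not $sources.Contains($Source)) {
                $sources[$Source] = [pscustomobject]@{ Source = $Source; Protocols = @(); Services = @() }
            }
            $sources[$Source]
        }
    }
    process {
        # Patterns follow the CLI lines shown in the README; $Matches is set by switch -Regex
        switch -Regex ($Line.Trim()) {
            '^Received (\w+) response from (\S+) claiming (\S+)$' {
                $e = Get-Entry $Matches[2]
                $e.Protocols += $Matches[1]          # mDNS / LLMNR / NBNS
            }
            '^Spoofing confidence level adjusted to (\w+)$' {
                $confidence = $Matches[1]
            }
            '^Detected active WPAD service at (\S+)' {
                $e = Get-Entry $Matches[1]
                $e.Services += 'WPAD'
            }
            '^Detected service on SMB TCP port at (\S+)$' {
                $e = Get-Entry $Matches[1]
                $e.Services += 'SMB'
            }
        }
    }
    end {
        foreach ($e in $sources.Values) {
            [pscustomobject]@{
                Source     = $e.Source
                Protocols  = ($e.Protocols | Sort-Object -Unique) -join ','
                Services   = ($e.Services  | Sort-Object -Unique) -join ','
                Confidence = $confidence
            }
        }
    }
}

# Constructed input: the sample lines from the README. In practice redirect the CLI's
# output to a file and feed it in with Get-Content -Wait.
$sample = @(
    'Received mDNS response from 192.168.1.24 claiming 192.168.1.24'
    'Spoofing confidence level adjusted to Medium'
    'Received LLMNR response from 192.168.1.24 claiming 192.168.1.24'
    'Received NBNS response from 192.168.1.24 claiming 192.168.1.24'
    'Detected active WPAD service at 192.168.1.24 claiming HTTP Code OK'
    'Spoofing confidence level adjusted to Certain'
    'Detected service on SMB TCP port at 192.168.1.24'
)
$sample | ConvertFrom-VindicateOutput | Format-Table -AutoSize
```

Each reporting address gets a single row, so repeated WPAD and SMB detections (as in the sample, where Responder keeps answering) collapse into one entry rather than flooding the downstream log.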

Use ESC to close the application.

Get more info

Use -v with VindicateCLI to get more verbose output.

Setting the right IP address

Vindicate will try to auto-detect your IP address. If you have multiple network interfaces, this might provide an address on the wrong network. If so, use -a to enter the IP address you'd like to use.

Enabling event log reporting

Open an elevated (Administrator) PowerShell prompt and type the following:

New-EventLog -Source "VindicateCLI" -LogName "Vindicate"

Run the CLI app with -e to enable event logging. The service uses the Windows Event Log (or Mono equivalent) automatically.

Event logs are stored under Applications and Services Log\Vindicate.
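Once -e is on, the events land in the Vindicate log, and the natural next step is to read them back and hand them to another system. The following is an added example (not Vindicate's own code): it reads the log named in the README, exports the entries as JSON, and counts which addresses the event messages mention. The export path is a constructed placeholder, and no event ID filter is applied because the IDs are listed on the project wiki, not here.

```powershell
# Added example, not part of Vindicate: export the Vindicate event log and list reported addresses.
function Export-VindicateEvents {
    param(
        [string]$LogName    = 'Vindicate',                         # log name from the README
        [int]$MaxEvents     = 200,
        [string]$ExportPath = "$env:TEMP\vindicate-events.json"   # constructed placeholder path
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No events in log '$LogName'. Was New-EventLog run, and is Vindicate running with event logging?"
        return
    }

    # Flat JSON records are easy for a collector to ingest
    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        ConvertTo-Json -Depth 2 |
        Set-Content -Path $ExportPath -Encoding UTF8

    # Addresses mentioned in event messages, most frequent first: a quick "who is answering" view
    $ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $events |
        ForEach-Object { [regex]::Matches($_.Message, $ipPattern) | ForEach-Object Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Address'; e = { $_.Name } }, Count
}

Export-VindicateEvents
```

Get-WinEvent also accepts -ComputerName, so the same function can be pointed at several hosts running the Vindicate service from one collection box.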

Service Installation

Run from an elevated PowerShell prompt (changing FULL\PATH\TO\ and ARGSHERE as appropriate):

New-EventLog -Source "VindicateService" -LogName "Vindicate"
sc.exe create "VindicateService" DisplayName="Vindicate" start=auto binPath="FULL\PATH\TO\ReleaseBinaries\VindicateService.exe ARGSHERE" obj="NT Authority\NetworkService"
sc.exe start "VindicateService"

The service supports all flags the CLI app does except -e (event logs are always enabled). Don't forget to update the local firewall!
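The three commands above do the job, but an installer that is run more than once benefits from a few checks. The following is an added example (not the project's own installer) that wraps them: it verifies the binary exists, confirms the address passed with -a is actually assigned to a local interface (see "Setting the right IP address"), creates the event source only if it is missing, and skips creation when the service already exists. The binary path and the -a address are constructed placeholders.

```powershell
# Added example, not part of Vindicate: the README's service installation with sanity checks.
# Run from an elevated PowerShell prompt.
$binaryPath  = 'C:\Tools\Vindicate\ReleaseBinaries\VindicateService.exe'   # constructed; use a path without spaces
$listenIp    = '192.168.1.10'                                               # constructed; the address Vindicate should use
$serviceArgs = "-a $listenIp"                                                # any CLI flag except -e

if (-not (Test-Path $binaryPath)) { throw "VindicateService.exe not found at $binaryPath" }

# -a must name an address this host actually has, or the service listens on the wrong network
if ($listenIp -notin (Get-NetIPAddress -AddressFamily IPv4).IPAddress) {
    throw "$listenIp is not assigned to a local interface; pick one from Get-NetIPAddress"
}

# The event source must exist before the service writes its first event
if (-not [System.Diagnostics.EventLog]::SourceExists('VindicateService')) {
    New-EventLog -Source 'VindicateService' -LogName 'Vindicate'
}

if (-not (Get-Service -Name 'VindicateService' -ErrorAction SilentlyContinue)) {
    # sc.exe (not the sc alias for Set-Content) wants a space after each "key="
    sc.exe create 'VindicateService' DisplayName= 'Vindicate' start= auto binPath= "$binaryPath $serviceArgs" obj= 'NT Authority\NetworkService'
    if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed with exit code $LASTEXITCODE" }
}

sc.exe start 'VindicateService'
Start-Sleep -Seconds 3
(Get-Service -Name 'VindicateService').Status   # should report Running

# Remember the README's reminder: open the ports from the Firewall Configuration section for the service
```

Running the script a second time only restarts the service; the event source and service creation steps are skipped once they have been done.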

Useful Stuff

Build prerequisites

Requires .NET Framework 4.5.2 and Visual Studio 2015 or higher to build. Pre-compiled binaries are available under ReleaseBinaries.

Firewall Configuration

Inbound:

Outbound:

*Ephemeral ports. Given values assume Windows Vista+

Important Event IDs

A full list can be found on the wiki.

Notes