{"id":13826964,"url":"https://github.com/rushyo/vindicatetool","last_synced_at":"2026-01-16T08:37:19.487Z","repository":{"id":46104118,"uuid":"113677123","full_name":"Rushyo/VindicateTool","owner":"Rushyo","description":"LLMNR/NBNS/mDNS Spoofing Detection Toolkit","archived":false,"fork":false,"pushed_at":"2022-04-03T14:34:47.000Z","size":186,"stargazers_count":57,"open_issues_count":4,"forks_count":8,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-10-26T11:31:48.911Z","etag":null,"topics":["blue-team","detection","dotnet","honeypot","infosec","inveigh","llmnr","mdns","nbn","netbios","netbiosns","responder","security","spoofing","wpad"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Rushyo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-09T14:51:46.000Z","updated_at":"2024-10-14T12:35:06.000Z","dependencies_parsed_at":"2022-07-19T15:04:32.220Z","dependency_job_id":null,"html_url":"https://github.com/Rushyo/VindicateTool","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rushyo%2FVindicateTool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rushyo%2FVindicateTool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rushyo%2FVindicateTool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rushyo%2FVindicateTool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Rushyo","download_url":"https://codeload.
github.com/Rushyo/VindicateTool/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225481113,"owners_count":17481155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","detection","dotnet","honeypot","infosec","inveigh","llmnr","mdns","nbn","netbios","netbiosns","responder","security","spoofing","wpad"],"created_at":"2024-08-04T09:01:47.587Z","updated_at":"2026-01-16T08:37:19.440Z","avatar_url":"https://github.com/Rushyo.png","language":"C#","funding_links":[],"categories":["\u003ca id=\"295e14c39bf33cd5136be8ced9383746\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"f855508acfc870b1f0d90ff316f1dd75\"\u003e\u003c/a\u003e伪造\u0026\u0026Spoof"],"readme":"# Vindicate\n\n![Supported](https://img.shields.io/badge/supported-yes%20(2022)-brightgreen)\n[![GitHub stars](https://img.shields.io/github/stars/Rushyo/VindicateTool.svg?style=social\u0026label=Star\u0026maxAge=2592000)](https://GitHub.com/Rushyo/VindicateTool/stargazers/)\n\nAn LLMNR/NBNS/mDNS Spoofing Detection Toolkit for network administrators\n\n## What is Vindicate?\n\nVindicate is a tool which detects name service spoofing, often used by IT network attackers to steal credentials (e.g. Windows Active Directory passwords) from users. 
It's designed to detect the use of hacking tools such as [Responder](https://github.com/SpiderLabs/Responder), [Inveigh](https://github.com/Kevin-Robertson/Inveigh), [NBNSpoof](https://en.kali.tools/all/?tool=881\u0026PageSpeed=noscript), and Metasploit's [LLMNR](https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response), [NBNS](https://www.rapid7.com/db/modules/auxiliary/spoof/nbns/nbns_response), and [mDNS](https://www.rapid7.com/db/modules/auxiliary/spoof/mdns/mdns_response) spoofers, whilst avoiding false positives. This can allow a Blue Team to quickly detect and isolate attackers on their network. It takes advantage of the Windows event log to quickly integrate with an Active Directory network, or its output can be piped to a log for other systems.\n\nThere's a diagram explaining spoofing attacks and how Vindicate works [on the wiki](https://github.com/Rushyo/VindicateTool/wiki/How-it-works).\n\nRequires .NET Framework 4.5.2 \n\n### What is LLMNR/NBNS/mDNS spoofing and why do I need to detect it?\n\n* pentest.blog: [What is LLMNR \u0026 WPAD and How to Abuse Them During Pentest ?](https://pentest.blog/what-is-llmnr-wpad-and-how-to-abuse-them-during-pentest/)\n* Aptive Consulting: [LLMNR / NBT-NS Spoofing Attack Network Penetration Testing](https://www.aptive.co.uk/blog/llmnr-nbt-ns-spoofing/)\n* GracefulSecurity: [Stealing Accounts: LLMNR and NBT-NS Spoofing](https://www.gracefulsecurity.com/stealing-accounts-llmnr-and-nbt-ns-poisoning/)\n\nTL;DR - Attackers might be stealing all sorts of credentials on your network (everything from Active Directory credentials to personal email accounts to database passwords) from right under your nose and you may be completely unaware it's happening.\n\n### Licensing\n\nVindicate is copyright Danny 'Rushyo' Moules and provided under a GPLv3 license without warranty. 
See LICENSE.\n\n## Quick Start\n\nDownload VindicateTool.\n\nOpen a non-elevated command prompt, or PowerShell prompt, and type the following in the `ReleaseBinaries` sub-folder:\n\n```powershell\n./VindicateCLI.exe\n```\n\nVindicate will now search for LLMNR/NBNS/mDNS spoofing and report back.\n\nIf you see nothing happening, try using the `-v` flag to get more verbose output on what Vindicate is doing.\n\nIf there is spoofing going on, you may see something like this:\n\n```\nReceived mDNS response from 192.168.1.24 claiming 192.168.1.24\nSpoofing confidence level adjusted to Medium\nReceived LLMNR response from 192.168.1.24 claiming 192.168.1.24\nReceived NBNS response from 192.168.1.24 claiming 192.168.1.24\nDetected active WPAD service at 192.168.1.24 claiming HTTP Code OK\nSpoofing confidence level adjusted to Certain\nDetected active WPAD service at 192.168.1.24 claiming HTTP Code OK\nDetected active WPAD service at 192.168.1.24 claiming HTTP Code OK\nDetected service on SMB TCP port at 192.168.1.24\nDetected service on SMB TCP port at 192.168.1.24\nDetected service on SMB TCP port at 192.168.1.24\n```\n\nThis indicates an ongoing attack (in this case, Responder running with defaults).\n\nUse ESC to close the application.\n\n### Get more info\n\nUse `-v` with VindicateCLI to get more verbose output.\n\n### Setting the right IP address\n\nVindicate will try to auto-detect your IP address. If you have multiple network interfaces, this might provide an address on the wrong network. If so, use `-a` to enter the IP address you'd like to use.\n\n### Enabling event log reporting\n\nOpen an elevated (Administrator) PowerShell prompt and type the following:\n\n```powershell\nNew-EventLog -Source \"VindicateCLI\" -LogName \"Vindicate\"\n```\n\nRun the CLI app with `-e` to enable event logging. 
The service uses the Windows Event Log (or Mono equivalent) automatically.\n\nEvent logs are stored under `Applications and Services Logs\\Vindicate`.\n\n## Service Installation\n\nRun from an elevated PowerShell prompt (changing FULL\\PATH\\TO\\ and ARGSHERE as appropriate):\n\n```powershell\nNew-EventLog -Source \"VindicateService\" -LogName \"Vindicate\"\nsc.exe create \"VindicateService\" DisplayName=\"Vindicate\" start=auto binPath=\"FULL\\PATH\\TO\\ReleaseBinaries\\VindicateService.exe ARGSHERE\" obj=\"NT Authority\\NetworkService\"\nsc.exe start \"VindicateService\"\n```\n\nThe service supports all flags the CLI app does except `-e` (event logs are always enabled). Don't forget to update the local firewall!\n\n## Useful Stuff\n\n### Build prerequisites\n\nRequires .NET Framework 4.5.2 and Visual Studio 2015 or higher to build. Pre-compiled binaries are available under ReleaseBinaries.\n\n### Firewall Configuration\n\nInbound:\n\n* UDP Local 49501 \u003c- Remote 5355 (LLMNR)\n* UDP Local 49502 \u003c- Remote 137 (NBNS)\n* UDP Local 5353 \u003c- Remote 5353 (mDNS)\n\nOutbound:\n\n* UDP Local 49501 -\u003e Remote 5355 (LLMNR)\n* UDP Local 49502 -\u003e Remote 137 (NBNS)\n* UDP Local 5353 -\u003e Remote 5353 (mDNS)\n* TCP Local 49152-65535* -\u003e Remote 80 (WPAD)\n* TCP Local 49152-65535* -\u003e Remote 443 (WPAD)\n* TCP Local 49152-65535* -\u003e Remote 139 (SMB)\n\n*Ephemeral ports. 
Given values assume Windows Vista+\n\n### Important Event IDs\n\n* 7 - This indicates that Vindicate has upgraded its confidence in an assessment that spoofing* is going on.\n* 8 - Detected a WPAD (Web Proxy Auto-Detection) service at a spoofed* location.\n* 11 - Detected an SMB (Server Message Block) service at a spoofed* location.\n* 6 - Received a spoofed* response to a name lookup.\n\nA full list can be found [on the wiki](https://github.com/Rushyo/VindicateTool/wiki/Event-IDs).\n\n### Notes\n\n* *By default, Vindicate uses lookup names that shouldn't exist in any network but look semi-realistic to an attacker who might be watching, to avoid false positives where you have real services that might rely on these name lookups. If systems with those names really do exist on your network, Vindicate will give false positives.\n* Due to the above, Vindicate works best with custom flags that are tuned to your environment. Use `-h` to get help.\n* As Vindicate uses a partial custom name service implementation written in .NET, it works even if multicast resolution is disabled on the client.\n* Vindicate currently mostly relies on getting a WPAD response, with the SMB detection being very basic (it just checks if an SMB port is in use). If Vindicate is adopted and used I'll write an SMB client to properly verify SMB servers and increase Vindicate's confidence in its detection.\n* Vindicate can detect mDNS spoofing (often associated with Mac OS), but this detection won't work on Windows if multicast resolution is enabled as a required port is in use by the operating system. Consider [disabling it](http://www.computerstepbystep.com/turn-off-multicast-name-resolution.html) for security reasons anyway (and reset the DNS Service to apply the changes).\n* Vindicate does not require administrative permissions to run and is sad if you run it with high privileges.\n* Vindicate can send false credentials to an attacker to frustrate their movements. 
Check out the `-u`, `-p`, and `-d` flags.\n* Vindicate has been written with cross-platform use in mind, but has not been tested for this purpose yet. If this is desired, let me know with an issue and your platform.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frushyo%2Fvindicatetool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frushyo%2Fvindicatetool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frushyo%2Fvindicatetool/lists"}