search

LLMNR Poisoning

hashtag
What is LLMNR?

  • LLMNR (Link-Local Multicast Name Resolution) is used to identify hosts when DNS fails.

  • Previously, NBT-NS was used for this purpose.

  • Key flaw: Services may leak a user's username and NTLMv2 hash if an attacker responds to LLMNR/NBT-NS queries.

hashtag
Attack Overview

LLMNR poisoning allows an attacker to capture NTLMv2 hashes from users on the same network segment. These hashes can then be cracked offline to obtain cleartext passwords.

hashtag
Steps

hashtag
1. Run Responder

Responder is a tool that listens for LLMNR/NBT-NS requests and responds to them, tricking victims into sending their credentials.

sudo responder -I tun0 -dwP

  • -I tun0 : Specify the network interface

  • -d : Enable NetBIOS poisoning

  • -w : Enable WPAD proxy

  • -P : Enable LLMNR poisoning

hashtag
2. Wait for Hashes

When a victim attempts to resolve a name and LLMNR/NBT-NS is used, Responder will capture the NTLMv2 hash.

Example output:

hashtag
3. Crack the Hash

Use hashcat to crack the captured hash (mode 5600 for NTLMv2):

  • hashes.txt : File containing captured hashes

  • rockyou.txt : Wordlist

Example cracked output:

hashtag
Mitigation

hashtag
Primary Defense: Disable LLMNR and NBT-NS

The best defense is to disable LLMNR and NBT-NS entirely:

hashtag
Disable LLMNR

  • Open Group Policy Editor (gpedit.msc)

  • Navigate to: Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client

  • Find "Turn OFF Multicast Name Resolution"

  • Set to Enabled

hashtag
Disable NBT-NS

  • Go to Network Connections

  • Right-click network adapter > Properties

  • Select TCP/IPv4 Properties

  • Click Advanced > WINS tab

  • Select "Disable NetBIOS over TCP/IP"

hashtag
Alternative: If LLMNR/NBT-NS Cannot Be Disabled

If the organization must use or cannot disable LLMNR/NBT-NS:

hashtag
Network Segmentation

  • Require Network Access Control (NAC)

  • Implement proper network segmentation to limit attack scope

  • Use VLANs to isolate critical systems

hashtag
Strong Password Policy

  • Require strong user passwords:

    • Minimum 14+ characters in length

    • Limit common word usage

    • Use complex combinations (uppercase, lowercase, numbers, symbols)

  • The longer and more complex the password, the harder it is to crack the captured hash

hashtag
Additional Measures

  • Monitor for Responder activity in network logs

  • Implement SMB signing to prevent relay attacks

  • Use multi-factor authentication (MFA) where possible

  • Regular password rotation policies

hashtag
Summary

  • LLMNR/NBT-NS poisoning is a common way to capture Windows credentials on internal networks

  • Use Responder to capture hashes, then crack them with hashcat

  • Primary mitigation: Disable LLMNR and NBT-NS completely

  • If disabling isn't possible: Implement NAC, strong passwords (14+ chars), and network segmentation

PreviousActive Directory TechniquesNextKerberoasting

Last updated