LLMNR Poisoning

What is LLMNR?

• Used to identify hosts when DNS fails to do so

• Previously NBT-NS

• Key flaw is that the services use a user's username and NTMLv2 hash when appropriately responded to

Attack Procedure

• Make sure Responder is installed.

• Start the poisoner using the command responder -I eth0 -dwv

• If successful you will get a hash as shown in the picture below

• Once you have the hash you can use any password cracking tool, for example Hashcat.

LLMNR Poisoning Mitigation

• Disable LLMNR and NBT-NS (You have to disable both)

  • To disable LLMNR: Turn OFF "Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor

  • To disable NBT-NS: navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced Tab > WINS tab and select "Disable NetBIOS over TCP/IP"

• If a company has to use or can't disable LLMNR/NBT-NS

  • Require Network Access Control

  • Require strong passwords