LLMNR Poisoning

What is LLMNR?

  • Used to identify hosts when DNS fails to do so

  • Previously NBT-NS

  • Key flaw: when a client's LLMNR/NBT-NS query is answered, the client authenticates to whoever answered, sending the user's username and NTLMv2 hash

LLMNR Poisoning Overview

Attack Procedure

  • Make sure Responder is installed.

  • Start the poisoner using the command responder -I eth0 -dwv

  • If successful, you will get a hash as shown in the picture below

LLMNR Hash

  • Once you have the hash, you can use any password cracking tool, for example Hashcat.

LLMNR Poisoning Mitigation

  • Disable LLMNR and NBT-NS (You have to disable both)

    • To disable LLMNR: Turn OFF "Multicast Name Resolution" under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor

    • To disable NBT-NS: navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced Tab > WINS tab and select "Disable NetBIOS over TCP/IP"

  • If a company has to use LLMNR/NBT-NS or can't disable them:

    • Require Network Access Control

    • Require strong passwords
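The two mitigation steps above, as an added PowerShell example (not from the original page) that audits a host and then disables both LLMNR and NBT-NS. It assumes the Group Policy setting writes EnableMulticast=0 under the DNSClient policy key and that the WINS-tab setting corresponds to NetbiosOptions=2 on each Tcpip_* interface under the NetBT service; run it as Administrator.

```powershell
# Added example: audit and harden a Windows host against LLMNR/NBT-NS poisoning.
# Assumptions (not stated on the page): the GPO "Turn off multicast name resolution"
# sets EnableMulticast=0 under the DNSClient policy key, and "Disable NetBIOS over
# TCP/IP" sets NetbiosOptions=2 on every Tcpip_* interface key under NetBT.
$LlmnrKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionPoisoningExposure {
    # LLMNR: EnableMulticast 0 = off; missing or any other value = on (Windows default).
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled = ($null -eq $llmnr) -or ($llmnr -ne 0)

    # NBT-NS: NetbiosOptions 2 = disabled; 0 = follow DHCP; 1 = enabled.
    $nbtEnabledIfaces = @(Get-ChildItem -Path $NetbtIfaces -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        Where-Object { (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions -ne 2 } |
        ForEach-Object { $_.PSChildName })

    # Both protocols must be off; either one left on keeps the host exposed.
    [pscustomobject]@{
        LlmnrEnabled       = $llmnrEnabled
        NbtNsEnabledOn     = $nbtEnabledIfaces
        ExposedToPoisoning = $llmnrEnabled -or ($nbtEnabledIfaces.Count -gt 0)
    }
}

function Disable-NameResolutionPoisoningVectors {
    # Disable LLMNR (same effect as the Group Policy setting described above).
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every interface (same effect as the WINS tab setting).
    Get-ChildItem -Path $NetbtIfaces |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

# Audit first, harden only if exposed, then re-audit so both changes are confirmed.
$before = Get-NameResolutionPoisoningExposure
if ($before.ExposedToPoisoning) {
    Disable-NameResolutionPoisoningVectors
}
Get-NameResolutionPoisoningExposure
```

The NetBIOS change takes effect for new connections; a reboot or adapter restart makes it consistent across all interfaces, and domain-joined hosts should receive the LLMNR setting through Group Policy rather than a local registry edit so it is not overwritten.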
