LLMNR Poisoning
NetBIOS Name Service (NBT-NS) was responsible for name registration and resolution in early versions of Windows. Link-Local Multicast Name Resolution (LLMNR) is the successor of NBT-NS. It performs the same task as its predecessor: name resolution for hosts on the same local network. LLMNR allows for the resolution of both IPv4 and IPv6 addresses into hostnames without the need for a DNS server on the local network. If a request to a DNS server fails (e.g., if a DNS server is not available), an LLMNR query is made across the local network to attempt to resolve that request.
LLMNR does not require authentication to perform those name resolutions. That means that any computer on a local network can perform an LLMNR query. If an attacker is listening on the local network, they can respond to those queries. This can lead to potentially harmful behaviour and attacks, such as LLMNR poisoning. During an LLMNR poisoning attack, the attacker listens for LLMNR requests. When a request is made across the local network, the attacker's device responds with its own IP address, redirecting network traffic. The key flaw is that the victim device sends a username and NTLMv2 hash when it is responded to.
If an LLMNR event occurs on the network and the attacker is listening, Responder can obtain sensitive information regarding the victim, such as the IP address, username, and password hash.
You can then use John or Hashcat to obtain the credentials of the account.
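An added example (not part of the original page): because LLMNR answers are unauthenticated, a defender can watch UDP 5355 traffic for any host that answers a canary name no machine owns. The canary name, the sample addresses and the `build_msg` helper are assumptions constructed for illustration; the parser reads only the 12-byte header and the question name.

```python
import struct

def build_msg(txid, name, response=False, ancount=0):
    """Constructed test data: LLMNR header + one question (no answer records appended)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8000 if response else 0, 1, ancount, 0, 0)
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_llmnr(payload):
    """Return (txid, is_response, question_name, answer_count) per the RFC 4795 header."""
    if len(payload) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return txid, bool(flags & 0x8000), ".".join(labels), ancount

def find_poisoners(packets, canary_names):
    """packets: (src_ip, udp_payload) pairs from UDP 5355. Returns {src_ip: [canaries answered]}."""
    canaries = {c.lower() for c in canary_names}
    hits = {}
    for src, payload in packets:
        try:
            _, is_response, name, ancount = parse_llmnr(payload)
        except ValueError:
            continue  # not a well-formed LLMNR message; ignore
        if is_response and ancount > 0 and name in canaries:
            hits.setdefault(src, set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

CANARY = "zz-canary-7f3a"  # hypothetical name that no real host owns
SAMPLE = [  # constructed capture, not real traffic
    ("10.0.0.5", build_msg(1, CANARY)),
    ("10.0.0.66", build_msg(1, CANARY, response=True, ancount=1)),
    ("10.0.0.5", build_msg(2, "fileserver")),
    ("10.0.0.20", build_msg(2, "fileserver", response=True, ancount=1)),
    ("10.0.0.9", b"\x00\x01"),  # malformed payload
]
```

On the constructed capture, `find_poisoners(SAMPLE, [CANARY])` reports only 10.0.0.66, the host that answered the canary; the legitimate answer for `fileserver` and the malformed payload are ignored.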