
Understanding LLMNR Poisoning: A Step-by-Step Tutorial

A comprehensive guide on how Link-Local Multicast Name Resolution (LLMNR) poisoning works, how to execute the attack, and how to defend against it in an enterprise environment.

Author: James G.
Published: 2026-05-08

Understanding LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) poisoning is one of the most reliable initial access and lateral movement techniques in an Active Directory environment. Despite being an older protocol, it remains enabled by default on many modern Windows systems, making it a lucrative target for Red Teams and malicious actors alike.

In this tutorial, we will explore what LLMNR is, how the poisoning attack works, and how to execute it in a simulated environment. We will also cover essential mitigation strategies to protect your network.

[!TIP]

Interactive Learning: To get hands-on experience without setting up a lab, check out our interactive LLMNR Poisoning Lab.

1. The Theory: What is LLMNR?

When a Windows machine attempts to connect to a resource (like a file share \\fileserver), it must resolve that hostname to an IP address. The standard resolution process typically follows this order:

  • Local Hosts File: The system checks `C:\Windows\System32\drivers\etc\hosts`.
  • DNS Cache: It checks its local DNS cache.
  • DNS Server: It queries the configured DNS server.

If all of the above fail, Windows falls back to broadcast protocols to ask the local network, "Hey, does anyone know who fileserver is?"

This is where LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) come into play. The machine broadcasts a request to the entire local subnet.

The Vulnerability

Because these are broadcast protocols without inherent authentication, any machine on the network can respond. An attacker can listen for these broadcast requests and maliciously respond, saying, "I am fileserver! Send your authentication details to me."

When the victim machine attempts to authenticate to the "server" (the attacker), it inadvertently completes an NTLM challenge-response exchange with it, handing over its NTLMv2 response (commonly referred to as the NTLMv2 hash).
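The same property that makes the attack possible, that any host may answer a link-local query, also makes it easy to detect. The PowerShell script below is an added example, not code from the original post or from Responder: it multicasts an LLMNR query for a random name that no real host can own and reports anyone who answers it. The canary prefix, the 3-second timeout, and the `-TimeoutMs` parameter are assumptions of this example; the packet layout follows RFC 4795 (LLMNR reuses the DNS message format on UDP 5355, multicast group 224.0.0.252).

```powershell
param([int]$TimeoutMs = 3000)

# Constructed canary name: a random label that no legitimate host can own.
$canary = 'canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)

# LLMNR reuses the DNS message layout: ID, flags, QD/AN/NS/AR counts, then one question.
$id = Get-Random -Minimum 1 -Maximum 65535
$packet = [System.Collections.Generic.List[byte]]::new()
$packet.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))
foreach ($label in $canary.Split('.')) {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
    $packet.Add([byte]$bytes.Length)
    $packet.AddRange($bytes)
}
$packet.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label terminator, QTYPE=A, QCLASS=IN

# Send to the LLMNR multicast group; replies come back unicast to our source port.
$udp = [System.Net.Sockets.UdpClient]::new()
$udp.Client.ReceiveTimeout = $TimeoutMs
$group = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
[void]$udp.Send($packet.ToArray(), $packet.Count, $group)

$remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
$findings = @()
try {
    while ($true) {
        $reply = $udp.Receive([ref]$remote)
        $isOurs = $reply.Length -ge 12 -and $reply[0] -eq ($id -shr 8) -and $reply[1] -eq ($id -band 0xFF)
        if ($isOurs -and ($reply[2] -band 0x80)) {          # QR bit set: this is a response
            $answers = ($reply[6] -shl 8) -bor $reply[7]    # ANCOUNT from the header
            $findings += [pscustomobject]@{ Responder = $remote.Address.ToString(); Answers = $answers }
        }
    }
} catch [System.Net.Sockets.SocketException] {
    # ReceiveTimeout elapsed: no further replies on this segment.
} finally {
    $udp.Close()
}

if ($findings.Count -eq 0) {
    Write-Output "No LLMNR answer for '$canary' within $TimeoutMs ms: no poisoner seen on this segment."
} else {
    Write-Warning "LLMNR poisoning suspected: a host answered a name that cannot exist ($canary)."
    $findings | Format-Table -AutoSize
}
```

Run it from a workstation on the segment you want to watch; a clean network stays silent, and any responder address is worth an investigation ticket. Scheduling it and alerting on the warning turns it into a cheap continuous sensor.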

2. Executing the Attack (The Responder Way)

The most popular tool for executing LLMNR poisoning is Responder, a Python tool created by SpiderLabs. Responder listens for NBT-NS, LLMNR, and mDNS broadcasts and answers them, while simultaneously hosting rogue services (SMB, HTTP, SQL, etc.) to capture hashes.

Step 1: Network Reconnaissance

Before running Responder, you need to identify your network interface.

ip a

Identify the interface connected to the target network (e.g., eth0 or tun0).

Step 2: Launching Responder

Start Responder, specifying the interface you want to listen on:

sudo responder -I eth0 -rdw
  • `-I eth0`: Specifies the interface.
  • `-r`: Answers NetBIOS wpad queries.
  • `-d`: Answers NetBIOS domain suffix queries.
  • `-w`: Starts the WPAD rogue proxy server.

Step 3: The Waiting Game

Once Responder is running, it silently listens on the network. The attack relies on a user making a typo (e.g., typing \\fileserevr instead of \\fileserver) or a script attempting to access a non-existent resource.

Step 4: Capturing the Hash

When a victim broadcasts a request for a non-existent host, Responder immediately replies. The victim, believing Responder is the legitimate server, attempts to authenticate using NTLMv2.

Responder captures this challenge-response sequence and displays the NTLMv2 hash in the console.

[SMB] NTLMv2-SSP Client   : 192.168.1.15
[SMB] NTLMv2-SSP Username : CONTOSO\jsmith
[SMB] NTLMv2-SSP Hash     : jsmith::CONTOSO:1122334455667788:0000000000000000...

NTLMv2 Hashes

It's crucial to understand that Responder captures the NTLMv2 hash, *not* the plaintext password. Furthermore, this hash cannot be used directly in a Pass-the-Hash (PtH) attack. It must be cracked offline to retrieve the plaintext password, or relayed to another machine using a tool like `ntlmrelayx`.

3. Cracking the Hash

Once you have the NTLMv2 hash, the next step is offline cracking. Tools like Hashcat or John the Ripper are typically used for this phase.

Using Hashcat

First, save the captured hash into a text file (e.g., hashes.txt).

Then, run Hashcat, specifying the hash type (-m 5600 for NetNTLMv2) and a wordlist (like rockyou.txt):

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

If the user's password is in the wordlist (and isn't overly complex), Hashcat will quickly recover the plaintext password.

4. Defending Against LLMNR Poisoning

The best way to prevent LLMNR and NBT-NS poisoning is to disable these protocols entirely if they are not required. In most modern Active Directory environments, standard DNS is sufficient, and these fallback protocols are unnecessary.

Mitigation Steps

  • Disable LLMNR via Group Policy (GPO):
      • Navigate to: `Computer Configuration` -> `Administrative Templates` -> `Network` -> `DNS Client`
      • Find the policy: `Turn off multicast name resolution`
      • Set it to Enabled.
  • Disable NBT-NS via DHCP or Local Network Adapters:
      • This can be configured in the DHCP scope options (Option 43) or manually disabled on individual network adapters under the IPv4 Advanced settings (WINS tab).
  • Enforce SMB Signing:
      • If you cannot disable LLMNR/NBT-NS, enforcing SMB signing across the domain prevents attackers from relaying the captured NTLMv2 hashes to other machines.
  • Use Strong Passwords:
      • Even if a hash is captured, a strong, complex password significantly increases the time required for offline cracking, rendering the attack less effective.
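Once the GPO is deployed, you will want to verify that each machine actually received the settings. The script below is an added example, not part of the original post: it audits the registry values behind the first three mitigations (the `EnableMulticast` value that the "Turn off multicast name resolution" policy writes, per-adapter NetBIOS over TCP/IP, and SMB signing on both the server and client side) and, with the assumed `-Fix` switch, applies the hardened values locally. It assumes an elevated PowerShell session.

```powershell
param([switch]$Fix)   # -Fix is an assumption of this example: remediate instead of only reporting

$checks = @(
    @{ Name  = 'LLMNR disabled (GPO: Turn off multicast name resolution)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value = 'EnableMulticast'; Want = 0 },
    @{ Name  = 'SMB server requires signing'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB client requires signing'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 }
)

foreach ($c in $checks) {
    # A missing value means the policy never applied; treat that as non-compliant.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $ok = ($null -ne $current) -and ($current -eq $c.Want)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $ok = $true
    }
    [pscustomobject]@{ Control = $c.Name; Current = $current; Required = $c.Want; Compliant = $ok }
}

# NBT-NS is configured per adapter: TcpipNetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $ok = $nic.TcpipNetbiosOptions -eq 2
    if (-not $ok -and $Fix) {
        # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this interface only.
        Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        $ok = $true
    }
    [pscustomobject]@{ Control = "NBT-NS disabled on $($nic.Description)"
                       Current = $nic.TcpipNetbiosOptions; Required = 2; Compliant = $ok }
}
```

Run it without `-Fix` across a sample of hosts (for example through `Invoke-Command`) to measure policy coverage before trusting the GPO; the per-adapter rows are the ones most often missed, because the NetBIOS setting is not written by the DNS Client policy.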

Conclusion

LLMNR poisoning remains a staple in penetration testing due to its high success rate in default Windows configurations. By understanding how the attack works and implementing proper Group Policy controls, organizations can easily close this common security gap.

Ready to try it yourself in a safe environment? Head over to our Interactive LLMNR Poisoning Lab to experience the attack from both the attacker and defender perspectives.
