LLMNR Poisoning

Sourav Newatia
Jul 6, 2024

  • LLMNR stands for Link-Local Multicast Name Resolution.
  • It is used to identify hosts when DNS fails to do so.
  • It does this by sending a network packet to UDP port 5355 at the multicast address.
  • It was previously known as NetBIOS Name Service (NBT-NS).
  • A man-in-the-middle (MITM) attack is one approach an attacker can use against it.

The key point is that when an attacker answers such a query, the requesting host responds back with its username and password hash.

Question: How does this happen? Where does LLMNR come into the picture?

Answer:

  • When a system tries to access an SMB share, it sends a request to the DNS server, which resolves the share's host name to the corresponding IP address so the requesting system can reach it.
  • However, when the requested name doesn't exist in DNS, the system sends out an LLMNR query to the entire local network.
  • Any host (IP address) on the network can then reply claiming to have that share, and the requester will communicate with whoever answered.

Steps to Perform:

Tools used: Responder (run by the attacker). URL: https://github.com/lgandx/Responder

  1. Take two machines to perform this attack: attacker machine, Kali Linux; victim machine, Windows 10.

  2. Run Responder in Kali Linux:

     sudo responder -I eth0

  3. On Windows 10, in File Explorer enter \\10.0.1.6 (the IP address of the Responder machine shown in Kali Linux).

  4. Responder will display the captured username and hash.

  5. Save these hashes to a file, hash.txt, and use hashcat to crack them:

     hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

LLMNR Poisoning Defence:

Mitigation

The best defence in this case is to disable LLMNR and NBT-NS.

  • To disable LLMNR select “Turn OFF Multicast Name Resolution” under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.
  • To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP”.
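The same two settings can be audited and applied from an elevated PowerShell session. This is an added example, not from the original post; it uses the registry values that back the Group Policy and adapter settings above (EnableMulticast under the DNSClient policy key, and NetbiosOptions on each NetBT interface key).

```powershell
# Added example (not from the original post): audit LLMNR and NBT-NS on this host,
# and with -Enforce apply the two mitigations described above. Run elevated.
#   LLMNR  -> HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableMulticast = 0
#   NBT-NS -> HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*, NetbiosOptions = 2
[CmdletBinding()]
param([switch]$Enforce)

$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # An absent value means the policy is not set, i.e. LLMNR is at its default (enabled)
    $v = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($v -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-NbtNsState {
    # NetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled
    Get-ChildItem -Path $netbtRoot | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; Disabled = ($opt -eq 2) }
    }
}

Write-Host "LLMNR : $(Get-LlmnrState)"
Get-NbtNsState | Format-Table -AutoSize

if ($Enforce) {
    # Equivalent of enabling "Turn off multicast name resolution" under DNS Client
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Equivalent of "Disable NetBIOS over TCP/IP" on every interface
    Get-ChildItem -Path $netbtRoot | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }

    Write-Host "Applied. LLMNR : $(Get-LlmnrState)"
    Get-NbtNsState | Format-Table -AutoSize
}
```

The NetBT change applies to existing adapters only after they reset or the host reboots; in a domain, the Group Policy setting is the preferred way to push the LLMNR value, and this script is useful for verifying that it landed.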

If a company must use or cannot disable LLMNR/NBT-NS, the best course of action is to:

  • Require Network Access Control.
  • Require strong user passwords (e.g., greater than 14 characters in length, and limit common-word usage). The longer and more complex the password, the harder it is for an attacker to crack the captured hash.
