Filters
# General
smb2
ntlmssp
ntlmssp.auth or ntlmssp.negotiate or ntlmssp.challenge
# Challenge packets
ntlmssp.messagetype == 0x00000002
ntlmssp.challenge
smb2 && ntlmssp.messagetype == 0x00000002
# Combined Filter
(llmnr or nbns) and ntlmssp
llmnr
nbns
udp.port == 5355 # LLMNR
udp.port == 137 # NBNS
Overview
- LLMNR (Link-Local Multicast Name Resolution) and NBNS (NetBIOS Name Service) are fallback name resolution protocols.
- Used when DNS fails.
- No authentication → easily spoofed.
- Attackers respond faster than legitimate hosts to capture NTLM hashes.
Attack Flow
- Victim tries to resolve hostname (e.g., \fileserver)
- DNS fails → fallback to LLMNR/NBNS
- Broadcast request sent
- Attacker responds: “I am that host”
- Victim initiates NTLM authentication
- Attacker captures NTLMv2 hash (Responder, Inveigh)
Key Detection Patterns
1. Suspicious LLMNR/NBNS Responses
- Multiple responses to same query
- Response from non-authoritative host
llmnr.flags.response == 1
nbns.flags.response == 1
2. NTLM Authentication Sequence Timing
Look for 3-step handshake:
- NTLMSSP_NEGOTIATE
- NTLMSSP_CHALLENGE
- NTLMSSP_AUTH
Detection Idea:
- Very fast sequence → attacker on same LAN
- All 3 packets within milliseconds
3. Extract NTLM Data
Fields to inspect:
- ntlmssp.auth.username
- ntlmssp.auth.domain
- ntlmssp.auth.host
- ntlmssp.ntlmv2_response
4. Repeated Name Resolution Failures
Indicators:
- Same hostname queried multiple times
- No DNS success → fallback triggered
llmnr and dns == 0
5. Unusual Source Responding
- Workstation responding to name queries instead of server
- Non-DNS server answering many queries
6. Broadcast Storm / Poisoning Tool
Indicators:
- High volume LLMNR/NBNS responses
- Same MAC responding to many names
eth.src == TARGET_MAC and (llmnr or nbns)
DFIR Workflow
-
Filter:
llmnr or nbns -
Identify queries → who is asking
-
Identify responses → who is answering
-
Check if responder is legitimate
-
Pivot to NTLM:
ntlmssp -
Track authentication sequence
-
Extract credentials
Red Flags Summary
- Multiple responses to one query
- Workstation acting as name server
- NTLM authentication over LLMNR/NBNS
- Fast NTLM handshake timing
- Repeated unresolved hostname queries
- Same MAC answering everything
Tools
- Responder (classic attack tool)
- Inveigh (PowerShell version)
- Wireshark
- Zeek (ntlm logs)
Defense
- Disable LLMNR via GPO
- Disable NetBIOS over TCP/IP
- Enforce SMB signing
- Use strong passwords (prevent cracking)
- Network segmentation
- IDS rules for NTLM over LLMNR/NBNS