LLMNR (Link-Local Multicast Name Resolution) poisoning is a network-based attack that exploits the LLMNR protocol used by Windows systems to resolve hostnames when DNS fails. An attacker on the same network segment listens for LLMNR broadcast queries and responds with their own IP address, tricking the victim into sending authentication credentials to the attacker's machine. This is a form of man-in-the-middle attack commonly used in internal network penetration testing.
When a Windows machine cannot resolve a hostname through DNS, it falls back to LLMNR, multicasting a query to all devices on the local network segment. The attacker runs a tool such as Responder that monitors for these queries. When a query is detected, the tool answers it, claiming to be the requested host. The victim machine then attempts to authenticate to the attacker and, in doing so, sends an NTLMv2 challenge-response hash. The attacker captures these hashes and can either crack them offline with a tool such as Hashcat or relay them to other services in an NTLM relay attack. From the attacker's perspective the process is essentially passive: it requires nothing beyond presence on the segment and waiting for victims' own failed lookups to arrive.
LLMNR poisoning is one of the most reliable initial foothold techniques on internal networks because LLMNR is enabled by default on most Windows systems. The attack requires no prior credentials and can yield domain user hashes within minutes of network access. Organizations should disable LLMNR and NBT-NS via Group Policy, enforce network segmentation, require SMB signing, and deploy network monitoring to detect poisoning activity on their internal segments.