LLMNR Poisoning
LLMNR poisoning exploits Windows name resolution fallback by responding to broadcast queries with a malicious address, capturing NTLMv2 authentication hashes from victim machines.
LLMNR (Link-Local Multicast Name Resolution) poisoning is a network-based attack that exploits the LLMNR protocol, which Windows systems use to resolve hostnames when DNS fails. An attacker on the same network segment listens for LLMNR queries and answers them with their own IP address, tricking the victim into sending authentication credentials to the attacker's machine. This is a form of man-in-the-middle attack commonly used in internal network penetration testing.
When a Windows machine cannot resolve a hostname through DNS, it falls back to LLMNR, sending a multicast query that every device on the local link receives. The attacker runs a tool such as Responder that listens for these queries. When a query is seen, the tool answers claiming to be the requested host. The victim machine then attempts to authenticate to the attacker, sending NTLMv2 hashes. The attacker captures these hashes and can either crack them offline using tools like Hashcat or relay them to other services in an NTLM relay attack. The attacker never has to initiate traffic: the victims' own failed lookups drive the attack, so network presence is the only requirement.
LLMNR poisoning is one of the most reliable initial foothold techniques on internal networks because LLMNR is enabled by default on most Windows systems. The attack requires no prior credentials and can yield domain user hashes within minutes of network access. Organizations should disable LLMNR and NBT-NS via Group Policy, enforce network segmentation, require SMB signing, and deploy network monitoring to detect poisoning activity on their internal segments.
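The host-level part of those mitigations can be audited and applied with a short script. The following is an added example, not code from the original article or from any tool it names; it assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (for the `Get-SmbClientConfiguration` / `Get-SmbServerConfiguration` cmdlets) and uses the documented registry locations behind the "Turn off multicast name resolution" policy and the per-interface NetBIOS setting.

```powershell
# Added example (not part of the original article): audit, and optionally enforce,
# the host-level mitigations the article lists: disable LLMNR, disable NBT-NS,
# require SMB signing. Run from an elevated PowerShell prompt on the host to check.
# Without -Enforce the script only reports; with -Enforce it applies the settings.
# In a domain, push the same values through Group Policy rather than per host.
[CmdletBinding()]
param(
    [switch]$Enforce
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$Status, [string]$Detail = '')
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# Returns $true when the DWORD value $Name under $Path exists and equals $Expected.
function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq $Expected)
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. LLMNR. EnableMulticast = 0 under the DNSClient policy key is the registry
#    backing of the Group Policy setting "Turn off multicast name resolution".
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (Test-RegistryDword $llmnrKey 'EnableMulticast' 0) {
    Add-Finding 'LLMNR disabled' 'PASS'
} else {
    Add-Finding 'LLMNR disabled' 'FAIL' 'EnableMulticast is missing or not 0'
    if ($Enforce) { Set-RegistryDword $llmnrKey 'EnableMulticast' 0 }
}

# 2. NBT-NS. Poisoning tools answer NetBIOS name queries as well, so turning off
#    LLMNR alone is not enough. NetbiosOptions = 2 disables NetBIOS over TCP/IP
#    on each interface.
$nbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $nbtBase -ErrorAction SilentlyContinue) {
    $label = "NBT-NS disabled ($($iface.PSChildName))"
    if (Test-RegistryDword $iface.PSPath 'NetbiosOptions' 2) {
        Add-Finding $label 'PASS'
    } else {
        Add-Finding $label 'FAIL' 'NetbiosOptions is not 2'
        if ($Enforce) { Set-RegistryDword $iface.PSPath 'NetbiosOptions' 2 }
    }
}

# 3. SMB signing. Requiring signatures on both the client and the server side makes
#    relayed NTLM authentication fail against SMB targets. The Smb* cmdlets wrap the
#    LanmanWorkstation / LanmanServer RequireSecuritySignature values.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
if ($client.RequireSecuritySignature) {
    Add-Finding 'SMB client signing required' 'PASS'
} else {
    Add-Finding 'SMB client signing required' 'FAIL'
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}
if ($server.RequireSecuritySignature) {
    Add-Finding 'SMB server signing required' 'PASS'
} else {
    Add-Finding 'SMB server signing required' 'FAIL'
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

$findings | Format-Table -AutoSize
if ($Enforce) {
    Write-Host 'Settings applied. NetBIOS changes take effect after the interfaces restart or the host reboots.'
}
```

Run it without arguments to get a PASS/FAIL table, and with `-Enforce` to apply the three settings. Once LLMNR and NBT-NS are off across a segment, any LLMNR or NBT-NS response seen on the wire is anomalous by definition, which gives the network monitoring the article recommends a simple, high-signal alert condition.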
Written by CDA Editorial