LLMNR Poisoning: Attacker and Defender Perspective

March 01, 2026

There’s something almost unfair about LLMNR attacks. No zero-days. No custom malware. Just a default Windows feature quietly handing over credentials to whoever answers first.

LLMNR sits in many environments doing its job unnoticed until someone abuses it. This is what it looks like from both sides.

What Is LLMNR?

LLMNR (Link-Local Multicast Name Resolution) is a Windows protocol used when DNS fails to resolve a hostname.

Here’s the basic flow:

  1. A machine tries to reach fileserver.company.local.
  2. DNS does not respond.
  3. The system multicasts a query to the local subnet: “Does anyone know who fileserver.company.local is?”
  4. Any device on the subnet can respond.

There is no built-in verification of the responder. That is the weakness.


Attacker Perspective: Answer First

Once inside a network, even with low privileges, no exploit is necessary. The only requirement is to listen for broadcasts.

When a machine sends an LLMNR request, a poisoning tool responds immediately, claiming to be the requested host. The victim system trusts the response and attempts to authenticate. An NTLMv2 hash is sent, which can be captured and reused.

How the Attack Works (Step-by-Step)

  1. A user mistypes a hostname or DNS temporarily fails.
  2. The victim multicasts an LLMNR query on UDP port 5355.
  3. The attacker runs a poisoning tool and replies first.
  4. The victim attempts NTLM authentication.
  5. The attacker captures the NTLMv2 hash.
  6. The hash is either cracked offline or relayed immediately to another server.

No malware deployment. No exploit chain. Just protocol abuse.

Tools Commonly Used in LLMNR Attacks

  • Responder: Listens for LLMNR and NBNS broadcasts and responds maliciously to capture hashes.
  • Inveigh: A PowerShell-based LLMNR and NBNS poisoner used in internal engagements.
  • Hashcat: Used to crack NTLMv2 hashes offline with GPU acceleration.
  • Impacket: Frequently used to perform NTLM relay attacks.

Why This Is Dangerous

Offline Password Cracking

If passwords are weak or predictable, captured NTLMv2 hashes can often be cracked. Common risk patterns include seasonal passwords or company name plus year.

NTLM Relay

The attacker forwards the authentication attempt to another server in real time. If SMB signing is not enforced, file shares may be accessed and privileged sessions established.


Defender Perspective: Why Is It Still Enabled?

LLMNR remains enabled by default in many environments. When combined with NetBIOS Name Service and missing SMB signing, it creates an easy credential capture opportunity.

How to Defend Against LLMNR Poisoning

1. Disable LLMNR via Group Policy

Computer Configuration → Administrative Templates → Network → DNS Client → Turn off Multicast Name Resolution (Set to Enabled).

2. Disable NetBIOS Name Service

If LLMNR is disabled but NBNS remains active, attackers can pivot. Disable NetBIOS over TCP/IP where feasible.

3. Enforce SMB Signing

SMB signing prevents successful NTLM relay attacks. Without signing enforcement, relaying authentication is straightforward.


Threat Hunter Perspective: Detecting the Poison

1. Look for Rogue Responses

  • Monitor UDP port 5355 (LLMNR) and 137 (NBT-NS) traffic.
  • A single IP responding to many distinct hostnames is a massive red flag.
  • In Wireshark, use the capture filter udp port 5355 to isolate LLMNR traffic and identify unusual responders.
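Added example of the rogue-responder check from point 1 (this code is not from the original post): it parses LLMNR answer payloads (LLMNR reuses the DNS message layout) and flags any source IP that has claimed several distinct hostnames. The packets and addresses are constructed sample data, and the threshold of three names is an assumption to tune per environment.

```python
import struct
from collections import defaultdict

def read_name(payload, offset):
    """Decode an uncompressed DNS-style name (LLMNR reuses the DNS format)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length

def parse_llmnr_response(payload):
    """Return the queried name if payload is an LLMNR response (QR bit set), else None."""
    if len(payload) < 12:
        return None
    _tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000 or qdcount < 1 or ancount < 1:
        return None
    name, _ = read_name(payload, 12)
    return name.lower()

def build_response(name, ip):
    """Construct an LLMNR answer claiming `name` lives at `ip` (sample data only)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8000, 1, 1, 0, 0)     # QR=1, one question, one answer
    question = qname + struct.pack("!HH", 1, 1)                 # type A, class IN
    answer = qname + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer

def find_rogue_responders(packets, threshold=3):
    """packets: iterable of (responder_ip, udp_payload) seen on UDP 5355. Returns
    {ip: sorted names} for responders that answered for >= threshold distinct names."""
    names_by_ip = defaultdict(set)
    for src_ip, payload in packets:
        name = parse_llmnr_response(payload)
        if name:
            names_by_ip[src_ip].add(name)
    return {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) >= threshold}

SAMPLE = [  # constructed: 10.0.0.50 answers for every name it hears, 10.0.0.7 only for itself
    ("10.0.0.7", build_response("ws07", "10.0.0.7")),
    ("10.0.0.50", build_response("fileserver", "10.0.0.50")),
    ("10.0.0.50", build_response("printsrv", "10.0.0.50")),
    ("10.0.0.50", build_response("wpad", "10.0.0.50")),
    ("10.0.0.50", build_response("sharedrive", "10.0.0.50")),
]
if __name__ == "__main__":
    print(find_rogue_responders(SAMPLE))  # {'10.0.0.50': ['fileserver', 'printsrv', 'sharedrive', 'wpad']}
```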

2. Correlate with Authentication Patterns

Hunt for patterns where LLMNR requests are immediately followed by NTLM authentication attempts (Event ID 4624/4625) toward workstations that typically do not host services.

3. Baseline and Anomaly Detection

Establish normal volumes of LLMNR traffic. Sudden spikes, especially outside typical patterns, suggest poisoning tools like Responder or Inveigh are active.

4. Deploy Intentional Detection Probes

Proactively generate fake queries for non-existent hostnames. Legitimate systems shouldn't respond. Any machine that answers is likely a poisoning tool.

Final Thought

From an offensive perspective, LLMNR offers low effort and high return. From a defensive perspective, disabling it is straightforward and highly effective. If it remains enabled, the exposure is not theoretical; it is a practical risk waiting for someone to answer first.