LLMNR Poisoning

What is LLMNR?

  • it is Link Local Multicast Name Resolution - it's basically DNS.

  • It's used when DNS fails to identify hosts and send User hashes.

  • previously NBT-NS


What tools do we use?

responder.py -I tun0 -rdw

  • Run this in the morning or when the traffics are busy to catch user activities.

  • capture user hashes when a user type the wrong IP's itc

  • Capture hashes > hashcat it.

User type in login info, then sends attacker hashes.

To mitigate LLMNR posoning, you have to disable LLMNR and NBT-NS

To disable LLMNR --> Turn off multicast NAME resolution under local computer policy > computer configuration > administrative templates > network > DNS client in the group policy editor.

To disable NBT-NS, navigate to Network connections < network adapter properties > TCP/IPv4 properties > advanced tab > WINS tab and selevt disable netBIOS over TCP/IP/

What if a company cannot disable LLMNR/NBT-NS?

  1. Enable network access control:

  2. require strong user passwords (longer than 14 characters)

SMB relay

instead of cracking hashes that we capture with responder, we can relay the hashes to specific machines and potentially gain access

Requirements - SMB signing must me disabled on the target

- Relayed user credentials must be admin on machine


1. go to file explorer > network and enable network sharing

2. follow the steps below:

  1. Discover if a host's SMB signing is disabled


  • Nmap (use specififc script ) -- nmap --script=smb2-security-mode.nse -p445

  • Github script that does

SMB signning enabled but not required!

Create a txt file that contains a victim's machine's IP.

Edit a responder config file - gedit /etc/responder/Responder.conf

turn off SMB and HTTP.

Run the responder: responder -I eth0 -rdwv

  • set a relay machine └─# ntlmrelayx.py -tf target.txt -smb2support

  • you have to use two user machines with adminin priviledge for this attack to work! (use one to relay in)

  • enter the ip address in the file explorer on the other user machine on the target.

now you got hashes!

Last updated