LLMNR (Link-Local Multicast Name Resolution) poisoning is a network attack where hackers exploit Windows systems attempting to resolve hostnames when DNS lookups fail.
This guide explains how LLMNR poisoning works and shows you how to protect your network against this common attack vector.
What is LLMNR?
LLMNR serves as a backup name resolution protocol that Windows uses when DNS resolution fails to identify hostnames.
How LLMNR Poisoning Works
- A user attempts to access a network resource using an incorrect or mistyped hostname
- DNS resolution fails, triggering LLMNR/NBT-NS broadcasts
- Attacker responds to these broadcasts, impersonating the requested resource
- Target system sends authentication credentials to the attacker
- Attacker captures and cracks the NTLMv2 hash offline
Common Attack Tools
- Responder – Most popular tool for LLMNR poisoning
- Metasploit’s auxiliary/spoof/llmnr/llmnr_response
- Inveigh – PowerShell-based LLMNR/NBT-NS spoofer
Detection & Prevention
- Disable LLMNR through Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn Off Multicast Name Resolution
- Disable NBT-NS: Network Adapter Properties > IPv4 Properties > Advanced > WINS tab > Disable NetBIOS over TCP/IP
- Use strong password policies requiring complex passwords
- Monitor network traffic for suspicious LLMNR/NBT-NS activity
- Implement Network Access Control (NAC)
Mitigation Steps for System Administrators
| Action | Implementation |
|---|---|
| DNS Configuration | Ensure proper DNS server settings across all devices |
| Network Segmentation | Implement VLANs and network isolation |
| Monitoring | Deploy IDS/IPS solutions to detect poisoning attempts |
Testing for LLMNR Vulnerabilities
Use these tools responsibly and only on networks you have permission to test:
- Responder:
python Responder.py -I eth0 -wrfv - Wireshark: Filter for LLMNR packets using
llmnrfilter - Nmap: Scan for NBT-NS services with
nmap -sV -p137 target-ip
Contact your network security team or a qualified penetration tester if you need help assessing your network’s vulnerability to LLMNR poisoning.
Additional Resources
Incident Response
If LLMNR poisoning is detected on your network, follow these immediate response steps:
- Identify and isolate affected systems
- Reset compromised credentials
- Collect and analyze network logs
- Document the incident timeline
- Implement additional security controls
Advanced Protection Measures
Network Hardening
- Deploy 802.1X authentication
- Implement DNS sinkholing
- Use DNSSEC where possible
- Configure SMB signing
Monitoring Solutions
- Security Information and Event Management (SIEM)
- Network behavior analytics
- Endpoint Detection and Response (EDR)
Compliance Considerations
| Framework | Requirement |
|---|---|
| PCI DSS | Network security controls and monitoring |
| NIST | Access control and system integrity |
| ISO 27001 | Network security management |
Conclusion
LLMNR poisoning remains a significant threat to Windows-based networks. Organizations must implement comprehensive security controls, including disabling unnecessary name resolution protocols, maintaining strong access controls, and deploying effective monitoring solutions. Regular security assessments and employee awareness training are essential components of a robust defense strategy against LLMNR-based attacks.
FAQs
- What is LLMNR Poisoning?
LLMNR (Link-Local Multicast Name Resolution) Poisoning is an attack where a malicious actor responds to LLMNR name resolution requests, impersonating a legitimate network resource to capture authentication credentials. - How does LLMNR Poisoning work?
When a Windows system fails to resolve a hostname using DNS, it falls back to LLMNR. An attacker can listen for these requests and respond with their IP address, causing the victim’s system to send their NetNTLM hash to the attacker. - What tools are commonly used for LLMNR Poisoning?
Popular tools include Responder, Inveigh, and Metasploit’s auxiliary modules. Responder is the most widely used tool in penetration testing for LLMNR poisoning attacks. - How can LLMNR Poisoning be detected?
Detection can be achieved through network monitoring for suspicious LLMNR responses, analyzing Windows Event logs (Event ID 4697), and monitoring for unusual authentication attempts. - What mitigations exist for LLMNR Poisoning?
Mitigations include disabling LLMNR and NBT-NS in Group Policy, implementing strong network segmentation, requiring SMB signing, and using Network Access Control (NAC). - What credentials can be captured through LLMNR Poisoning?
LLMNR Poisoning can capture NetNTLM v1/v2 password hashes, which can then be cracked offline or used in relay attacks to authenticate to other services. - Is LLMNR Poisoning limited to Windows environments?
While LLMNR is primarily a Windows protocol, the attack can affect any system using LLMNR for name resolution, including some Linux distributions with LLMNR enabled. - What’s the relationship between LLMNR Poisoning and SMB Relay attacks?
LLMNR Poisoning is often used in conjunction with SMB Relay attacks, where captured NetNTLM hashes are immediately relayed to other systems for authentication, bypassing the need to crack the hash. - How does LLMNR Poisoning differ from DNS Spoofing?
LLMNR Poisoning targets the fallback name resolution protocol when DNS fails, while DNS Spoofing directly attacks the DNS resolution process by providing false DNS records. - What network ports are involved in LLMNR Poisoning?
LLMNR uses UDP port 5355 for name resolution queries, while the subsequent credential capture typically involves ports 445 (SMB) and 139 (NetBIOS).
