LLMNR/NBT-NS Poisoning - from Linux
A Man-in-the-Middle attack on LLMNR and NBT-NS broadcasts to capture NTLMv1/NTLMv2 password hashes. Captured hashes can be cracked offline or used in SMB Relay attacks.
LLMNR & NBT-NS Primer
- LLMNR (Link-Local Multicast Name Resolution) — fallback when DNS fails; hosts on the same local link perform name resolution for other hosts. Uses UDP port 5355.
- NBT-NS (NetBIOS Name Service) — fallback when LLMNR fails; identifies systems by their NetBIOS name. Uses UDP port 137.
The critical weakness: when LLMNR/NBT-NS are used for name resolution, any host on the network can reply. An attacker can spoof an authoritative name resolution source and capture authentication requests.
Attack Flow
- A host attempts to connect to \\print01.inlanefreight.local but mistypes it as \\printer01.inlanefreight.local; DNS responds that the host is unknown
- The host broadcasts to the local network asking if anyone knows the location of \\printer01.inlanefreight.local
- The attacker (running Responder) responds, claiming to be that host
- The victim sends an authentication request containing a username and NTLMv2 password hash
- The hash can be cracked offline or used in an SMB Relay attack
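The flow above has a detectable shape from the defender's side: a legitimate host only ever answers LLMNR/NBT-NS queries for its own name, whereas a poisoner answers for every name it hears, including names that do not exist. The following is an added example (not part of the original notes, and not Responder's or Inveigh's code) that applies both checks to a list of already-parsed name-resolution events; the event dictionary shape, the `canary-x7q2` name and the sample addresses are assumptions constructed for the demonstration, and in practice the events would be decoded from a capture on UDP 5355 (LLMNR) and UDP 137 (NBT-NS).

```python
from collections import defaultdict

# Assumed event shape: {"type": "query" | "response", "src": sender IP, "name": queried name}.
# These would normally be decoded from a packet capture on UDP 5355 / UDP 137.


def detect_poisoners(events, canary_names=(), threshold=3):
    """Return {responder_ip: [reasons]} for hosts that behave like LLMNR/NBT-NS poisoners.

    Two signals are used:
      1. any answer to a canary name (a name we know does not exist on the network);
      2. one host answering queries for `threshold` or more distinct names, which a
         legitimate host never does because it only answers for its own name.
    """
    canaries = {n.lower() for n in canary_names}
    answered = defaultdict(set)   # responder ip -> names it claimed to be
    canary_hits = defaultdict(set)

    for ev in events:
        if ev["type"] != "response":
            continue
        name = ev["name"].lower()
        answered[ev["src"]].add(name)
        if name in canaries:
            canary_hits[ev["src"]].add(name)

    findings = {}
    for ip, names in answered.items():
        reasons = []
        if ip in canary_hits:
            reasons.append("answered canary name(s): " + ", ".join(sorted(canary_hits[ip])))
        if len(names) >= threshold:
            reasons.append(f"answered {len(names)} distinct names: " + ", ".join(sorted(names)))
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample traffic mirroring the mistyped-printer scenario: 10.0.0.66 answers
# everything (poisoner), 10.0.0.21 answers only its own name (legitimate workstation).
SAMPLE_EVENTS = [
    {"type": "query",    "src": "10.0.0.5",  "name": "printer01"},
    {"type": "response", "src": "10.0.0.66", "name": "printer01"},
    {"type": "query",    "src": "10.0.0.7",  "name": "fileshare"},
    {"type": "response", "src": "10.0.0.66", "name": "fileshare"},
    {"type": "query",    "src": "10.0.0.5",  "name": "wpad"},
    {"type": "response", "src": "10.0.0.66", "name": "wpad"},
    {"type": "query",    "src": "10.0.0.9",  "name": "WS01"},
    {"type": "response", "src": "10.0.0.21", "name": "WS01"},
    {"type": "query",    "src": "10.0.0.1",  "name": "canary-x7q2"},   # name we issued ourselves
    {"type": "response", "src": "10.0.0.66", "name": "canary-x7q2"},
]

if __name__ == "__main__":
    for ip, reasons in detect_poisoners(SAMPLE_EVENTS, canary_names=["canary-x7q2"]).items():
        print(ip, "->", "; ".join(reasons))
```

The canary check is the more reliable of the two: periodically resolving a name that cannot exist and alerting on any answer has no legitimate false positive, while the distinct-name threshold catches a poisoner even when no canary is in play.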
Poisoning Tools
| Tool | Description |
|---|---|
| Responder | Purpose-built Python tool to poison LLMNR, NBT-NS, and MDNS (Linux, .exe version for Windows) |
| Inveigh | Cross-platform MITM platform in C# and PowerShell for spoofing and poisoning |
| Metasploit | Built-in scanners and spoofing modules for poisoning attacks |
Protocols Targeted (Responder & Inveigh)
LLMNR, DNS, MDNS, NBNS, DHCP, ICMP, HTTP, HTTPS, SMB, LDAP, WebDAV, Proxy Auth
Responder additionally supports: MSSQL, DCE-RPC, FTP, POP3, IMAP, SMTP auth
Using Responder
Key Options
| Flag | Purpose |
|---|---|
| -I | Network interface (required) |
| -A | Analyze mode — passive listening, no poisoning |
| -w | Start WPAD rogue proxy server (captures HTTP requests from IE with auto-detect enabled) |
| -f | Fingerprint remote host OS and version |
| -v | Verbose output |
| -F | Force NTLM/Basic auth on wpad.dat retrieval (may cause login prompt) |
| -P | Force proxy authentication (effective with -r) |
| --lm | Force LM hashing downgrade for XP/2003 and earlier |
Required Ports
UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, UDP 1434,
TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141,
TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353
Rogue servers (e.g. SMB) can be disabled in Responder.conf.
Starting Responder
sudo responder -I ens224
Run in a tmux window while performing other enumeration tasks to maximize hash collection.
Log Files
Hashes are saved to /usr/share/responder/logs in the format:
(MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
Example: SMB-NTLMv2-SSP-172.16.5.25.txt
Hashes are also stored in a SQLite database (configurable in Responder.conf).
Cracking Captured Hashes
NetNTLMv2 hashes cannot be used for pass-the-hash — they must be cracked offline.
Hashcat (Mode 5600 for NTLMv2)
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
- NTLMv2 = hash mode 5600
- NTLMv1 and other types: consult the Hashcat example hashes page
- These hashes can be slow to crack even on GPU rigs — large/complex passwords may be infeasible
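Because Responder writes one file per module, hash type and client (the Log Files section above) and repeats a line for every authentication attempt, a small triage step saves time before cracking: parse the filename, recognise whether each line is NetNTLMv2 or NetNTLMv1 by its field widths, and list unique accounts per hashcat mode. The code below is an added example, not from the original notes or from Responder; the sample log contents are constructed (the hash values are made up and crack to nothing), the filename regex assumes the module name itself contains no hyphen, and mode 5500 is hashcat's NetNTLMv1 mode (5600 for NetNTLMv2 is the one the notes give).

```python
import re
from collections import defaultdict

HEX = r"[0-9a-fA-F]"

# NetNTLMv2 line as Responder writes it: user::DOMAIN:serverchallenge(16 hex):ntproof(32 hex):blob
NTLMV2_RE = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):{HEX}{{16}}:{HEX}{{32}}:{HEX}+$")
# NetNTLMv1 line: user::DOMAIN:lmresponse(48 hex):ntresponse(48 hex):serverchallenge(16 hex)
NTLMV1_RE = re.compile(
    rf"^(?P<user>[^:]+)::(?P<domain>[^:]*):{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")
# Filename convention from the notes: (MODULE_NAME)-(HASH_TYPE)-(CLIENT_IP).txt
# (assumption: the module name contains no hyphen)
LOGNAME_RE = re.compile(
    r"^(?P<module>[^-]+)-(?P<htype>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.txt$")

# (label, hashcat mode, pattern); 5600 is from the notes, 5500 is hashcat's NetNTLMv1 mode
FORMATS = [("NTLMv2", 5600, NTLMV2_RE), ("NTLMv1", 5500, NTLMV1_RE)]


def parse_log_name(filename):
    """Split a Responder log filename into module, hash type and client IP."""
    m = LOGNAME_RE.match(filename)
    return m.groupdict() if m else None


def classify_hash(line):
    """Return (type, hashcat_mode, DOMAIN\\user) for a captured line, or None."""
    line = line.strip()
    for htype, mode, rx in FORMATS:
        m = rx.match(line)
        if m:
            return htype, mode, f"{m['domain']}\\{m['user']}"
    return None


def triage(files):
    """files: {filename: contents}. Group unique accounts by hashcat mode and
    record which client IP each account was captured from."""
    by_mode = defaultdict(set)
    clients = defaultdict(set)
    unparsed = 0
    for filename, contents in files.items():
        meta = parse_log_name(filename)
        client_ip = meta["ip"] if meta else "unknown"
        for line in contents.splitlines():
            if not line.strip():
                continue
            hit = classify_hash(line)
            if hit is None:
                unparsed += 1
                continue
            _htype, mode, account = hit
            by_mode[mode].add(account)
            clients[account].add(client_ip)
    return {"by_mode": {m: sorted(a) for m, a in by_mode.items()},
            "clients": dict(clients), "unparsed": unparsed}


# Constructed sample log files: two repeat captures for one user, one NTLMv1 capture
# from a legacy client, and one stray non-hash line to exercise the unparsed counter.
SAMPLE_LOGS = {
    "SMB-NTLMv2-SSP-172.16.5.25.txt": "\n".join([
        "forend::INLANEFREIGHT:4a1f3c9e8b2d7f60:9c2e1b7a4d6f8e0c3b5a7d9f1e2c4b6a:0101000000000000" + "ab" * 32,
        "forend::INLANEFREIGHT:0f0e0d0c0b0a0908:1f2e3d4c5b6a79880f1e2d3c4b5a6978:0101000000000000" + "cd" * 32,
        "wley::INLANEFREIGHT:1234567890abcdef:fedcba0987654321fedcba0987654321:0101000000000000" + "ef" * 32,
    ]),
    "HTTP-NTLMv1-172.16.5.40.txt": "\n".join([
        "legacy01::INLANEFREIGHT:" + "1a2b3c4d5e6f7081" * 3 + ":" + "9f8e7d6c5b4a3928" * 3 + ":1122334455667788",
        "garbled line that is not a hash",
    ]),
}

if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS)
    for mode, accounts in sorted(summary["by_mode"].items()):
        print(f"hashcat -m {mode}: {len(accounts)} unique account(s): {', '.join(accounts)}")
    print("unparsed lines:", summary["unparsed"])
```

Feeding the per-mode account list back into the decision of what to crack first matches the last takeaway below: a handful of unique accounts is far easier to reason about than the raw file, which may hold dozens of repeat lines for the same user.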
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt forend_ntlmv2
Key Takeaways
- LLMNR/NBT-NS poisoning is one of the most common ways to gain an initial foothold during internal AD assessments
- Start Responder early and let it run passively while performing other enumeration
- Cracked hashes provide cleartext credentials for credentialed enumeration or further attacks
- LLMNR/NBT-NS spoofing combined with lack of SMB signing can lead to administrative access via SMB Relay
- Collect as many hashes as possible, but prioritize cracking those for accounts that further your access