What is LLMNR poisoning attack?

What is LLMNR Poisoning Attack - Securium Solutions

March 17, 2023 / By Securium Solutions

Hello everyone, I hope all of you are doing well. Today I am going to introduce you to a new attack that we should perform during pentesting or red team engagement. As you may know, mostly we exploit services more than vulnerabilities in the active directory. So, LLMNR poisoning attack is also a service of active directory.

Let’s start discussing with LLMNR poisoning attack and how can we poision it.

LLMNR (Link-Local Multicast Name Resolution) is a protocol used in Windows operating systems to resolve hostnames to IP addresses in local networks. It usually does its work when DNS fails to resolve the hostname or any share name .

However, LLMNR poisoning attack is a security threat that can exploit this protocol to intercept traffic, steal credentials, and conduct man-in-the-middle attacks. This attack works by sending fake LLMNR responses to a target machine, tricking it into sending sensitive information to the attacker instead of the intended recipient.

LLMNR poisoning attack can be carried out in various ways, attacker listens to the interface by which he/she is connected with active the directory, and when the victim request for wrong share or host the attacker sends a fake acknowledgment message and get his password NTLM hash.

Now we should see a bit more details about how to do a successful attack if LLMNR poisoning attack is enabled in the victim’s machine.

In our case, we will need kali in the same network in which the active directory is and two tools responder for capturing NTLM hash and hashcat for cracking the hash.

First, install the responder in your kali linux.

$ sudo apt install responder

                                                                                                            Installing Responder in Linux

Now, we have to start the responder to listen to the LLMNR poisoning request, and if any user requests the wrong host or shares a name we will get the NTLM hash.

To start a listener we have to assign an interface here I am using eth0 and you can see using “ifconfig” command in linux.

$ responder -I eth0

                                                                                                                Started responder on eth0

Now we have done our task, now we have only wait for if any body requests for the wrong share or host.

If any victim does so, we will get its NTLM hash.

                                                                                                                   Responder captured NTLM hash

To remediate LLMNR poisoning attack, there are a few steps that can be taken:

– Disable LLMNR poisoning attack on all devices on the network, if possible. This can help prevent the attack from being successful.

Implement secure network protocols, such as DNS-over-HTTPS or DNS-over-TLS, which encrypt DNS traffic and help prevent interception and manipulation by attackers.

– Use a network monitoring tool to detect and alert any suspicious LLMNR traffic.

– Educate employees on the risks of LLMNR poisoning attack and other types of network attacks, and implement security policies that enforce best practices for network security.


Monika Sharma

Cyber Security Intern

Table of Contents

Social Media