Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows IPv4/IPv6 hosts on the same local network to resolve each other's names without a DNS server. It acts as a fallback for name resolution when DNS fails, but is considered insecure due to its vulnerability to spoofing and redirection attacks.

Key Aspects of LLMNR

Purpose: To provide hostname resolution for devices (like printers or workstations) on the same local network segment when a DNS server is unavailable.

Functionality: If DNS fails, a host sends a multicast query (UDP port 5355) asking for the IP address of a name, and the machine with that name responds directly.

Implementation: Enabled by default in Windows Vista and later; it is also implemented in systemd-resolved for Linux.

Security Risks: Because there is no authentication mechanism, an attacker on the same network can respond to LLMNR queries (poisoning) to intercept traffic, leading to credential theft.

Recommendations: It is highly recommended to disable LLMNR in corporate environments to prevent machine-in-the-middle attacks.

Alternatives: Modern networks favor mDNS (Multicast DNS) as a more secure, standard alternative.

How to Disable LLMNR (Windows)

1. Open the Local Group Policy Editor (gpedit.msc).
2. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
3. Double-click Turn off multicast name resolution.
4. Select Enabled to disable the protocol.
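Because LLMNR reuses the DNS wire format with no authentication, a defender can probe a segment for poisoners by asking for a canary name that no host owns: any answer at all is a spoofed reply. The following is an added example, not code from the page or any tool it mentions; it builds such a query, parses LLMNR packets, and evaluates a constructed sample response (the name "canary-host", transaction ID 0x1234 and address 192.0.2.66 are all invented for the example). Sending the query to the LLMNR multicast group on UDP 5355 and collecting replies is left to the caller.

```python
import ipaddress
import struct

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Encode an LLMNR query for an A record: DNS header (QR=0, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN

def _read_name(data: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed DNS name at off (lower-cased: LLMNR names compare case-insensitively)."""
    labels = []
    while (length := data[off]) != 0:
        if length & 0xC0:                                          # compression pointer: rejected to keep this small
            raise ValueError("compressed name not supported")
        labels.append(data[off + 1:off + 1 + length].decode("ascii", "replace").lower())
        off += 1 + length
    return ".".join(labels), off + 1                               # +1 skips the terminating zero label

def parse_llmnr_packet(data: bytes) -> dict:
    """Parse header, question names and A/AAAA answers of an LLMNR query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = _read_name(data, off)
        off += 4                                                   # skip QTYPE and QCLASS
        questions.append(qname)
    for _ in range(an):
        _rname, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype in (1, 28):                                       # A or AAAA: decode the address
            answers.append(str(ipaddress.ip_address(data[off:off + rdlen])))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def check_canary_response(query: bytes, response: bytes) -> list[str]:
    """Addresses claimed for the canary name (empty = clean); nobody owns the canary, so any match is spoofed."""
    sent, got = parse_llmnr_packet(query), parse_llmnr_packet(response)
    if not got["is_response"] or got["id"] != sent["id"] or got["questions"] != sent["questions"]:
        return []
    return got["answers"]

# Constructed sample capture (not real traffic): the reply a poisoner would send to query 0x1234
# for "canary-host", claiming 192.0.2.66 (an RFC 5737 documentation address).
CAPTURED_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"          # header: ID 0x1234, QR=1, 1 question, 1 answer
    b"\x0bcanary-host\x00\x00\x01\x00\x01"                         # question: canary-host, A, IN
    b"\x0bcanary-host\x00\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04" # answer: same name, A, IN, TTL 30, RDLENGTH 4
    b"\xc0\x00\x02\x42"                                            # RDATA: 192.0.2.66
)
```

A non-empty result from check_canary_response identifies the address a poisoner is advertising for itself, which is the host to investigate; a clean segment never answers for the canary.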

LLMNR (Link-Local Multicast Name Resolution) penetration testing exploits a Windows protocol designed for local network name resolution when DNS fails. Testers use tools like Responder to trick machines into revealing user hashes, enabling credential hijacking or relay attacks on local networks. It is often tested alongside mDNS and NetBIOS-NS.

Usage Examples & Techniques (LLMNR/NBT-NS Pentest)

Hash Harvesting: Actively listening for network misconfigurations to capture NTLMv2 hashes from machines looking for invalid network shares (e.g., typos in file paths).

Credential Relay (SMB Relay): Forwarding captured hashes to other machines on the network to execute remote commands or gain unauthorized access before the user attempts to log in.

Man-in-the-Middle (MitM): Spoofing a legitimate service (like a network printer or server) to force authentication to the attacker's machine.

Synonyms/Related Techniques

Responder Attack
LLMNR/NBT-NS Poisoning
NetBIOS Name Service (NBT-NS) Spoofing
Multicast DNS (mDNS) Poisoning

Key Aspects

Mechanism: LLMNR works by multicasting a query to all hosts on a subnet if DNS fails, allowing attackers to reply first and masquerade as the requested resource.

Risk: It is considered a legacy protocol and is often disabled in secure environments to prevent these exact vulnerabilities.
