Responder

Theory:

In an Active Directory environment, multicast name resolution protocols are enabled by default.

These include:

  • LLMNR (Link-Local Multicast Name Resolution)

  • NBT-NS (NetBIOS Name Service)

  • mDNS (multicast Domain Name System).

What is LLMNR? Link-Local Multicast Name Resolution (LLMNR) is a protocol used in Windows operating systems to resolve the names of neighboring computers when DNS resolution fails. It operates by sending multicast queries to the local network segment, allowing devices to resolve each other's names without the need for a DNS server.

When DNS resolution fails, a Windows machine falls back to these multicast protocols. Windows systems attempt to resolve names in the following order: DNS, LLMNR, and NBT-NS.

An attacker can use tools like Responder, which sets up an SMB server that waits for requests. As soon as one of the multicast protocols is used, the attacker can respond to these multicast or broadcast requests.

The victims are then redirected to the attacker, who asks them to authenticate in order to access what they are asking for. Thanks to tools like Responder, their authentication is then captured and returned in the form of NetNTLMv1/v2 hashes, which can then be relayed.

Practical Exploitation:

Intercepting LLMNR Requests: You can perform a man-in-the-middle attack with the Responder tool using the LLMNR and NBT-NS protocols if they are misconfigured.

sudo responder -I eth0

Forging Responses with Responder: Responder detects incoming LLMNR and NBT-NS queries and responds with crafted malicious responses. These responses can redirect victims to the attacker's machine:

sudo responder -I eth0 -wrf

This makes the following possible:

  1. Harvesting Credentials: Responder can intercept plaintext credentials or NetNTLMv2 hashes by responding to authentication requests. When a victim attempts to access a network share, Responder captures the credentials or the NetNTLMv2 hash used for authentication.

  2. Relay Attacks and NTLM Hash Capture: Additionally, Responder can facilitate relay attacks in combination with tools like ntlmrelayx to relay captured credentials to other computers (only if SMB Signing is disabled).
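The behaviour described above (a host answering LLMNR queries for names it does not own) can be detected by querying a canary name that nothing on the network should resolve and flagging whoever answers. The following is an added example, not code from the original page or from the Responder project; the canary name `fs-canary-7q`, the function names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

def read_name(buf, off):  # returns (name, next_offset); accepts labels or a pointer
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0 == 0xC0:                  # compression pointer, 2 bytes
            return ".".join(labels).lower(), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def parse_llmnr(buf):
    """Parse one UDP/5355 payload; LLMNR reuses the DNS message layout."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = read_name(buf, 12)
    off += 4                                  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _owner, off = read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == 1 and rdlen == 4:         # A record
            addrs.append(socket.inet_ntoa(buf[off + 10:off + 14]))
        off += 10 + rdlen
    return bool(flags & 0x8000), name, addrs  # QR bit set means response

def find_poisoners(packets, canaries):
    """Return (source, name, claimed addresses) for answers to canary names."""
    hits = []
    for src, payload in packets:
        try:
            is_resp, name, addrs = parse_llmnr(payload)
        except (ValueError, IndexError, struct.error, OSError):
            continue                          # not a well-formed LLMNR message
        if is_resp and name in canaries:
            hits.append((src, name, addrs))
    return hits

# Constructed sample traffic (not a real capture); TEST-NET-1 addresses.
def question(label):
    return bytes([len(label)]) + label + bytes.fromhex("0000010001")
REPLY = bytes.fromhex("1a2b80000001000100000000")    # QR=1, QDCOUNT=1, ANCOUNT=1
A_RR = bytes.fromhex("c00c000100010000001e0004")     # ptr to QNAME, A/IN, TTL 30
SAMPLE = [("192.0.2.21", bytes.fromhex("1a2b00000001000000000000") + question(b"fs-canary-7q")),
          ("192.0.2.66", REPLY + question(b"fs-canary-7q") + A_RR + bytes([192, 0, 2, 66])),
          ("192.0.2.10", REPLY + question(b"printer01") + A_RR + bytes([192, 0, 2, 10]))]
```

`find_poisoners` takes `(source address, UDP payload)` pairs from any capture of UDP port 5355; only the reply to the canary name is reported, while the canary query itself and the reply for `printer01` are ignored.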
