Victim tries to access a share

• A user types in \\\\fileserver\\share or an application references that UNC path.
• If DNS can’t resolve fileserver, Windows falls back to LLMNR.

Victim broadcasts query

Who has FILESERVER? (LLMNR request)

Attacker (Responder) replies

I am FILESERVER, my IP is 192.168.1.50

Victim connects to attacker

• Now the victim thinks the attacker is \\\\fileserver.
• It tries to access \\\\192.168.1.50\\share.

Windows automatically sends NTLM authentication

• Victim machine sends:
  • Username (e.g., CORP\\alice)
  • Domain/workstation info
  • NTLMv2 challenge-response hash

Example captured by Responder:

Username: CORP\\alice
Hostname: VICTIM-PC
NTLMv2 Hash: alice::CORP:1122334455667788:99aabbccddeeff...

Attacker now has the hash

• This can be:
  • Cracked offline with tools like hashcat
  • Or used in relay attacks to authenticate to another system without cracking (if SMB signing isn’t enforced).