LLMNR (Link-Local Multicast Name Resolution) is a protocol used by Windows machines to resolve hostnames on a local network when DNS fails. It operates over multicast: a machine sends a query to the whole subnet asking “Who has this hostname?” and any machine on the subnet can respond.
LLMNR poisoning occurs when an attacker responds to these queries with their own IP, impersonating the requested host. When a victim attempts to authenticate to the fake host (e.g., accessing a file share), their system sends authentication data, including NTLM hashes, to the attacker. These hashes can then be captured and potentially cracked offline to obtain the plaintext password.
In short: LLMNR poisoning exploits the trust in local network name resolution to trick victims into revealing credentials to a malicious machine.
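
A detection-side view of the behaviour described above, as an added example that is not part of the original page. It parses LLMNR responses (UDP port 5355, DNS-style message layout per RFC 4795) and flags any address that is offered as the answer for several different hostnames, since a legitimate host only answers for its own name. The function names, the threshold heuristic and the sample hostnames and addresses are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
def read_name(buf, off):
    """Decode an uncompressed name; return (name, next offset). A pointer yields ""."""
    labels = []
    while buf[off]:
        if buf[off] & 0xC0:                  # compression pointer ends the name
            return "", off + 2
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii", "replace"))
        off += 1 + buf[off]
    return ".".join(labels).lower(), off + 1

def parse_response(payload):
    """Return (queried name, [IPv4 answers]) for an LLMNR response, else None."""
    _id, flags, qd, an = struct.unpack("!4H", payload[:8])
    if not flags & 0x8000 or qd != 1 or an == 0:   # QR bit clear means a query
        return None
    name, off = read_name(payload, 12)
    addrs, off = [], off + 4                 # step over QTYPE and QCLASS
    for _ in range(an):
        off = read_name(payload, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == 1 and rdlen == 4 and len(payload) >= off + 14:   # A record
            addrs.append(".".join(map(str, payload[off + 10:off + 14])))
        off += 10 + rdlen
    return name, addrs

def poisoning_suspects(payloads, threshold=2):
    """Map answered IPv4 -> names, for addresses claimed for >= threshold names."""
    claimed = defaultdict(set)
    for payload in payloads:
        try:
            name, addrs = parse_response(payload) or ("", [])
        except (struct.error, IndexError):
            continue                         # truncated or malformed datagram
        for ip in (addrs if name else []):
            claimed[ip].add(name)
    return {ip: sorted(n) for ip, n in claimed.items() if len(n) >= threshold}

def build_response(txid, name, ip):
    """Constructed sample data: an LLMNR response with one A record for `name`."""
    q = bytes([len(name)]) + name.encode() + b"\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0) + q + rr

# Constructed capture of UDP/5355 payloads; 192.0.2.0/24 is a documentation range.
SAMPLE = [build_response(i, n, ip) for i, (n, ip) in enumerate([
    ("fileserver", "192.0.2.21"), ("fileservr", "192.0.2.66"),
    ("prnt01", "192.0.2.66"), ("intranet-app", "192.0.2.66")])]
```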