What is an LLMNR attack and how to mitigate it
Before diving into the attack scenario, let’s first understand the attack surface and an important part of the network: the Domain Name System (DNS).
Domain Name System (DNS) -
DNS maps human-readable domain names to IP addresses. Systems on the network only reach each other by IP address, so every name a user types has to be translated into an address before anything else can happen. That translation is the core function of a DNS server, and it is what the fallback protocols below step in for when DNS has no answer.
Link-Local Multicast Name Resolution (LLMNR) -
LLMNR is a fallback name-resolution protocol built into Windows. When DNS cannot resolve a name, the client multicasts the same query to every host on the local subnet (UDP port 5355, multicast group 224.0.0.252) and trusts whichever host answers first, with no authentication of the responder. Let’s walk through how that plays out in a network.
In an Active Directory network, when a client tries to access a resource (for example a file share) on a server in the same network, a name-resolution query is performed to find the server’s IP address. The ideal flow, and what happens when it goes wrong, looks like this:
1. The client types the correct server name, DNS returns the server’s IP address, and the client uses the resource.
2. Now assume the client mistypes the server name. The DNS server has no record for that name, so instead of returning an address it replies that the name does not exist (NXDOMAIN).
3. The client then falls back to LLMNR and sends a multicast query to every system on the local network asking who owns the mistyped name (and, where NBT-NS is also enabled, a NetBIOS broadcast on UDP 137). No legitimate system knows the name, so none of them answers. This is where an attacker steps in and replies: “that name is me, here is my IP address.”
4. The client trusts the answer, connects to the attacker’s machine (typically over SMB) and tries to authenticate. In doing so it completes an NTLM challenge-response with the attacker, who captures the resulting NetNTLMv2 hash with a tool such as Responder.
5. With the captured hash the attacker can crack it offline with tools like hashcat and recover the user’s password. Note that a captured NetNTLMv2 response cannot be used for pass-the-hash (that needs the NT hash itself), but it can be relayed to another host that accepts NTLM authentication (for example with ntlmrelayx) when SMB signing is not enforced there, giving the attacker access as that user and thereby compromising the user’s security.
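To make steps 3 and 4 concrete, here is the exchange at the packet level. This is an added example written for this post, not code from the original article or from Responder: it builds the LLMNR query a Windows client would multicast for a mistyped name, the spoofed answer a poisoner sends back, and parses both using the RFC 4795 wire format (which is the DNS message format). The hostname fileservr01, the transaction ID 0x1234 and the attacker address 10.0.0.66 are constructed values; the next step, the client connecting to that address over SMB and handing over an NTLM response, is outside what this snippet does.

```python
"""LLMNR query / spoofed-response exchange (RFC 4795 wire format).

Added example, not from the original post or from Responder. The hostname,
transaction ID and attacker address used below are constructed values.
"""
import struct
from dataclasses import dataclass, field

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group every LLMNR query is sent to
LLMNR_PORT = 5355             # UDP port used for both queries and responses
QTYPE_A = 1                   # IPv4 address record
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode labels starting at off; returns (name, offset just past the name).

    LLMNR messages are not compressed in practice, so a DNS compression pointer
    (top two bits of the length set) is rejected instead of followed.
    """
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not supported in LLMNR")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


@dataclass
class LLMNRMessage:
    txid: int
    is_response: bool
    questions: list = field(default_factory=list)  # (name, qtype, qclass)
    answers: list = field(default_factory=list)    # (name, rtype, ttl, rdata)


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The packet a client multicasts after DNS returned NXDOMAIN for the name."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_message(buf: bytes) -> LLMNRMessage:
    """Parse the 12-byte header, the question section and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    msg = LLMNRMessage(txid=txid, is_response=bool(flags & 0x8000))  # QR bit
    off = 12
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        msg.questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render the A record as dotted quad
        msg.answers.append((name, rtype, ttl, rdata))
    return msg


def build_spoofed_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner does: echo the victim's txid and question, answer with its own IP.

    Nothing checks whether the name exists anywhere; every A query gets the same address.
    """
    q = parse_message(query)
    name, qtype, qclass = q.questions[0]
    header = struct.pack("!HHHHHH", q.txid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def resolve_via_poisoner(name: str, attacker_ip: str, txid: int = 0x1234) -> str:
    """Round trip: victim query -> attacker's spoofed reply -> address the victim will connect to."""
    query = build_query(txid, name)
    reply = build_spoofed_response(query, attacker_ip)
    parsed = parse_message(reply)
    if not parsed.is_response or parsed.txid != txid:
        raise ValueError("reply does not match the query")
    return parsed.answers[0][3]


if __name__ == "__main__":
    # Constructed scenario: the user meant \\fileserver01 but typed \\fileservr01.
    victim_query = build_query(0x1234, "fileservr01")
    print(parse_message(victim_query))
    print("victim will connect to:", resolve_via_poisoner("fileservr01", "10.0.0.66"))
```

Two things worth noticing: the client only matches the reply on the transaction ID it chose, so anything on the subnet that sees the multicast can answer, and the poisoner answers every name with the same address. That second behaviour is also the easiest way to spot poisoning: a query for a name that should not exist (a canary hostname) getting an A record back from some host on the LAN.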
Mitigation -
1. The best protection is to disable LLMNR and NBT-NS (NetBIOS Name Service, the older protocol that LLMNR was designed to replace) on every domain machine. LLMNR is turned off through Group Policy under Computer Configuration > Policies > Administrative Templates > Network > DNS Client > “Turn off multicast name resolution” (set to Enabled), which writes the registry value EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. NBT-NS is disabled per network adapter (“Disable NetBIOS over TCP/IP” in the WINS tab of the adapter’s advanced TCP/IP settings), which is usually scripted or pushed through DHCP at scale. After rolling this out, confirm that no host on the subnet is still sending traffic to UDP 5355 or UDP 137; a single forgotten machine is enough for the attack to work against that machine’s user.
2. A strong password still matters: if a hash is captured anyway, a long random password makes offline cracking impractical, and the captured NetNTLMv2 response cannot simply be replayed as pass-the-hash. It does not stop NTLM relay, though, so enforce SMB signing on servers so that a relayed authentication is rejected.
If you enjoyed the blog, a clap would mean a lot to me. It keeps me motivated to post more content on Twitter and in blogs.
Networking-
Hope this write-up was helpful. Collaboration and networking are something I always enjoy. Let’s connect:
Twitter -
Linkedin -
Happy hacking !!!
If you have reached this far, thank you for reading this article. Please feel free to point out any mistakes and let me know where I can improve in writing and explaining in detail. I appreciate it! All the best.