In the context of CompTIA PenTest+, LLMNR/NBT-NS poisoning is a prevalent Man-in-the-Middle (MITM) attack technique utilized during the exploitation phase to capture credentials or gain unauthorized access. Windows environments rely on Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) as fallback protocols when standard DNS resolution fails. This usually happens when a user mistypes a server address (e.g., entering '\\printers' instead of '\\printer') or requests a host that does not exist in the DNS records.
Unlike DNS, which queries a specific authoritative server, these fallback protocols broadcast requests to the entire local subnet, effectively asking every machine whether it is the requested host. The vulnerability lies in the fact that these protocols accept any response without authenticating its source.
Using tools like Responder or Inveigh, a penetration tester listens for these broadcast requests. When a victim broadcasts a query, the attacker's tool instantly spoofs a response, claiming to be the requested server. The victim's machine, accepting this spoofed identity, attempts to authenticate to the attacker to access resources. During this handshake, the victim sends their username and NTLMv2 password hash.
Once captured, the attacker has two primary vectors for exploitation: offline cracking and relaying. In offline cracking, the attacker uses tools like Hashcat to recover the plaintext password from the captured hash. Alternatively, in an SMB Relay attack, the attacker forwards the captured credentials to another machine on the network. If SMB signing is disabled and the victim has administrative privileges on the target, the attacker can execute code remotely without ever knowing the actual password. Mitigation requires disabling LLMNR via Group Policy, disabling NBT-NS on network adapters, and enforcing SMB signing.
LLMNR and NBT-NS Poisoning Guide
Why is it Important?
LLMNR/NBT-NS poisoning is a critical concept for the CompTIA PenTest+ because it represents one of the most common and effective internal network attacks found in Windows Active Directory environments. It allows attackers to effortlessly capture user credentials (specifically NTLMv2 hashes) simply by waiting for network traffic, often leading to initial access or lateral movement without triggering aggressive alarms.
What is it?
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are legacy fallback protocols used by Microsoft Windows to resolve hostnames when the primary method (DNS) fails. They operate on the local subnet via broadcast or multicast.
How it Works
The attack flow typically follows these steps:
1. DNS Failure: A user attempts to access a resource (e.g., a file share) but mistypes the name (e.g., typing \\prntserver instead of \\printserver). The DNS server cannot resolve this name.
2. Broadcast Query: The victim's machine falls back to LLMNR or NBT-NS and broadcasts a query to the entire local subnet: "Does anyone know the IP address of prntserver?"
3. The Poisoning: An attacker running a tool like Responder listens for these broadcasts. The tool replies to the victim: "Yes, I am prntserver, here is my IP."
4. Credential Capture: The victim machine believes the attacker is the legitimate server and attempts to authenticate, sending the user's username and NTLMv2 hash to the attacker.
5. Exploitation: The attacker captures this hash to crack it offline (using Hashcat or John the Ripper) or relays it to another machine (SMB Relay) to gain access.
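The following PowerShell is an added example, my own code rather than anything from this guide or from Responder or Inveigh. It builds the LLMNR query from step 2 on the wire (the DNS message layout LLMNR reuses on UDP 5355 to multicast 224.0.0.252), parses an answer of the kind a poisoner sends in step 3, and turns that into a canary check a defender can run: a query for a name that cannot exist should get no answer at all, so every host that does answer is poisoning name resolution. The function names (New-LlmnrQuery, Read-LlmnrName, Read-LlmnrResponse, Find-LlmnrPoisoner) and the constructed sample reply pointing at 192.168.1.200 are assumptions of this example, not values from the guide.

```powershell
# Added example, not code from the guide or from Responder/Inveigh. Function names
# are my own; the wire format is the DNS message layout that LLMNR reuses on
# UDP 5355 / multicast 224.0.0.252 (RFC 4795). Runs as an ordinary user.

function New-LlmnrQuery {
    # Standard query for one A record: 12-byte header, then QNAME/QTYPE/QCLASS.
    param([string]$Name, [int]$TransactionId = 0x1234)
    $b = New-Object System.Collections.Generic.List[byte]
    # ID, flags 0x0000 (query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $b.AddRange([byte[]]@(($TransactionId -shr 8), ($TransactionId -band 0xFF), 0,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.Split('.')) {              # length-prefixed labels
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length); $b.AddRange($lb)
    }
    $b.Add([byte]0)                                     # root terminator
    $b.AddRange([byte[]]@(0,1, 0,1))                    # QTYPE=A, QCLASS=IN
    return ,$b.ToArray()
}

function Read-LlmnrName {
    # Reads a DNS-style name at $Offset (compression pointers supported);
    # returns the dotted name and the offset just past it.
    param([byte[]]$Packet, [int]$Offset)
    $labels = @(); $resume = -1
    while ($true) {
        $len = [int]$Packet[$Offset]
        if ($len -eq 0) { $Offset++; break }
        if (($len -band 0xC0) -eq 0xC0) {               # 2-byte pointer: follow it, resume after it
            if ($resume -lt 0) { $resume = $Offset + 2 }
            $Offset = (($len -band 0x3F) -shl 8) -bor $Packet[$Offset + 1]
            continue
        }
        $labels += [System.Text.Encoding]::ASCII.GetString($Packet, $Offset + 1, $len)
        $Offset += 1 + $len
    }
    if ($resume -ge 0) { $Offset = $resume }
    return ($labels -join '.'), $Offset
}

function Read-LlmnrResponse {
    # Emits one object per A-record answer; emits nothing if the packet is not a response.
    param([byte[]]$Packet)
    if ($Packet.Length -lt 12 -or ($Packet[2] -band 0x80) -eq 0) { return }   # QR bit clear
    $qd = ($Packet[4] -shl 8) -bor $Packet[5]; $an = ($Packet[6] -shl 8) -bor $Packet[7]
    $pos = 12
    for ($i = 0; $i -lt $qd; $i++) { $null, $pos = Read-LlmnrName $Packet $pos; $pos += 4 }   # skip questions
    for ($i = 0; $i -lt $an; $i++) {
        $name, $pos = Read-LlmnrName $Packet $pos
        $type  = ($Packet[$pos] -shl 8) -bor $Packet[$pos + 1]
        $rdlen = ($Packet[$pos + 8] -shl 8) -bor $Packet[$pos + 9]
        $pos += 10                                      # TYPE, CLASS, TTL, RDLENGTH
        if ($type -eq 1 -and $rdlen -eq 4) {
            $ip = [System.Net.IPAddress]::new([byte[]]$Packet[$pos..($pos + 3)])
            [pscustomobject]@{ Name = $name; Address = $ip.ToString() }
        }
        $pos += $rdlen
    }
}

function Find-LlmnrPoisoner {
    # Canary check: ask for a name nobody owns, then record every host that claims it.
    param([string]$CanaryName = ('canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)), [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $dest = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse('224.0.0.252')), 5355
    $from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
    $query = New-LlmnrQuery -Name $CanaryName
    [void]$udp.Send($query, $query.Length, $dest)
    try {
        while ($true) {                                 # keep reading until the receive timeout fires
            $data = $udp.Receive([ref]$from)
            foreach ($a in (Read-LlmnrResponse $data)) {
                [pscustomobject]@{ Responder = $from.Address.ToString(); ClaimedName = $a.Name; ClaimedAddress = $a.Address }
            }
        }
    } catch [System.Net.Sockets.SocketException] { }    # timeout: listen window is over
    finally { $udp.Close() }
}

# Constructed sample (offline): a poisoner's reply to the guide's "prntserver" query.
$resp = New-LlmnrQuery -Name 'prntserver'
$resp[2] = 0x80; $resp[7] = 1                           # QR=1 (response), ANCOUNT=1
$rr = [byte[]]@(0xC0,0x0C, 0,1, 0,1, 0,0,0,30, 0,4, 192,168,1,200)   # NAME=pointer to QNAME, A, IN, TTL 30, RDATA
Read-LlmnrResponse ([byte[]]($resp + $rr))

# Live use on a lab subnet: every row returned is a host answering for a name that does not exist.
# Find-LlmnrPoisoner
```

The offline part parses the constructed reply back into the claimed name and address, which is exactly the pair the victim in step 4 acts on. Run periodically, Find-LlmnrPoisoner gives a cheap signal for step 3 happening on a segment: a legitimate network never answers the canary, so a non-empty result is worth an investigation of the responding address.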
Exam Tips: Answering Questions on LLMNR/NBT-NS Poisoning
To successfully answer exam questions regarding this topic, focus on the following key associations:
1. Identify the Tool: If a scenario mentions capturing hashes from broadcast traffic or spoofing name resolution, the answer is usually Responder. If asked how to analyze this traffic, the answer is Wireshark.
2. Identify the Remediation: You will likely be asked how to fix this vulnerability. The correct answer is to disable LLMNR via Group Policy (Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client) and disable NBT-NS via Network Adapter settings (WINS tab). Do not choose "Implement SMB Signing" as a fix for the poisoning itself; SMB signing prevents the relaying of the hash, not the capture.
3. Recognize the Scenario: Look for keywords like "legacy protocols," "name resolution failure," "broadcast traffic," or "MitM" (Man-in-the-Middle). If a question describes a penetration tester sitting on a LAN and passively gathering credentials without port scanning, they are likely performing LLMNR/NBT-NS poisoning.
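As an added example (my own code, not the guide's), the following PowerShell audits the three controls named under remediation on a local host and can enforce them. It relies on the registry values that the named Group Policy setting (DNS Client > "Turn off multicast name resolution") and the per-adapter WINS-tab choice write, and on the built-in SmbShare cmdlets; the function names Get-NameResolutionHardening and Set-NameResolutionHardening are assumptions of this example. It keeps the guide's distinction: the first two controls stop the capture, SMB signing stops only the relay.

```powershell
# Added example, my own code rather than the guide's. Registry paths are the ones the
# named Group Policy ("Turn off multicast name resolution") and WINS-tab settings write;
# the SMB cmdlets come from the built-in SmbShare module. Run in an elevated session.

function Get-NameResolutionHardening {
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

    # 1. LLMNR off: EnableMulticast=0 is what the DNS Client policy writes. A missing value
    #    means the default (LLMNR enabled), so it counts as a failure.
    $mc = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrStatus = if ($mc -eq 0) { 'OK' } else { 'FAIL' }

    # 2. NBT-NS off on every TCP/IP interface: NetbiosOptions 2 = "Disable NetBIOS over TCP/IP"
    #    (0 = take the DHCP setting, 1 = enabled), i.e. the per-adapter WINS-tab choice.
    $nbtOn = foreach ($iface in Get-ChildItem -Path $netbtKey) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $iface.PSChildName }
    }
    $nbtStatus = if (-not $nbtOn) { 'OK' } else { "FAIL on: $($nbtOn -join ', ')" }

    # 3. SMB signing required on both sides. This blocks the relay of a captured hash; it does
    #    nothing about the capture itself, which only controls 1 and 2 prevent.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $smbStatus = if ($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature) { 'OK' } else { 'FAIL' }

    [pscustomobject]@{ Control = 'LLMNR disabled (EnableMulticast=0)';            Stops = 'capture'; Status = $llmnrStatus }
    [pscustomobject]@{ Control = 'NBT-NS disabled on all interfaces (NetbiosOptions=2)'; Stops = 'capture'; Status = $nbtStatus }
    [pscustomobject]@{ Control = 'SMB signing required (server and client)';     Stops = 'relay';   Status = $smbStatus }
}

function Set-NameResolutionHardening {
    # Local enforcement of the same three controls. In a domain, set them through the GPO the
    # guide names instead, so they are applied centrally and re-applied if a host drifts.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Type DWord -Value 0

    # SetTcpipNetbios(2) on each IP-enabled adapter = "Disable NetBIOS over TCP/IP" on its WINS tab.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null }

    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

Get-NameResolutionHardening | Format-Table -AutoSize
```

The Stops column encodes the exam point from tip 2: if the audit shows SMB signing OK but LLMNR or NBT-NS FAIL, hashes can still be captured and cracked offline; only the relay path is closed. Re-run the audit after applying Set-NameResolutionHardening, and note that a new adapter added later starts with NetBIOS in the DHCP-controlled state, which is why the per-interface check is the one worth scheduling.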