Stealing Accounts: LLMNR and NBT-NS Spoofing

What are LLMNR and NetBIOS-NS? They’re both methods of resolving hostnames to IP addresses. On your network if you try to contact a system by name first of all DNS will be used, but if that fails LLMNR will be attempted followed by NetBIOS. LLMNR is the successor to NetBIOS and it supports IPv6 and multicast addresses.

If a user tries to access a system and it cannot be resolved (for example the user mistypes the address) then an LLMNR/NetBIOS request will be sent over multicast or broadcast respectively. An attacker can respond to these requests and cause the victim to connect to the attacker’s machine.


As always, the Metasploit Framework comes to the rescue with two modules to spoof/poison LLMNR and NetBIOS requests, those are:


However these modules will only cause the victims machine to connect to the attacker and won’t capture password hashes on their own, so they should be combined with these two that will!


Start the two auxiliary modules which will run as background jobs then start at least one of the capture modules (you can run both together) but remember to set an output file to make things easy:

set JOHNPWFILE /tmp/smbhashes.john 

The next step is simply patience! Wait a little while and you’re .john file will be filled with hashes from vulnerable machines – these can be cracked with John the Ripper.


There’s an alternative tool to Metasploit, since it’s always good to have a plan B. That comes in the form of Responder, a simple automated tool available from here:

It’s not hard to get running though and it’s simple and feature packed, supporting LLMNR, NetBIOS and MDNS poisoning as well as rogue HTTP/SMB/MSSQL/FTP/LDAP servers. Which modules are enabled or disabled can all be configured from within Responder.conf, but if you just want to get it up, running and poisoning for you simply run:

python -i local-ip -I interface 
python -i -I enp0s20 

Once it captures a hash it’ll display it to stdout for you!

Defending Against LLMNR and NBT-NS Poisoning

Generally speaking LLMNR and NetBIOS-NS are not required on networks and can be disabled, effectively preventing this attack. However it must be disabled on each machine on the network. So here’s the easiest way I could find to do this:

Disable LLMNR

LLMNR can be disabled estate wide through group policy:

Open Group Policy editor: Start -> Run -> gpedit.msc
Navigate to DNS Client: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client
Set “Turn Off Multicast Name Resolution” to Enabled.

Disable NetBIOS

A lot of blogs and article sites offer a very manual method of disabling NetBIOS which involves reconfiguring each interface of each machine on the network, as an alternative the following script can be set as a startup script across all machines on the network and effectively disables NetBIOS over TCP/IP on each interface automatically on system startup:

Disable NetBT on boot – you can use group policy to set the following PowerShell script to run on boot:

set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

If you don’t have PowerShell available then the following VBS can do it too:

WScript.Echo "[ ] Disabling NetBIOS on All Interfaces"

Set ObjWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv")
ObjWMI.EnumKey &H80000002, "SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces", arrSubKeys

If IsNull(arrSubKeys) Then WScript.Quit

WScript.Echo "[*] Searching for Network Adapaters."
For Each Adapter In arrSubKeys
 WScript.Echo "[+] Disabling NetBT on " & Adapter
 objWMI.SetDWORDValue &H80000002, "SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" & Adapter, "NetbiosOptions", 2

WScript.Echo "[+] DONE: Disabling NetBIOS on All Interfaces"

Read More