BCY-ADV-2026-007
TECHNIQUE
LLMNR & NBT-NS Poisoning — Responder
MITRE T1557.001 · Silent Credential Theft · No User Interaction Required
MITRE T1557.001 · LLMNR · NetBIOS · Responder · NTLM Hashes · Network · No CVE
Prepared by Warren Barr · Barr Cyber LLC · barr-cyber.com · May 2026
What This Is
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are multicast and broadcast name resolution protocols that Windows falls back to when DNS cannot resolve a name. Any attacker on the same network segment can answer those queries, claim to be the requested host, and receive the victim's NTLM authentication attempt. What is captured is the NTLM challenge-response (Net-NTLMv1/v2), loosely called the "NTLM hash"; the victim sends it automatically, with no prompt and usually no user action at all.
This attack needs no exploit and no CVE. An attacker running Responder on a laptop plugged into or joined to the same segment silently collects Net-NTLM responses from every Windows machine whose DNS lookups fail and fall back to LLMNR or NBT-NS, which in practice happens continuously (stale drive mappings, mistyped share paths, WPAD lookups). On a hotel or office network that means potentially every Windows host on the subnet.
Technique Details
MITRE ATT&CK: T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
No CVE: Protocol design weakness — not a software bug
Tools: Responder, Inveigh, Metasploit auxiliary/spoof/llmnr/llmnr_response and auxiliary/spoof/nbns/nbns_response
Credential Type: Net-NTLMv1 / Net-NTLMv2 challenge-response pairs, crackable offline against a wordlist or relayable to another host while the connection is live
How It Works
When a Windows machine cannot resolve a hostname via DNS (a mistyped share path, a disconnected mapped drive, a network hiccup), it falls back to LLMNR (multicast to 224.0.0.252) and NBT-NS (subnet broadcast), asking the local segment "does anyone know where <hostname> is?" Responder answers "yes, it's me", the victim connects to it (typically over SMB or HTTP) and authenticates with NTLM: Responder supplies the server challenge and receives the NTLMv2 response computed from the user's NT hash. That challenge-response pair is what gets captured. The attacker can crack it offline (commonly successful against weak passwords) or, with ntlmrelayx, forward the authentication in real time to another machine and act as the victim without ever knowing the password. Relaying works only against targets that do not require SMB signing (or channel binding for LDAP/HTTP), which is why signing enforcement belongs in the fix alongside disabling the two protocols.
Detection
Check if LLMNR is disabled (PowerShell):
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
    -Name EnableMulticast -ErrorAction SilentlyContinue
# Safe result:
EnableMulticast : 0
# No output at all means the value (or the whole key) is absent, so LLMNR is at its default: enabled.
Check NetBIOS over TCP/IP status on adapters:
# TcpipNetbiosOptions: 0 = take the setting from DHCP (normally enabled), 1 = enabled, 2 = disabled
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "$($_.Description): TcpipNetbiosOptions = $($_.TcpipNetbiosOptions)" }
# Safe result: every adapter reports 2
Ethernet: TcpipNetbiosOptions = 2
Windows Event Log — look for captured or relayed authentication:
# Event ID 4648 fires on the SOURCE host only when explicit credentials are supplied
# (e.g. "net use \\host /user:..."); a poisoned SMB connection normally reuses the logged-on
# user's credentials silently, so 4648 catches only part of the activity.
# On relay TARGETS, look for 4624 with logon type 3 and 4625 failures whose source
# address is not the user's own workstation.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4648, 4624, 4625
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Id, Message | Format-List
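The event IDs above are low-fidelity. The direct test for the behaviour described under How It Works is a canary: send the same LLMNR and NBT-NS queries a victim would send, for a hostname that nobody legitimately owns, and treat any answer as a poisoner. The following is an added example for this advisory, not Responder's code or Barr Cyber's own script. It builds both query packets by hand over UDP (so it works even on a host where the resolver already has LLMNR and NetBIOS disabled) and stops at the answer, so no credentials are sent to whoever replies. The canary name, timeout and function name are this example's assumptions.

```powershell
# Added example: canary probe for LLMNR/NBT-NS poisoning. A real victim would go on to
# connect to the answering IP and authenticate; this probe only records who answered.
function Invoke-NameCanary {
    param(
        [ValidateSet('LLMNR', 'NBTNS')] [string]$Protocol = 'LLMNR',
        # NetBIOS names are at most 15 characters, so keep the canary short
        [string]$Name = ('CANARY-{0}' -f (Get-Random -Minimum 10000 -Maximum 99999)),
        [int]$TimeoutMs = 2000
    )

    $id = Get-Random -Maximum 0xFFFF
    $q  = New-Object 'System.Collections.Generic.List[byte]'
    $q.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF)))           # transaction ID

    if ($Protocol -eq 'LLMNR') {
        # RFC 4795: DNS wire format; flags 0x0000 (standard query), QDCOUNT 1, to 224.0.0.252:5355
        $q.AddRange([byte[]]@(0x00,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00))
        foreach ($label in $Name.Split('.')) {
            $q.Add([byte]$label.Length)
            $q.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
        }
        $q.AddRange([byte[]]@(0x00, 0x00,0x01, 0x00,0x01))            # root label, QTYPE A, QCLASS IN
        $dest = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    }
    else {
        # RFC 1002 NAME QUERY: flags 0x0110 (query, recursion desired, broadcast), to 255.255.255.255:137.
        # Name is upper-cased, space-padded to 15 bytes plus a 0x00 suffix byte; each byte is split
        # into two nibbles offset by 'A', giving 32 characters preceded by their length (0x20).
        $q.AddRange([byte[]]@(0x01,0x10, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00))
        $raw = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpper().PadRight(15).Substring(0, 15)) + [byte]0x00
        $q.Add(0x20)
        foreach ($b in $raw) {
            $q.Add([byte](0x41 + ($b -shr 4)))
            $q.Add([byte](0x41 + ($b -band 0x0F)))
        }
        $q.AddRange([byte[]]@(0x00, 0x00,0x20, 0x00,0x01))            # terminator, QTYPE NB, QCLASS IN
        $dest = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Broadcast, 137)
    }

    $packet = $q.ToArray()
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = $TimeoutMs
    [void]$udp.Send($packet, $packet.Length, $dest)

    $hits = @()
    try {
        while ($true) {
            $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
            $data = $udp.Receive([ref]$from)
            # Accept only replies that echo our transaction ID and carry the QR (response) bit
            if ($data.Length -ge 12 -and $data[0] -eq $packet[0] -and $data[1] -eq $packet[1] -and ($data[2] -band 0x80)) {
                $hits += [pscustomobject]@{ Protocol = $Protocol; Name = $Name; Poisoner = $from.Address.ToString() }
            }
        }
    }
    catch [System.Net.Sockets.SocketException] {
        # ReceiveTimeout elapsed: nobody (else) answered
    }
    finally {
        $udp.Close()
    }
    return $hits
}

# Nobody legitimate owns the canary name, so any row here is a poisoner on this segment
$findings = @(Invoke-NameCanary -Protocol LLMNR) + @(Invoke-NameCanary -Protocol NBTNS)
if ($findings) { $findings | Format-Table -AutoSize; Write-Warning 'LLMNR/NBT-NS poisoning detected' }
else { 'No poisoner answered the canary queries' }
```

Run it from a sensor host on each segment of interest (a scheduled task every few minutes is enough); a genuine resolver never answers for a name it does not own, so the false-positive rate is essentially zero. On a multi-homed host the default socket uses the routing table's preferred interface, so probe each segment from a host that sits on it.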
IOCs
Protocol: LLMNR (UDP 5355, multicast 224.0.0.252) and NBT-NS (UDP 137, subnet broadcast) query traffic
Attack Tool: Responder (github.com/lgandx/Responder)
Hash Type: Net-NTLMv1 / Net-NTLMv2 challenge-response pairs, written to Responder's logs/ directory
Crack Tool: Hashcat mode 5600 (NetNTLMv2) or 5500 (NetNTLMv1); mode 1000 is for NT hashes dumped from SAM or NTDS, not for Responder captures
Relay Tool: ntlmrelayx.py (Impacket), relaying to SMB (only where signing is not required), LDAP/LDAPS or HTTP
Network Traffic: unsolicited LLMNR/NBT-NS responses from an unexpected host, or any response at all to a query for a name that does not exist
Event ID 4648: logon with explicit credentials to an unexpected host (fires only when credentials were supplied explicitly, so coverage is partial)
Event ID 4624 (logon type 3) / 4625: network logons or failures on a relay target from a source address that is not the user's workstation
Mitigation — PowerShell Commands
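The following hardening script is an added example for this advisory, not the original mitigation commands from the page. Run it from an elevated PowerShell 5.1 or later session. It turns off LLMNR through the same policy key the Detection section reads, disables NetBIOS over TCP/IP on every interface (in the registry, so adapters that are currently down are covered, then through the live WMI method so the running adapters change without a reboot), and requires SMB signing on both server and client so a captured authentication cannot be relayed to this host. The function names are this example's own.

```powershell
# Added example: disable the two name-resolution fallbacks and require SMB signing,
# then report the state of each control in the same form the Detection checks use.
function Disable-NamePoisoningVectors {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. LLMNR: EnableMulticast = 0 under the DNSClient policy key (created if absent)
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if ($PSCmdlet.ShouldProcess($llmnrKey, 'Set EnableMulticast = 0')) {
        if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }

    # 2. NetBIOS over TCP/IP: NetbiosOptions 2 = disabled, written for every Tcpip_{GUID} interface
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem $ifRoot | Where-Object PSChildName -like 'Tcpip_*' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Set NetbiosOptions = 2')) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
    #    ...and applied immediately on the adapters that are up (ReturnValue 0 = ok, 1 = reboot required)
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Description, 'SetTcpipNetbios(2)')) {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            Write-Verbose "$($_.Description): SetTcpipNetbios returned $($r.ReturnValue)"
        }
    }

    # 3. SMB signing on both sides: removes the relay half of T1557.001 for this host
    if ($PSCmdlet.ShouldProcess('SMB server and client', 'RequireSecuritySignature = True')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

function Test-NamePoisoningVectors {
    # One row of pass/fail values, suitable for the engagement's documented command output
    $llmnr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue
    $nbt   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        LlmnrDisabled      = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        NetbiosAllDisabled = -not ($nbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
        SmbServerSigning   = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigning   = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}

Disable-NamePoisoningVectors -Verbose
Test-NamePoisoningVectors
```

Use -WhatIf on Disable-NamePoisoningVectors to preview the changes first. For a domain, the scalable form of step 1 is the Group Policy setting "Turn off multicast name resolution" under Computer Configuration > Administrative Templates > Network > DNS Client, and step 2 can also be pushed from DHCP; the script is the per-host equivalent and the verification function works either way.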
Sources
BCY-ADV-2026-007 · Published May 2026 · Barr Cyber LLC · Kalispell, MT
Barr Cyber — Network Hardening & Security
LLMNR and NetBIOS poisoning are disabled as standard controls in every Barr Cyber network hardening engagement — verified at registry and adapter level with command output documented.