# LLMNR Poisoning with Responder

## LLMNR Protocol

{% embed url="<https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials>" %}

## Attack

Run Responder in the morning and at lunchtime, when users log on and log off. Responder is part of the [Impacket Python library](https://www.secureauth.com/labs/open-source-tools/impacket/).

```
python /usr/share/responder/Responder.py -I eth0 -rdw -v
```

Responder listens for events related to the LLMNR, NBT-NS, and DNS/MDNS protocols. It also spins up many services to attract targets, for example HTTP, WPAD, SMB, SQL, LDAP, RDP, and so on.

Wait for responses, grab the NTLMv2 hashes, and crack them using [hashcat](https://hashcat.net/hashcat/).

```
hashcat -m 5600 gathered-ntlmn-hashes.txt wordlist.txt
```

## Remediation

Disable LLMNR and NetBIOS-NS, and use strong passwords that are hard to crack (longer than 14 characters).
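
One way to audit and apply the "disable LLMNR and NetBIOS-NS" step on a single Windows host, as an added example that is not part of the original page. The `-Apply` switch and the function name are this script's own; the registry values are the standard LLMNR policy value (`EnableMulticast`) and the per-interface NetBT `NetbiosOptions` value.

```powershell
# Added example: audit (default) or disable (-Apply) LLMNR and NetBIOS over TCP/IP.
# Run from an elevated PowerShell prompt. -Apply is this script's own switch.
param([switch]$Apply)

$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NameResolutionState {
    # LLMNR counts as disabled only when EnableMulticast exists and equals 0.
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{ Setting = 'LLMNR'; Target = 'DNSClient policy'
                       Value = $llmnr; Disabled = ($llmnr -eq 0) }

    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    Get-ChildItem -Path $netbtRoot | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Setting = 'NetBIOS'; Target = $_.PSChildName
                           Value = $opt; Disabled = ($opt -eq 2) }
    }
}

if ($Apply) {
    # Create the policy key if no policy has ever been written, then turn LLMNR off.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every interface NetBT knows about.
    Get-ChildItem -Path $netbtRoot | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

# Report the resulting state and fail if anything is still answering.
$state = Get-NameResolutionState
$state | Format-Table -AutoSize
if ($state.Disabled -contains $false) {
    Write-Warning 'LLMNR or NetBIOS name resolution is still enabled on this host.'
    exit 1
}
```

In a domain, the LLMNR half is normally deployed through the Group Policy setting "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client), which writes the same `EnableMulticast` value.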
