LLMNR Poisoning with Responder

Link-Local Multicast Name Resolution (LLMNR): a host that answers a name query receives the requesting client's username and password hash.

LLMNR Protocol

Attack

Run Responder in the morning and at lunchtime, when users log on and log off. Responder is part of the Impacket Python library.

python /usr/share/responder/Responder.py -I eth0 -rdw -v

Responder listens for events related to the LLMNR, NBT-NS, and DNS/MDNS protocols. It also spins up many services to attract targets, for example HTTP, WPAD, SMB, SQL, LDAP, RDP, and so on.

Wait for responses, grab the NTLMv2 hashes, and crack them using hashcat.

hashcat -m 5600 gathered-ntlmn-hashes.txt wordlist.txt

Remediation

Disable LLMNR and NetBIOS-NS, and use strong passwords that are hard to crack (more than 14 characters).
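
One way to check and apply the first part of this remediation on a single Windows host, as an added example that is not part of the original page. It assumes an elevated PowerShell session; the -Fix switch and the function names are this script's own.

```powershell
# Added example: audit (and with -Fix, disable) LLMNR and NetBIOS over TCP/IP.
# Run from an elevated PowerShell prompt.
param([switch]$Fix)   # hypothetical switch defined by this script

# Policy key behind the "Turn off multicast name resolution" setting.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# One subkey (Tcpip_{GUID}) per network interface.
$nbtRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # EnableMulticast = 0 disables LLMNR; a missing value means it is still on.
    $v = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
            -ErrorAction SilentlyContinue).EnableMulticast
    if ($v -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-NbtState {
    # NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    Get-ChildItem -Path $nbtRoot | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                  -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = if ($opt -eq 2) { 'Disabled' } else { 'Enabled or DHCP-controlled' }
        }
    }
}

if ($Fix) {
    # Create the policy key if no policy has ever been written to it.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Disable NetBIOS over TCP/IP on every interface, not just the active one.
    Get-ChildItem -Path $nbtRoot | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

# Report the resulting state so the change can be verified.
"LLMNR: $(Get-LlmnrState)"
Get-NbtState | Format-Table -AutoSize
```

On domain-joined machines, apply the same LLMNR setting through the "Turn off multicast name resolution" Group Policy so that it is enforced centrally and not overwritten at the next policy refresh.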
