⚠️ MEDIUM intel

From Broadcast to Breach: LLMNR/NBT-NS Poisoning in Action

Resecurity provides an in-depth walkthrough of LLMNR/NBT-NS poisoning: unauthenticated multicast-based name resolution allows attackers on the same subnet to impersonate hosts, capture NTLMv2 hashes, and relay or crack credentials. Tools like Responder automate interception and credential capture. The post outlines PoC steps and mitigations: disable LLMNR and NetBIOS, block UDP/5355, enforce SMB signing, reduce NTLM usage, prefer Kerberos, and improve DNS hygiene. Because the attack exploits default behavior rather than a patchable CVE, many networks remain exposed without explicit policy and configuration changes.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Credential theft enables lateral movement and potential domain compromise without software exploits.

Technical Context: LLMNR/NBT-NS spoofing; NTLMv2 capture/relay; reliance on default Windows fallback behaviors.

⚡Strategic Intelligence Guidance

  • Disable LLMNR and NetBIOS via GPO; block UDP/5355 network-wide.
  • Enforce SMB signing and restrict NTLM; prefer Kerberos-only auth.
  • Harden DNS and SPNs; require FQDN usage to prevent fallbacks.
  • Detect Responder/Inveigh artifacts and anomalous 4624/4625 patterns.
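The four guidance items above map to concrete host settings. The following PowerShell is an added example written for this page, not code from Resecurity or from the post it summarizes: it applies the registry values that the corresponding Group Policy settings write (disable LLMNR and NetBIOS over TCP/IP, require SMB signing, restrict NTLM), blocks UDP/5355 with a local firewall rule, reports compliance per control, and finishes with one detection heuristic over constructed sample logon records. The detection threshold (`MinDistinctAccounts`) and the record shape are assumptions for the example; the registry paths, cmdlets and CIM method are standard Windows ones.

```powershell
# Added example (not from the Resecurity post). Run elevated on a test host first;
# at scale, push the same values through GPO rather than per-host scripts.
#Requires -RunAsAdministrator

function Disable-Llmnr {
    # Same key the GPO "Turn off multicast name resolution" (DNS Client) writes.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'EnableMulticast' -Value 0 -Type DWord
}

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions 2 = "Disable NetBIOS over TCP/IP", applied to every IP-enabled adapter.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
}

function Block-LlmnrPort {
    # Belt and braces: even if LLMNR is re-enabled, the host firewall drops the query port.
    if (-not (Get-NetFirewallRule -DisplayName 'Block LLMNR (UDP 5355)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block LLMNR (UDP 5355)' -Direction Inbound `
            -Protocol UDP -LocalPort 5355 -Action Block | Out-Null
        New-NetFirewallRule -DisplayName 'Block LLMNR (UDP 5355) outbound' -Direction Outbound `
            -Protocol UDP -RemotePort 5355 -Action Block | Out-Null
    }
}

function Enable-SmbSigning {
    # Required signing on both client and server is what defeats relay of a captured NTLM handshake to SMB.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

function Restrict-Ntlm {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
    # RestrictSendingNTLMTraffic 2 = deny all outbound NTLM; roll out with 1 (audit) first and
    # review the NTLM audit events before switching to 2.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord
}

function Test-PoisoningHardening {
    # One row per control, so the output can be exported or fed into a compliance check.
    $llmnr = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue).EnableMulticast
    $nbt   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                 Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    $srv   = (Get-SmbServerConfiguration).RequireSecuritySignature
    $cli   = (Get-SmbClientConfiguration).RequireSecuritySignature
    $lm    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
    [pscustomobject]@{ Control = 'LLMNR disabled';                 Compliant = ($llmnr -eq 0) }
    [pscustomobject]@{ Control = 'NetBIOS disabled (all adapters)'; Compliant = (@($nbt).Count -eq 0) }
    [pscustomobject]@{ Control = 'SMB server signing required';     Compliant = [bool]$srv }
    [pscustomobject]@{ Control = 'SMB client signing required';     Compliant = [bool]$cli }
    [pscustomobject]@{ Control = 'NTLMv2 only (LmCompatibilityLevel=5)'; Compliant = ($lm -eq 5) }
}

function Find-NtlmSprayPattern {
    param([object[]]$Events, [int]$MinDistinctAccounts = 5)
    # Heuristic (an assumption for this example, not a rule from the post): a single source address
    # producing NTLM network logons (4624/4625, logon type 3) for many distinct accounts is worth
    # triage, because captured or relayed credentials tend to be replayed from one attacker host.
    $Events |
        Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq 3 -and $_.EventId -in 4624, 4625 } |
        Group-Object IpAddress |
        ForEach-Object {
            $accounts = @($_.Group.TargetUser | Sort-Object -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                [pscustomobject]@{
                    SourceIp         = $_.Name
                    DistinctAccounts = $accounts.Count
                    Failures         = @($_.Group | Where-Object EventId -eq 4625).Count
                }
            }
        }
}

# Apply and audit the controls.
Disable-Llmnr
Disable-NetbiosOverTcpip
Block-LlmnrPort
Enable-SmbSigning
Restrict-Ntlm
Test-PoisoningHardening | Format-Table -AutoSize

# Constructed sample records (not real log data): six NTLM failures from one source for six
# different accounts, plus one unrelated Kerberos logon. Only 10.0.0.50 should be reported.
$sample = @(1..6 | ForEach-Object {
    [pscustomobject]@{ EventId = 4625; LogonType = 3; AuthPackage = 'NTLM'; TargetUser = "user$_"; IpAddress = '10.0.0.50' }
})
$sample += [pscustomobject]@{ EventId = 4624; LogonType = 3; AuthPackage = 'Kerberos'; TargetUser = 'user1'; IpAddress = '10.0.0.7' }
Find-NtlmSprayPattern -Events $sample | Format-Table -AutoSize
```

In production the records for `Find-NtlmSprayPattern` come from the Security log (`Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}`), mapping the event's `AuthenticationPackageName`, `LogonType`, `TargetUserName` and `IpAddress` fields onto the property names used here. Tune the threshold against your own baseline before alerting on it, and pair it with the Responder/Inveigh artifact checks the guidance mentions; the heuristic alone only narrows the search.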

Vendors

Microsoft

Threats

Credential Theft

Targets

Active Directory, Windows Networks