LLMNR Name poisoning on Active directory

Samara Almursi Risha
4 min read, Sep 18, 2024


LLMNR poisoning

Hello everyone, today we are going to talk about an attack that happens on Active Directory and the machines joined to the domain.

So, let’s move on to it

What is LLMNR?

LLMNR (Link-Local Multicast Name Resolution) is a network protocol used in Windows operating systems that allows devices on the same local network to resolve names to IP addresses without a DNS server, or when DNS fails to resolve the name. It helps devices discover each other when DNS is unavailable or not properly configured.

How does it work?

  • When a device (e.g., a computer) wants to resolve the hostname of another device but cannot find it using DNS, it sends out a multicast query to all devices on the local network using LLMNR.
  • The device with the matching hostname responds with its IP address, allowing the requesting device to connect to it.

And now let’s talk about the actual attack:

When DNS fails to resolve a name,

the client sends a multicast query on the local network asking who owns that name.

The attacker responds, claiming that the requested name belongs to their machine.

Once the client trusts that answer and tries to authenticate to the attacker, the attacker receives the username and the password hash.

First I use Responder on my Kali machine to capture the hashes.

On the client machine:

I try to open the attacker’s IP address (DNS fails to resolve a name for it, so the LLMNR protocol starts working).

I could enter anything; what matters is that we look up something that does not exist, so that DNS fails (that is why I use the attacker’s IP as an example).

Let’s see what happened on the attacker machine:

BOOOM, I got the hash of a user called Medo.Risha in the domain.

Let’s crack the hash to get the password:

I used John to crack it:

Mitigation of LLMNR poisoning

Two cases:

1: The organization uses LLMNR but does not need it

In this case we disable the LLMNR protocol and NetBIOS over TCP/IP.

Let’s see how:

1: First go to Group Policy Management -> Computer Configuration -> Administrative Templates -> Network -> DNS Client

Look for the policy called Turn off multicast name resolution and set it to Enabled (enabling this policy is what turns LLMNR off).

Then we have to disable NetBIOS over TCP/IP:

Open the Network and Sharing Center on a Domain Controller.

Click Change adapter settings.

Right-click the active network adapter and choose Properties.

Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Click Advanced and go to the WINS tab.

Under NetBIOS setting, select Disable NetBIOS over TCP/IP.
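The two settings above are backed by registry values, so they can be audited on any domain-joined host without clicking through the GUI. The script below is an added example, not part of the original article; it assumes it runs as Administrator and defines its own -Enforce switch, which is only this script’s convention.

```powershell
# Added example (not from the original article): audit, and with -Enforce apply,
# the two mitigations described above on the local Windows host.
# Assumes an elevated (Administrator) PowerShell session.
[CmdletBinding()]
param([switch]$Enforce)

# LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0 here.
$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnrName = 'EnableMulticast'

# NetBIOS over TCP/IP: one sub-key per adapter, NetbiosOptions 0 = DHCP default,
# 1 = enabled, 2 = disabled (the value the WINS tab radio button sets).
$netbtKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    $v = Get-ItemProperty -Path $llmnrKey -Name $llmnrName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not configured (LLMNR enabled by default)' }
    if ($v.$llmnrName -eq 0) { return 'disabled' } else { return 'enabled' }
}

Write-Host "LLMNR: $(Get-LlmnrState)"
if ($Enforce) {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name $llmnrName -Value 0 -Type DWord
    Write-Host "LLMNR: set $llmnrName=0 (now: $(Get-LlmnrState))"
}

# Report (and optionally fix) NetBIOS over TCP/IP for every adapter, since each
# host answers NetBIOS name queries for itself, not only the Domain Controller.
Get-ChildItem -Path $netbtKey | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
    $state = switch ($opt) { 2 { 'disabled' } 1 { 'enabled' } default { 'DHCP default (usually enabled)' } }
    Write-Host "NetBIOS over TCP/IP on $($_.PSChildName): $state"
    if ($Enforce -and $opt -ne 2) {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
        Write-Host "  -> set NetbiosOptions=2 (disabled)"
    }
}
```

Run it without -Enforce first to see the current state; a GPO-managed host will show EnableMulticast already present once the policy has applied.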

2: The organization can’t disable it and has to use it

To mitigate:

1: Use a password policy that enforces long, unpredictable passwords, so a captured hash is hard to crack.

2: Require Network Access Control, so that untrusted devices cannot join the local network and answer queries.

Now we have come to the end of our article. If you found any mistakes or improvements, don’t hesitate to contact me.

Thanks for Your time

LinkedIn: https://www.linkedin.com/in/samara-risha-97a634200/
