Say a user mistypes a host name. DNS resolution fails, so the machine automatically falls back to an LLMNR request, and of course no legitimate host on the link recognises the mistyped name. An attacker running a rogue responder on that link (e.g. Responder: sudo responder -I tun0 -rdwv) can answer "yes, that's me" and get the user's machine to authenticate to it, sending the username and a NetNTLM hash. With the hash, the attacker can either crack it offline or relay it over SMB.

Mitigations

If LLMNR is not required:

  • disable LLMNR (“turn off multicast name resolution”)
  • disable NBT-NS (“Disable NetBIOS over TCP/IP”)

If LLMNR / NBT-NS is necessary on the network:

  • Require Network Access Control
  • Set a strong password policy (longer than 14 characters and no dictionary words)
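The two "not required" mitigations above map to two registry settings. The following PowerShell script is an added example (not part of the original note) that audits both on a Windows host and, with -Remediate, applies them; it assumes an elevated session and the standard policy key (EnableMulticast under DNSClient) and NetBT interface key (NetbiosOptions) locations.

```powershell
# Added example (not from the original note): audit and optionally enforce
# "turn off multicast name resolution" (LLMNR) and "Disable NetBIOS over
# TCP/IP" (NBT-NS). Run elevated. Without -Remediate it only reports.
param([switch]$Remediate)

$LlmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Test-LlmnrDisabled {
    # EnableMulticast = 0 is what the Group Policy setting writes.
    $v = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableMulticast -eq 0)
}

function Disable-Llmnr {
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
}

function Get-NetbtStatus {
    # NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    Get-ChildItem $NetbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; Disabled = ($opt -eq 2) }
    }
}

function Disable-Netbt {
    # Setting 2 on every Tcpip_* interface disables NBT-NS regardless of DHCP option 43/1 hints.
    Get-ChildItem $NetbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

if ($Remediate) { Disable-Llmnr; Disable-Netbt }

"LLMNR disabled (EnableMulticast=0): $(Test-LlmnrDisabled)"
Get-NetbtStatus | Format-Table -AutoSize
```

Interfaces added after the script runs (new VPN adapters, for instance) get their own Tcpip_* key with the default value, so re-run the audit or deploy the same settings via Group Policy to keep new adapters covered.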