When a user mistypes a host name and DNS resolution fails, Windows falls back to an LLMNR query on the local link, and the legitimate link-local hosts naturally do not recognise the mistyped name. An attacker running a rogue responder on that link (e.g. Responder: sudo responder -I tun0 -rdwv) can answer “yes, I know that name”, and the user’s machine will then authenticate to the attacker’s host, sending its username and NetNTLM hash. With that hash the attacker can either crack it offline (note that NetNTLM hashes cannot be used for pass-the-hash) or relay it over SMB (SMB relay).

Mitigations

If LLMNR is not required:

  • disable LLMNR (“turn off multicast name resolution”)
  • disable NBT-NS (“Disable NetBIOS over TCP/IP”)
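
As an added example (not part of the original note), the following PowerShell script audits, and with -Apply sets, the registry values behind those two settings on a single Windows host. It assumes local administrator rights and that no Group Policy re-applies the old values afterwards; on a domain-joined fleet the same values belong in a GPO.

```powershell
# Added example: audit/enforce "Turn off multicast name resolution" (LLMNR)
# and "Disable NetBIOS over TCP/IP" (NBT-NS) via the registry. Run elevated.
# Assumption: no conflicting Group Policy overwrites these values later.
param([switch]$Apply)

# Policy value read by the DNS client; EnableMulticast = 0 turns LLMNR off.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# Per-interface NetBT setting; NetbiosOptions = 2 disables NetBIOS over TCP/IP.
$netbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    $v = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'enabled (no policy value set)' }
    if ($v.EnableMulticast -eq 0) { return 'disabled' }
    return 'enabled'
}

Write-Host "LLMNR: $(Get-LlmnrState)"
if ($Apply) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Write-Host "LLMNR: now $(Get-LlmnrState)"
}

# NBT-NS is configured per interface, one Tcpip_{GUID} subkey per adapter.
Get-ChildItem -Path $netbtBase | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    $p = $_.PSPath
    $opt = (Get-ItemProperty -Path $p -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    $state = if ($opt -eq 2) { 'disabled' }
             elseif ($opt -eq 1) { 'enabled' }
             else { 'default (DHCP-controlled, usually enabled)' }
    Write-Host "$($_.PSChildName): NetBIOS over TCP/IP $state"
    if ($Apply -and $opt -ne 2) {
        Set-ItemProperty -Path $p -Name NetbiosOptions -Value 2 -Type DWord
        Write-Host "$($_.PSChildName): NetbiosOptions set to 2 (effective after adapter reset or reboot)"
    }
}
```

Run without -Apply first to see the current state of every adapter; a fresh adapter or VPN interface gets its own Tcpip_{GUID} subkey, so re-run the audit after new interfaces appear.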

If LLMNR / NBT-NS is necessary on the network:

  • Require Network Access Control
  • Set a strong password policy (e.g., longer than 14 characters and no dictionary words)