Say a user mistypes a host name and DNS resolution fails. Windows will then automatically send an LLMNR request, and the link-local hosts will of course respond that this mistyped host name is not known to them. An attacker running a rogue server (e.g. Responder: sudo responder -I tun0 -rdwv) can instead answer "yes, I know this name" and get the user's machine to send its username and NetNTLM hash. With the hash, the attacker can either crack it (note that NetNTLM hashes cannot be used for pass-the-hash) or perform an SMB relay.
Mitigations
If LLMNR / NBT-NS are not required:
- disable LLMNR (“turn off multicast name resolution”)
- disable NBT-NS (“Disable NetBIOS over TCP/IP”)
If LLMNR / NBT-NS are necessary on the network:
- Require Network Access Control
- Set a strong password policy (e.g., longer than 14 characters and no dictionary words)
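Here is an added PowerShell script that audits, and optionally applies, the two "not required" mitigations above; it is not part of the original note. It assumes an elevated session on the Windows host being checked and the standard registry locations for these two settings (named in the comments); in a domain, the same values are better pushed by Group Policy, since a local registry edit is overwritten by policy refresh.

```powershell
# Added audit/remediation script (not from the original note). Run elevated.
# Registry locations assumed:
#   LLMNR  - HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, EnableMulticast = 0
#            (the "Turn off multicast name resolution" policy setting)
#   NBT-NS - HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*,
#            NetbiosOptions = 2 ("Disable NetBIOS over TCP/IP", per adapter)
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# --- LLMNR: a missing value means the policy is unset and LLMNR is on -----
$enableMulticast = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
                    -ErrorAction SilentlyContinue).EnableMulticast
$llmnrDisabled = ($enableMulticast -eq 0)
Write-Host ('LLMNR  : ' + $(if ($llmnrDisabled) { 'disabled' } else { 'ENABLED (policy value missing or not 0)' }))

if ($Remediate -and -not $llmnrDisabled) {
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'LLMNR  : EnableMulticast set to 0 (disabled)'
}

# --- NBT-NS: checked per adapter; 0 = DHCP-controlled, 1 = enabled, 2 = disabled
Get-ChildItem -Path $netbtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    $state = switch ($opt) {
        2       { 'disabled' }
        1       { 'ENABLED' }
        default { 'DHCP-controlled (treat as enabled)' }
    }
    Write-Host ('NBT-NS : {0} -> {1}' -f $_.PSChildName, $state)
    if ($Remediate -and $opt -ne 2) {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        Write-Host ('NBT-NS : {0} set to 2 (disabled)' -f $_.PSChildName)
    }
}
```

Run it without the switch first to see the current state; the NetbiosOptions change applies to the adapter at the next reboot, so re-run the audit afterwards to confirm.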