· r00t · Tutorials · 2 min read
LLMNR in Internal Penetration Tests
During internal infrastructure penetration tests, one common finding we come across is LLMNR (Link-Local Multicast Name Resolution) being enabled on Windows environments. While seemingly harmless, LLMNR can be exploited to launch credential harvesting and relay attacks, making it low-hanging fruit for internal attackers.
In this post, we’ll explain what LLMNR is, how it’s abused in real-world attacks, and—most importantly—how to fix it.
What Is LLMNR?
LLMNR stands for Link-Local Multicast Name Resolution. Windows machines use it to resolve hostnames to IPs when DNS fails. It sends a multicast query to the local network segment, effectively asking “Does anyone know where this hostname is?”, and any host on that segment can answer.
It’s largely unnecessary in enterprise networks and introduces a significant attack vector.
How Attackers Exploit LLMNR
1. Poisoning the Request
Attackers use tools like Responder or Inveigh to spoof the requested host during a failed name resolution.
2. Capturing NTLMv2 Hashes
The victim authenticates using NTLM, and the attacker captures a challenge-response hash which can be:
- Cracked offline
- Relayed to another service
3. Lateral Movement
Once cracked or relayed, the attacker may gain access to file shares, internal tools, or even domain accounts.
Why LLMNR Is Still Around
It’s enabled by default on Windows and often overlooked in older machines or unmanaged devices. This makes it a go-to target for internal attackers during pentests.
How to Fix It
Via Group Policy:
- Open gpedit and go to: Computer Configuration > Administrative Templates > Network > DNS Client
- Set "Turn off Multicast Name Resolution" to Enabled
Apply this across your domain using GPO.
Disable NBT-NS
NBT-NS (NetBIOS Name Service) is also vulnerable.
- Go to Network Adapter > IPv4 Settings > Advanced > WINS
- Choose Disable NetBIOS over TCP/IP
Apply via group policy or your endpoint management tool. NetBIOS over TCP/IP can also be disabled from the DHCP server, through the advanced scope options.
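To confirm that both settings actually landed on a host, the following PowerShell audit reads the LLMNR policy value and the per-adapter NetBIOS setting. This is an added example, not part of the original post: the function name Get-NameResolutionHardening is hypothetical, and the registry paths are the standard Windows locations, assumed here rather than taken from the post.

```powershell
# Added example: audit one host for the two settings described above.
# Get-NameResolutionHardening is a hypothetical helper name; the registry paths
# are the standard Windows locations and are assumptions, not taken from the post.
function Get-NameResolutionHardening {
    [CmdletBinding()]
    param()

    # "Turn off Multicast Name Resolution" = Enabled is stored as EnableMulticast = 0.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Check     = 'LLMNR'
        Target    = $env:COMPUTERNAME
        Setting   = if ($null -eq $llmnr) { 'policy not set (LLMNR on by default)' } else { "EnableMulticast=$llmnr" }
        Compliant = ($llmnr -eq 0)
    }

    # NetBIOS over TCP/IP is set per adapter: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $labels  = @{ 0 = 'follows DHCP option'; 1 = 'enabled'; 2 = 'disabled' }
    $nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $nbtRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
            if ($null -eq $opt) { $opt = 0 }   # treat a missing value as the default (0)
            [pscustomobject]@{
                Check     = 'NBT-NS'
                Target    = $_.PSChildName
                Setting   = "NetbiosOptions=$opt ($($labels[[int]$opt]))"
                Compliant = ($opt -eq 2)   # 0 is flagged: it is only safe if DHCP disables NetBIOS
            }
        }
}

$results = Get-NameResolutionHardening
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'LLMNR and/or NBT-NS is still enabled on this host.'
}
```

Adapters that report NetbiosOptions=0 inherit whatever the DHCP scope says, so check them against the DHCP configuration before treating them as fixed.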
Final Thoughts
LLMNR is a common finding in internal tests and is easily exploited. Disabling it is a simple win that improves internal security and makes an attacker's life harder.
Want to test your internal environment?
Our internal pentest team can help identify LLMNR risks and much more. Get in touch to learn more.