LLMNR Poisoning
What is LLMNR Poisoning?
An adversary-in-the-middle technique (MITRE ATT&CK T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts and capture or relay their NTLM authentication.
LLMNR (RFC 4795) is a link-local name-resolution protocol that Windows falls back to when DNS returns no answer for a name. The client multicasts a DNS-formatted query for the unresolved name to 224.0.0.252 (IPv4) or FF02::1:3 (IPv6) on UDP/5355, and any host on the same link may send back a unicast answer; nothing authenticates the answer, so in practice the first one wins. An attacker on the same broadcast domain answers every query with its own IP, so the victim's SMB or HTTP client connects to the attacker and authenticates with NTLM. The attacker captures the NTLMv2 challenge-response for offline cracking, or forwards it in real time to another host (NTLM relay). LLMNR poisoning is one of the most reliable internal-network attacks because Windows hosts keep emitting these queries for typos, stale drive mappings, decommissioned shares and obsolete printers. Mitigation is straightforward: disable LLMNR by group policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off Multicast Name Resolution, which sets EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient), disable NBT-NS as well, and require SMB signing so that captured authentications cannot be relayed. Detection signals include UDP/5355 response traffic at all (a healthy network sends queries but almost no answers), a single host answering queries for many different names, a sensor that queries names that do not exist and alerts on any reply, and, on relay targets, Event ID 4624 network logons (logon type 3) whose source address is a host the account never uses.
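The exchange above, as an added example that is not part of the original page and not code from any tool it names: it builds the RFC 4795 query a victim multicasts, the unicast answer a poisoner sends back for any name, and a parser for both. It goes slightly beyond the text by also running the two detection checks the paragraph describes (canary names and a host answering too many different names) over a constructed capture of UDP/5355 datagrams. All host names, addresses and transaction IDs are invented for the example.

```python
import socket
import struct

# Wire-format constants from RFC 4795 (the header layout is the same as DNS).
LLMNR_GROUP_V4 = "224.0.0.252"   # victims multicast their queries here
LLMNR_PORT = 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000                 # QR bit set = this message is a response


def encode_name(name):
    """Encode a host name as DNS-style length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Decode labels starting at buf[off]; returns (name, offset after the name)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, name):
    """The query a victim multicasts to 224.0.0.252:5355 after DNS failed for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)          # flags=0, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, answering_ip, ttl=30):
    """A unicast answer: same transaction ID, same question, one A record.
    A real host only sends this for its own name; a poisoner sends it for every
    name it sees, with answering_ip set to its own address."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]                                     # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)      # QDCOUNT=1, ANCOUNT=1
    answer = (encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(answering_ip))
    return header + question + answer


def parse_llmnr(datagram):
    """Parse a query or response into its transaction ID, name and A-record answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", datagram[:12])
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, off = decode_name(datagram, off)
        off += 4                                                     # skip QTYPE, QCLASS
    for _ in range(ancount):
        _, off = decode_name(datagram, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", datagram[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(datagram[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "qname": qname, "answers": answers}


def find_poisoners(datagrams, canary_names, max_names=3):
    """Detection over captured UDP/5355 datagrams given as (src_ip, payload).
    Flags a source that answers a canary name (queried by a sensor, known not to
    exist) or that answers more distinct names than a real host ever would."""
    pending, answered, hits = {}, {}, set()
    canaries = {c.lower() for c in canary_names}
    for src, payload in datagrams:
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            pending[msg["txid"]] = msg["qname"]                      # remember what was asked
            continue
        name = (msg["qname"] or pending.get(msg["txid"], "")).lower()
        answered.setdefault(src, set()).add(name)
        if name in canaries or len(answered[src]) > max_names:
            hits.add(src)
    return hits


# Constructed capture (invented hosts): victims 10.0.0.20/.21 mistype a share name
# and look up a printer, a sensor at 10.0.0.5 queries a canary, the real PRINTER01
# (10.0.0.30) answers only for itself, and the poisoner at 10.0.0.66 answers everything.
CANARY_NAMES = ["canary-a8f1"]
_q1 = build_query(0x1001, "fileserver-typo")
_q2 = build_query(0x1002, "canary-a8f1")
_q3 = build_query(0x1003, "printer01")
SAMPLE_DATAGRAMS = [
    ("10.0.0.20", _q1), ("10.0.0.66", build_response(_q1, "10.0.0.66")),
    ("10.0.0.5", _q2),  ("10.0.0.66", build_response(_q2, "10.0.0.66")),
    ("10.0.0.21", _q3), ("10.0.0.30", build_response(_q3, "10.0.0.30")),
]

if __name__ == "__main__":
    print("LLMNR poisoners:", find_poisoners(SAMPLE_DATAGRAMS, CANARY_NAMES))
```

The canary check is the more robust of the two: a legitimate host answers for its own name only, so any reply to a name the sensor invented is a poisoner regardless of how many other names it has answered.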
● Examples
- 01: An attacker on a guest VLAN harvests dozens of NTLMv2 hashes within an hour by replying to mistyped share names.
- 02: An attacker combines LLMNR poisoning with ntlmrelayx to relay captured authentications to an SMB target that does not require signing.
● Frequently asked questions
What is LLMNR Poisoning?
An adversary-in-the-middle technique (MITRE T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts. It belongs to the Attacks & Threats category of cybersecurity.
How does LLMNR Poisoning work?
The attacker listens for LLMNR queries on UDP/5355, answers each one with its own address, and lets the victim's SMB or HTTP client authenticate to it, capturing NTLMv2 challenge-response material for offline cracking or relaying it to another host. The full mechanism, mitigations and detection signals are given in the definition above.
How do you defend against LLMNR Poisoning?
Disable LLMNR on every Windows host via group policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off Multicast Name Resolution) and disable NBT-NS on the network adapters as well, so that an unresolved name fails instead of being multicast. Require SMB signing so that any authentication an attacker still captures cannot be relayed, and enforce long passwords so that captured NTLMv2 responses resist offline cracking. Operationally, monitor UDP/5355 for responses, run a sensor that queries non-existent names and alerts on any reply, and fix the stale shortcuts and mappings that generate the queries in the first place.
What are other names for LLMNR Poisoning?
Common alternative names include: LLMNR spoofing, T1557.001.
● Related terms
- NBT-NS Poisoning (attacks № 715): An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
- Responder Attack (attacks № 924): An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
- NTLM Relay Attack (attacks № 746): An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
- SMB Relay Attack (attacks № 1057): A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
- Pass-the-Hash (attacks № 790): A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.