Last Updated On July 10, 2018
When the LLMNR protocol was introduced with Microsoft Windows Vista, attackers quickly identified ways to take advantage of how it behaves on a local network. The purpose of the protocol is to let IPv4 and IPv6 hosts resolve host names to IP addresses on the local link when DNS cannot, and it is this fallback behaviour that can be manipulated: any host on the segment may answer an LLMNR query, and the querying system accepts the first answer it receives.
Essentially, when a system with NBNS and LLMNR enabled attempts to resolve a name to an IP address, the following steps are run:
- The system checks its local hosts file for static name to IP address mappings.
- If the hosts file does not have an entry, the system asks its configured DNS server(s) to resolve the name.
- If the DNS server does not have a mapping for the name, the system sends an LLMNR query (multicast to 224.0.0.252 or FF02::1:3, UDP port 5355) and/or an NBNS query (broadcast, UDP port 137) asking other systems on the local network for assistance. An attacker on the same segment who answers every such query with their own IP address becomes the host the victim connects to next.
In most environments where this attack is performed, the attacker captures NTLMv1 or NTLMv2 challenge-response hashes (Net-NTLM) when the victim system authenticates to the attacker's host, for example over SMB or HTTP. In some cases clear-text credentials can be observed, for instance when the poisoned service prompts the user for basic authentication and the user enters their password. Once an attacker has the hashes, they can run offline brute-force and dictionary attacks to attempt to recover the clear-text password.
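The exchange described above, as an added example that is not part of the original post: the script builds the LLMNR A-record query a Windows host sends after DNS fails (RFC 4795 uses the DNS message format), builds the answer a poisoner would send back (same transaction ID, attacker's address), and parses both. It also includes a canary check of the kind a defender can run: query a name that should never resolve (here the constructed name `fileshrae`, a typo-style name) and treat any matching answer as evidence of a poisoner. The addresses and names are constructed for the example; nothing is sent on the network.

```python
"""LLMNR query/response wire format and the poisoning exchange (RFC 4795 message layout).

Added example; the host name, transaction ID and IP addresses below are constructed.
"""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group LLMNR queries are sent to
LLMNR_PORT = 5355             # UDP port for LLMNR (NBNS uses broadcast on UDP 137)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style labels (length byte + label), zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode DNS-style labels starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(txid: int, name: str) -> bytes:
    """The standard LLMNR A-record query a host multicasts once DNS has no answer."""
    # ID, flags (0 = standard query), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_llmnr_query(data: bytes):
    """Return (txid, name, qtype) for a query, or raise if the message is not a query."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not an LLMNR query")
    name, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, name, qtype


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends: echo the transaction ID and question, answer with its own IP."""
    txid, name, qtype = parse_llmnr_query(query)
    # QR=1 (response), one question echoed, one answer record
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    answer = (encode_name(name)
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)   # type, class, TTL, RDLENGTH
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_llmnr_response(data: bytes):
    """Return (txid, name, ip) from the first answer record of an LLMNR response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an LLMNR response")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = decode_name(data, off)
        off += 4
    name, off = decode_name(data, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    return txid, name, socket.inet_ntoa(data[off:off + rdlen])


def detect_poisoner(canary_query: bytes, response: bytes):
    """Canary check: the queried name must never exist, so any matching answer is suspect.

    Returns the IP the responder advertised (the poisoner) or None if the response
    does not match the canary query.
    """
    qid, qname, _ = parse_llmnr_query(canary_query)
    rid, rname, ip = parse_llmnr_response(response)
    if rid == qid and rname.lower() == qname.lower():
        return ip
    return None


if __name__ == "__main__":
    # Constructed exchange: a victim mistypes a share name, a poisoner at 10.0.0.99 answers.
    victim_query = build_llmnr_query(0x1234, "fileshrae")
    poisoned = build_poisoned_response(victim_query, "10.0.0.99")
    print(parse_llmnr_query(victim_query))
    print(parse_llmnr_response(poisoned))
    print("poisoner:", detect_poisoner(victim_query, poisoned))
```

To use the canary check for real, send `build_llmnr_query()` output to `LLMNR_GROUP:LLMNR_PORT` for a name that does not exist in your environment and pass every reply to `detect_poisoner()`; a legitimate network returns nothing, so any answer identifies the host to investigate.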