LLMNR and NBT-NS are legacy Windows name resolution protocols that broadcast queries across local networks without authenticating responses. This design flaw allows attackers on the same subnet to intercept these broadcasts and respond with their own IP address, tricking victim machines into sending NTLMv2 credential hashes. Using the Responder tool, attackers can automate this process — capturing hashes stored in log files and a SQLite database — then crack them offline or relay them for lateral movement. The post covers the step-by-step attack mechanism, Responder's key flags and configuration options, log file structure, and mitigation recommendations such as disabling LLMNR/NBT-NS and enforcing secure authentication.
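The mitigation the post recommends, disabling LLMNR and NBT-NS on a Windows host, as an added PowerShell example that is not code from the original post: it audits the LLMNR policy value, sets it, and turns off NetBIOS over TCP/IP on every IP-enabled adapter. It assumes an elevated session with local administrator rights and uses the standard DNSClient policy key and the Win32_NetworkAdapterConfiguration SetTcpipNetbios method.

```powershell
# Added example (not from the original post): audit and disable LLMNR and NBT-NS.
# Assumes an elevated PowerShell session on the host being hardened.

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # EnableMulticast = 0 disables LLMNR; an absent value means the default (enabled).
    $v = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Enabled (no policy set)' }
    if ($v.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # Create the policy key if it does not exist, then force EnableMulticast to 0.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name EnableMulticast -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Disable-NbtNs {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    # NetBIOS is configured per adapter, so apply it to every IP-enabled adapter.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required.
        [pscustomobject]@{
            Adapter     = $a.Description
            ReturnValue = $r.ReturnValue
        }
    }
}

Write-Host "LLMNR before: $(Get-LlmnrState)"
Disable-Llmnr
Write-Host "LLMNR after:  $(Get-LlmnrState)"
Disable-NbtNs | Format-Table -AutoSize
```

In a domain, push the same LLMNR setting through Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) rather than editing each host's registry.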

Source: infosecwriteups.com (10 min read)
Table of contents

- Scenario Example
- LLMNR/NBT-NS Poisoning
- Technical Overview and Practical Implementation
- Responder Logs
- Starting Responder with Default Settings
