LLMNR Poisoning

• used to identify hosts when DNS fails to do so

• previous name NBT-NS

• Key flaw is that services utilize a user's username and NTLMv2 hash when appropriately responded to

Attacks

Responder

$ sudo responder -I eth0 -dP

Defense

Group Policy

• Administrative Templates

  • Network

    • DNS Client

      • Turn off Multicast Name Resolution

Require Network Access Control

• Restrict by MAC address, etc.

• Require strong user passwords