5355/UDP
Port used by LLMNR (Link-Local Multicast Name Resolution): blocking this port at the VLAN level prevents LLMNR-based poisoning
137/UDP
Port used by NetBIOS Name Service (NBNS): should be blocked on all managed networks where NetBIOS is not required for legacy application compatibility
Responder
The primary open-source tool for LLMNR/NBNS poisoning: runs on a Linux host and automatically responds to all broadcast name queries on the local segment
NTLMv2 hash
What LLMNR poisoning captures: a challenge-response authentication hash that can be cracked with hashcat or used in NTLM relay attacks without cracking

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Windows uses several name resolution protocols in sequence when DNS fails: DNS → mDNS → LLMNR → NBNS. LLMNR and NBNS send broadcast queries to the entire local network segment: asking all hosts if anyone knows the IP for a given name. Any machine that responds first is trusted.

An attacker running Responder on the same network segment answers every LLMNR and NBNS query, then presents itself as the target server. Windows automatically begins an NTLM authentication handshake with the attacker's machine: sending the user's NTLMv2 hash in the process. The attacker captures the hash for offline cracking or NTLM relay without ever needing to exploit a vulnerability.

How Responder Captures Credentials

Attack scenario:

1. User types \\fileserv01 in Windows Explorer (mistyped \\fileserver01)
2. Windows queries DNS for fileserv01: DNS returns NXDOMAIN
3. Windows sends LLMNR broadcast: "Who has fileserv01?"
4. Attacker's Responder.py answers: "I have fileserv01: 10.0.0.99"
5. Windows initiates SMB authentication to 10.0.0.99
6. Responder captures the NTLMv2 challenge-response hash:
   jsmith::CORP:1122334455667788:AABBCC...:0101000000000000...
7. Attacker cracks with hashcat or relays to another target

Running Responder (attacker perspective: for lab/pentest understanding):

# From Kali Linux on same network segment as target
python3 Responder.py -I eth0 -rdwv
# -r: enable NBT-NS/NBNS poisoning
# -d: enable DHCP poisoning
# -w: start WPAD rogue proxy server
# -v: verbose

# Captured hashes appear in:
cat /opt/Responder/logs/SMB-NTLMv2-SSP-10.0.0.50.txt
# Output: jsmith::CORP:1122334455667788:aabbcc....<truncated>

# Crack with hashcat:
hashcat -m 5600 SMB-NTLMv2-SSP-10.0.0.50.txt rockyou.txt
# -m 5600: NetNTLMv2 hash mode

NTLM relay (no cracking needed: relay directly to another target):

# Instead of cracking, relay captured NTLM auth to a target SMB server
# Run ntlmrelayx alongside Responder (with SMB disabled in Responder to avoid interception)
python3 ntlmrelayx.py -tf targets.txt -smb2support
# If the captured hash belongs to a local admin on targets.txt servers,
# ntlmrelayx authenticates as that user to those servers: no password needed

Prevention: Disable LLMNR and NBNS via GPO

Disable LLMNR (highest priority: modern networks do not need this protocol):

GPO path:
Computer Configuration > Administrative Templates > Network > DNS Client >
"Turn off multicast name resolution"
Setting: Enabled

# This disables LLMNR on all domain machines the GPO applies to
# Verify: run Wireshark on the network and check for LLMNR queries on port 5355

Disable NBNS (NetBIOS Name Service):

NBNS cannot be disabled via a simple GPO setting: it requires either a DHCP option or registry key pushed via GPO startup script.

# GPO Startup Script to disable NetBIOS over TCP/IP on all adapters:
# Create a script: Disable-NetBIOS.ps1

$NICs = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($NIC in $NICs) {
    # 2 = Disable NetBIOS over TCP/IP
    $NIC.SetTcbpNetbios(2)
}

# Link to GPO:
# Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) >
# Startup > Add > Disable-NetBIOS.ps1

# Or via DHCP option 001 in the Windows DHCP server:
# Set scope option 001 (Microsoft Disable Netbios Option) to 0x2 (disable)
# This works for all DHCP clients without requiring a GPO script

Verify LLMNR is disabled:

# On a target machine after GPO applies:
# Attempt an LLMNR query for a non-existent host
Resolve-DnsName nonexistenthost1234 -ErrorAction SilentlyContinue
# Should fail immediately (no broadcast fallback)

# Capture traffic on the segment to verify no LLMNR traffic:
# sudo tcpdump -i eth0 udp port 5355
# Should show no traffic after the GPO applies

# Check current LLMNR status:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name "EnableMulticast" -ErrorAction SilentlyContinue
# 0 = LLMNR disabled
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Detection: Finding Responder Activity

Network-level detection: spurious LLMNR responses:

Legitimate LLMNR does not generate many responses: only the actual host that has the name responds. A Responder instance generates a response to every LLMNR query it sees, generating anomalous response volumes.

# Zeek signature for LLMNR poisoning
# Detect: a host responding to LLMNR queries for names it cannot own
# Key indicator: same source IP responding to LLMNR queries for many different hostnames

# In Zeek dns.log, filter for responses (qtype answers ≠ NXDOMAIN)
# from the same IP for many different hostnames in a short window:
zeek-cut ts id.orig_h id.resp_h query qtype rcode < dns.log | \
  awk '$6 == "0" && $5 == "1"' | \
  awk '{print $2}' | \
  sort | uniq -c | sort -rn | head -10
# Any IP responding to a large number of LLMNR queries is Responder-like behavior

Microsoft Sentinel KQL: detect Responder NTLM capture attempts:

// Alert: NTLM authentication attempts to hosts not in your known server list
// Responder captures auth by pretending to be legitimate servers
SecurityEvent
| where EventID == 4776  // NTLM credential validation
| where TimeGenerated > ago(1h)
// Workstation in 4776 is the machine the user tried to authenticate to
// If that workstation is not a legitimate server, it may be Responder
| where Workstation !in (known_servers)  // Define your server list
| summarize
    FailedAuthCount = count(),
    Accounts = make_set(TargetUserName)
    by Workstation, IpAddress
| where FailedAuthCount > 5
| sort by FailedAuthCount desc

// Or detect: Event 4625 (failed logon) from the Responder machine
// Users attempting to connect to non-existent server get auth failure
SecurityEvent
| where EventID == 4625
| where LogonType == 3  // Network logon
| summarize
    FailCount = count(),
    SourceIPs = make_set(IpAddress),
    TargetAccounts = make_set(TargetUserName)
    by WorkstationName, bin(TimeGenerated, 5m)
| where FailCount > 10

Honey credential detection (active deception):

Deploy a monitoring account in AD whose password you broadcast as a fake service credential. If Responder captures it and an attacker tries to use it:

# Create a monitoring account that should NEVER have valid logons
New-ADUser -Name "svc-backup-monitor" -SamAccountName "svc-backup-monitor" \
  -Enabled $true -AccountPassword (ConvertTo-SecureString "R@nd0mP@ss!" -AsPlainText -Force)

# Create an Azure AD monitoring alert:
# Any 4624 (successful logon) or 4625 (failed logon) from svc-backup-monitor
# is suspicious: this account should never log in

# Alert in Sentinel:
SecurityEvent
| where EventID in (4624, 4625, 4648)
| where TargetUserName == "svc-backup-monitor"
| project TimeGenerated, EventID, IpAddress, LogonType, AuthenticationPackageName
// Any activity on this account = Responder captured the credential

Additional Mitigations

Enable SMB signing (prevents NTLM relay attacks):

GPO path:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options >
"Microsoft network server: Digitally sign communications (always)": Enabled
"Microsoft network client: Digitally sign communications (always)": Enabled

# SMB signing prevents ntlmrelayx from relaying captured credentials
# to SMB targets: the relay attempt fails signature verification
# Note: SMB signing has performance overhead on high-throughput file servers

Enable Extended Protection for Authentication (EPA) on IIS:

# EPA prevents NTLM relay attacks targeting web services
# Enable in IIS Manager: Authentication > Windows Authentication > Advanced Settings
# Extended Protection: Required

# Or via PowerShell:
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter \
  "system.webServer/security/authentication/windowsAuthentication" `
  -PSPath "IIS:\Sites\Default Web Site" `
  -Name "extendedProtection.tokenChecking" `
  -Value "Require"

Block unnecessary outbound SMB (445/TCP) at the perimeter:

NTLM relay attacks that target external infrastructure require outbound 445. Block this at the firewall: internal SMB traffic stays on the LAN while external relay attempts are stopped.

Network segmentation to limit blast radius:

LLMNR and NBNS are layer-2 broadcast protocols: they only reach hosts on the same network segment. VLANs that separate workstations, servers, and management traffic naturally limit Responder to a single segment. An attacker who has compromised a workstation can only poison LLMNR for other workstations on the same VLAN: not for server VLANs.

The bottom line

LLMNR/NBNS poisoning requires zero exploitation: Responder simply answers broadcast name queries before the legitimate host can. Prevent it by disabling LLMNR via GPO (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution: Enabled) and disabling NBNS via DHCP option 001 or GPO startup script. Enable SMB signing to prevent captured NTLMv2 hashes from being relayed without cracking. Detect it by monitoring Event 4776 (NTLM auth) for authentication attempts to non-existent or unexpected hosts, and deploy honey credentials that alert immediately when used.

Frequently asked questions

How do you prevent LLMNR and NBNS poisoning attacks?

Disable LLMNR via GPO: Computer Configuration > Administrative Templates > Network > DNS Client > "Turn off multicast name resolution" = Enabled. Disable NBNS via DHCP scope option 001 (set to 0x2) or a GPO startup script that calls SetTcbpNetbios(2) on each NIC. Enable SMB signing to prevent captured NTLMv2 hashes from being relayed. VLAN segmentation limits poisoning to a single network segment even if one workstation is compromised.

How do you detect Responder running on your network?

Monitor for NTLM authentication attempts (Event 4776) to hosts not in your known server list: Responder impersonates legitimate hosts, causing Windows to send NTLM auth to the attacker's machine. Deploy honey credentials (an AD account that should never log in): any logon event on that account indicates the credential was captured and an attacker attempted to use it. Network-level detection: Zeek dns.log showing the same source IP responding to LLMNR queries for many different hostnames in a short window.

What is LLMNR poisoning and why is it dangerous?

LLMNR (Link-Local Multicast Name Resolution) is a protocol that broadcasts name resolution requests on the local network when DNS fails to resolve a hostname. When a Windows machine broadcasts 'who is \\FILESERVE (typo of \\FILESERVER)?', any attacker running Responder on the same network segment responds 'I am — send me your credentials'. The victim's machine sends an NTLM hash for authentication, which Responder captures. The attacker can then crack the hash offline or relay it to other systems. LLMNR has no authentication: any host can answer any query. The attack requires no exploitation, no credentials, and no elevated access — just network access to the same broadcast domain.

How do you disable LLMNR and NBT-NS via Group Policy?

Disable LLMNR: Group Policy > Computer Configuration > Admin Templates > Network > DNS Client > Turn Off Multicast Name Resolution > Enabled. Disable NBT-NS (NetBIOS over TCP/IP): this cannot be disabled via standard Group Policy directly; use a Group Policy Preference logon script that runs: 'wmic nicconfig where TcpipNetbiosOptions=0 call SetTcpipNetbios 2' (sets all NICs to disable NetBIOS), or configure it via DHCP option 001 (disable NetBIOS via DHCP server), or apply a registry GPP setting to HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\* with NetbiosOptions DWORD value 2. After disabling, test that no critical applications rely on NetBIOS name resolution.

What is NTLM relay and how does it differ from LLMNR poisoning?

LLMNR poisoning captures NTLM hashes that are then cracked offline. NTLM relay (using tools like Responder with ntlmrelayx.py or impacket's ntlmrelayx) takes a captured NTLM authentication and immediately relays it to another target server — authenticating as the victim without cracking the hash at all. This works because NTLM challenge-response can be proxied: the relay tool responds to the victim's authentication challenge with challenges from a target server, then forwards the victim's responses. If SMB signing is not enforced on target servers (common in Windows environments), NTLM relay can achieve code execution or file access. Enforce SMB signing via Group Policy (Network security: LAN Manager authentication level, and Microsoft network server: Digitally sign communications always) to block relay attacks.

How do you verify that LLMNR and NBNS are disabled across a Windows fleet and confirm no residual broadcast traffic exists?

Verify GPO application on a sample of machines by running 'Get-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -Name EnableMulticast' and confirming the value is 0. For NBNS, verify per-NIC by running 'Get-WmiObject Win32_NetworkAdapterConfiguration | Select-Object Description, TcpipNetbiosOptions' and confirming TcpipNetbiosOptions = 2 (disabled) on all relevant interfaces. Network-level verification: run Wireshark or tcpdump on a monitored network tap filtering 'udp port 5355 or udp port 137' for 30 minutes during business hours -- any traffic on these ports indicates a machine that has not received or applied the policy. In large environments, collect the EnableMulticast registry value via Velociraptor Hunt or Intune device query across all managed endpoints and alert on any machine returning a value other than 0.

Sources & references

  1. MITRE ATT&CK T1557.001: LLMNR/NBT-NS Poisoning
  2. Laurent Gaffie: Responder GitHub
  3. Microsoft: Disable LLMNR in Enterprise

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.