Solving Game of Active Directory (GOAD) by Orange Cyberdefense Part-2

n00🔑
Oct 22, 2023

LLMNR and NBT-NS Poisoning

LLMNR (Link-Local Multicast Name Resolution) poisoning, usually discussed together with NBT-NS (NetBIOS Name Service) poisoning, is a network attack that involves the manipulation or interception of DNS-like name resolution requests within a local network. The attack targets the way Windows devices resolve hostnames to IP addresses when DNS name resolution fails. LLMNR and NBT-NS are the fallback methods for hostname resolution in that case, primarily in Windows environments.

Here’s an overview of LLMNR poisoning:

How LLMNR Works:

When a Windows system attempts to resolve a hostname to an IP address and standard DNS resolution fails, it may use LLMNR and NBT-NS as fallback mechanisms.
LLMNR uses multicast messages to query other devices on the local network for the hostname’s IP address.
NBT-NS works similarly but uses NetBIOS broadcasts to resolve hostnames.

LLMNR Poisoning:

LLMNR poisoning is a type of man-in-the-middle (MITM) attack in which an attacker on the local network picks up the LLMNR and NBT-NS requests that other hosts send out.
The attacker responds to these requests with spoofed responses, claiming to be the target device with the requested hostname.
This can redirect network traffic to the attacker’s system, potentially allowing for eavesdropping or other malicious activities.
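
Because a legitimate host only answers for its own name, a reply to a name that nobody owns is a reliable sign that something on the segment is spoofing answers. The following is an added example, not code from the original post: it builds an LLMNR query for a canary name and parses any reply in the DNS wire format LLMNR uses (RFC 4795). The canary name, the transaction ID, the function names and the sample reply are all constructed for illustration.

```python
import ipaddress
import struct

def encode_name(name):
    """Encode a host name as length-prefixed labels (DNS wire format)."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(txid, name):
    """LLMNR A query: 12-byte header with one question, then QNAME, QTYPE=A, QCLASS=IN."""
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 1, 1)

def read_name(pkt, off):
    """Decode labels at off; stop at the root label or a compression pointer (not followed)."""
    labels = []
    while pkt[off] and (pkt[off] & 0xC0) != 0xC0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + (2 if pkt[off] else 1)

def parse_reply(pkt):
    """Return (txid, is_response, question name, [IPv4 answers])."""
    txid, flags, qd, an = struct.unpack("!4H", pkt[:8])
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        off += 4                                   # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(pkt, off)               # owner name, usually a pointer
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:              # A record
            ips.append(str(ipaddress.IPv4Address(pkt[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, bool(flags & 0x8000), qname, ips

def spoofed_answers(pkt, txid, canary):
    """IPs offered for the canary; a non-empty result means a host answered a name nobody owns."""
    try:
        rid, is_resp, qname, ips = parse_reply(pkt)
    except (struct.error, IndexError, ValueError):
        return []                                  # malformed datagram: ignore it
    return ips if is_resp and rid == txid and qname.lower() == canary.lower() else []

# Constructed sample reply (not captured traffic): answers the canary with 192.0.2.66.
CANARY = "wkstn-canary-7f3a"
SAMPLE_REPLY = (struct.pack("!6H", 0x1337, 0x8000, 1, 1, 0, 0) + encode_name(CANARY)
                + struct.pack("!2H", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4)
                + ipaddress.IPv4Address("192.0.2.66").packed)
```

On a live segment the query goes to the LLMNR multicast group 224.0.0.252 on UDP port 5355, and every datagram received on the sending socket is passed to `spoofed_answers()`; the source address of a flagged reply identifies the host to investigate.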
