H3-2021-0034

LLMNR Poisoning Possible

Category	SECURITY_MISCONFIGURATION
Base Score	7.0

Description

Link-Local Multicast Name Resolution (LLMNR) is one of two components of Microsoft Windows machines that server as alternate methods of host identification. An attacker can spoof a reply as an authoritative source to a victim request and capture the credential information passed over the network. Credential information can be captured in hashed or plaintext format.

Impact

A captured hash credential can be cracked offline to discover the plaintext password for reuse on other systems or the hash can be relayed and used to access other systems as well. Likewise, a captured plaintext credential can be immediately used to access other systems.

References

• T1171 - LLMNR/NBT-NS Poisoning and Relay
• Local Network Vulnerabilities - LLMNR and NTB-NS Poisoning
• LLMNR and NBT-NS Mitigation