NBNS/LLMNR
NetBIOS Name Service (NBNS) and Link-Local Multicast Name Resolution (LLMNR) are both protocols that a Windows computer uses to look for a host on the internal network when the host's IP address cannot be resolved through the organization's DNS (Domain Name System) server. The lookup can be for anything from a file server your machine is trying to map, to a web portal you are trying to access, to a background process searching for something like a proxy server. When a Windows computer attempts to connect to another machine over the network, it follows this basic process:

  1. It checks the local hosts file. Any machine you have recently talked to is stored in the local hosts file. This is much faster because no network requests have to be made.

  2. If the host isn't in your local hosts file, your computer queries DNS, which is essentially the phone book of your network: it contains the systems on the network and their addresses.

  3. If for some reason DNS doesn't know where that host is, your computer sends out an NBNS and/or LLMNR request. This request is broadcast (sent to every computer) on the local subnet. Most requests never reach this point, especially if your DNS is up to date. However, if you mistype the name of a server, or if the server doesn't exist (such as a proxy server when your organization doesn't use one), these requests will be abundant.

NBNS and LLMNR Spoofing

An NBNS and LLMNR spoofing attack takes advantage of these requests. When such a request is seen on the local subnet, the attacker answers it, in effect saying, "I know where that server is; in fact, I am that server." The attacker then receives whatever traffic comes next. Most of the time this is benign traffic the attacker can't do much with. But in the case of a file server, as in the example above, the client has to prove it is allowed to access the file it is trying to open. To do this, the server sends a challenge, and the connecting host computes a response that combines the challenge with the user's password. The value that crosses the wire is a hash, not the password itself, but it lets the attacker take the captured challenge/response pair offline and crack it. Cracking offline means the attacker is not limited by network speed, account lockouts, or the risk of being detected. Once the attacker cracks that user's password, they can access any system the user has permissions on.
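
The resolution order above is also what makes the attack detectable: a name that is not in the hosts file or DNS should get no answer at all, so any LLMNR reply to a deliberately random hostname comes from a spoofer. The following is an added example for defenders, not code from the original page; it builds an LLMNR query for such a canary name, parses a reply in the DNS-style layout LLMNR uses, and reports any address claiming to be that host. `fake_poisoned_reply` is only a constructed sample input standing in for the reply a spoofer would send; the canary name, transaction ID and 192.0.2.50 address are made up.

```python
import random
import string
import struct

# LLMNR reuses the DNS message layout (RFC 4795): UDP 5355, multicast group 224.0.0.252.

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard A-record query: flags=0 (QR=0), QDCOUNT=1, QTYPE=A(1), QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(data: bytes, off: int):
    """Read labels starting at off; return (name, offset just past the terminator)."""
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_llmnr_response(data: bytes):
    """Return (txid, qr_bit, question_name, [(answer_name, ipv4), ...]) for a reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    answers = []
    for _ in range(an):
        aname, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # A record with an IPv4 address
            answers.append((aname, ".".join(str(b) for b in rdata)))
    return txid, flags >> 15, qname, answers

def canary_name(k: int = 12) -> str:
    """Random hostname that cannot exist in DNS, so only a spoofer would ever answer it."""
    return "".join(random.choices(string.ascii_lowercase, k=k))

def spoofer_addresses(sent_name: str, sent_txid: int, response: bytes) -> list:
    """Addresses claiming to be the canary: a positive reply matching our txid and name."""
    txid, qr, qname, answers = parse_llmnr_response(response)
    if qr != 1 or txid != sent_txid or qname.lower() != sent_name.lower():
        return []  # unrelated traffic, not a reply to our probe
    return [ip for aname, ip in answers if aname.lower() == sent_name.lower()]

def fake_poisoned_reply(query: bytes, ip: str) -> bytes:
    """Constructed sample input only: a reply asserting the queried name lives at ip."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = decode_name(query, 12)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:end + 4] + rr
```

In live use the query from `build_llmnr_query(canary_name(), txid)` is sent to 224.0.0.252:5355 and every datagram received within the timeout is passed to `spoofer_addresses`; a non-empty result is an alert, since legitimate hosts stay silent for a name they do not own.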

[Figure: NBNS and LLMNR spoofing attack diagram, shown for NBNS and for LLMNR]