LLMNR/NBT-NS Poisoning and Relay (T1171)

Technique & Subtechniques

  • LLMNR/NBT-NS Poisoning and Relay

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Procedure Examples

Description Source(s)
Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017. Wikipedia LLMNR
Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017. TechNet NetBIOS
Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019. byt3bl33d3r NTLM Relaying
Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019. Secure Ideas SMB Relay
Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017. GitHub NBNSpoof
Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017. Rapid7 LLMNR Spoofer
Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017. GitHub Responder
Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017. Sternsecurity LLMNR-NBTNS
Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017. GitHub Conveigh