Silent Interception: Exploiting LLMNR, NBT-NS, mDNS and IPv6 in Modern Networks

Last updated on Apr 10, 2025
Silent Interception: Exploiting LLMNR, NBT-NS, mDNS and IPv6 in Modern Networks

In many internal networks, outdated or misconfigured protocols silently create attack surfaces. This post explores how attackers abuse name resolution fallbacks and IPv6 autoconfiguration to capture and relay NTLM credentials using Responder and mitm6.

Name Resolution Chaos

When Windows can’t resolve a hostname via DNS, it falls back on legacy protocols: LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and increasingly mDNS in mixed environments. These protocols ask anyone nearby: “Do you know who somehost is?”

An attacker on the local network can answer “yes” and claim to be that host. That’s exactly what Responder does. It listens for these requests and pretends to be the missing server, prompting clients to authenticate, typically using NTLM.

IPv6: Enabled by Default, Forgotten by Admins

Even in IPv4-only networks, most Windows clients have IPv6 enabled. If there’s no DHCPv6 server, they use router advertisements to configure themselves. mitm6 abuses this by spoofing a rogue IPv6 router, setting itself as the DNS server for all hosts.

Once clients start resolving names through the attacker’s DNS, the attacker can spoof responses and trick clients into connecting over SMB, LDAPS, or HTTP, exposing NTLM hashes.

Capturing vs. Relaying

Responder captures credentials (NTLMv1/v2), which can be cracked offline with tools like hashcat. But it’s often more powerful to relay them live to a legitimate service.

Tools like ntlmrelayx allow relaying to:

  • SMB: for file access, command execution, or dumping secrets via secretsdump.py
  • LDAP/LDAPS: to enumerate AD users, modify objects, or create backdoor accounts
  • HTTP/WSMAN: to access internal web apps or trigger remote code execution

The success of the relay depends on the target’s configuration. If SMB signing or LDAP channel binding is enforced, the relay will fail. But in many networks, it isn’t.

Realistic Attack Chain

  1. Launch mitm6 to poison IPv6 and become DNS for the subnet.
  2. Run ntlmrelayx with appropriate targets (e.g., --smb2support --target smb://10.0.0.5).
  3. Wait: a victim resolves an internal name (e.g., fileshare), the attacker responds.
  4. The client connects to the attacker thinking it’s the fileshare and sends NTLM credentials.
  5. ntlmrelayx relays these to the actual target server.
  6. If successful, the attacker gains authenticated access.

In parallel, Responder can be used for LLMNR/NBT-NS-based interception in IPv4 networks.

Mitigation

This isn’t new, but it’s often neglected. To prevent these attacks:

  • Disable LLMNR and NBT-NS via Group Policy.
  • Disable IPv6 on clients if it’s not explicitly required.
  • Enforce SMB signing and LDAP channel binding.
  • Segment your network to reduce the blast radius.
  • Prefer Kerberos authentication over NTLM where possible.
  • Monitor for rogue IPv6 RAs and anomalous name resolution.

Final Thoughts

If you’re in a flat network with legacy protocols enabled, an attacker doesn’t need exploits, just presence. These are silent, no-packet attacks that rely on trust and misconfiguration. The tools are public. The fixes are known. Yet the exposure is still widespread.

Responder and mitm6 aren’t magic. They just reveal what’s already broken.