Link-Local Multicast Name Resolution (LLMNR) Detection

 Nessus Output

Synopsis :

The remote device supports LLMNR.

Description :

The remote device answered to a Link-local Multicast Name Resolution
(LLMNR) request. This protocol provides a name lookup service similar
to NetBIOS or DNS. It is enabled by default on modern Windows

Reported Risk factor by Nessus: None
In my opinion the severity should be much higher.

The Nessus plugin can detect the LLMNR service with an uncredentialed scan.


Nmap can also detect a running LLMNR service on a named host.

nmap --script llmnr-resolve --script-args 'llmnr-resolve.hostname=ace'
Starting Nmap 7.31 ( ) at 2016-12-09 11:42 CET
Pre-scan script results:
| llmnr-resolve: 
| ACE :
|_ Use the newtargets script-arg to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.42 seconds



Metasploit can also be used to run the query for a named host.
Module: auxiliary/scanner/llmnr/query

msf auxiliary(query) > show info
Name: LLMNR Query
 Module: auxiliary/scanner/llmnr/query
 License: Metasploit Framework License (BSD)
 Rank: Normal
Provided by:
 Jon Hart <>
Basic options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 BATCHSIZE 256 yes The number of hosts to probe in each set
 CLASS IN yes The query class (name, # or CLASS#)
 NAME ace yes The name to query
 RHOSTS yes The multicast address or CIDR range of targets to query
 RPORT 5355 yes The target port
 THREADS 10 yes The number of concurrent threads
 TYPE A yes The query type (name, # or TYPE#)
 This module sends LLMNR queries, which are really just normal UDP 
 DNS queries done (usually) over multicast on a different port, 5355. 
 Targets other than the default RHOSTS' should not 
 respond but may anyway.
msf auxiliary(query) > run
[*] Sending LLMNR A/IN queries for ace to> port 5355 (1 hosts)
[+] responded with ACE: (A
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
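
As the module description above says, an LLMNR query is an ordinary DNS message sent over UDP to port 5355. The following added example (not part of the original post or of Metasploit; the function names and the sample reply are constructed for illustration) builds that query for a name and parses a reply offline, which is the check a scanner makes to decide that a host supports LLMNR.

```python
import socket
import struct

def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = [part.encode("ascii") for part in name.strip(".").split(".")]
    if any(not 0 < len(part) < 64 for part in labels):
        raise ValueError("each label must be 1..63 bytes")
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"

def build_query(name, txid, qtype=1, qclass=1):
    """Header (id, flags=0, one question), then name, TYPE A, CLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def skip_name(buf, off):
    """Return the offset just past a name, honouring compression pointers."""
    while buf[off] & 0xC0 != 0xC0:
        if buf[off] == 0:
            return off + 1
        off += 1 + buf[off]
    return off + 2

def parse_response(buf, txid):
    """Return the IPv4 addresses answering txid, or [] if buf is not that."""
    try:
        rid, flags, qdcount, ancount = struct.unpack("!HHHH", buf[:8])
        if rid != txid or not flags & 0x8000 or flags & 0x000F:
            return []  # wrong id, not a response, or non-zero RCODE
        off = 12
        for _ in range(qdcount):
            off = skip_name(buf, off) + 4  # name, then TYPE and CLASS
        addrs = []
        for _ in range(ancount):
            off = skip_name(buf, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            rdata = buf[off + 10:off + 10 + rdlen]
            if (rtype, rclass, len(rdata)) == (1, 1, 4):
                addrs.append(socket.inet_ntoa(rdata))
            off += 10 + rdlen
        return addrs
    except (struct.error, IndexError):
        return []  # truncated or malformed datagram

# Constructed sample reply (not captured traffic): "ace" -> 192.0.2.10.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
          + encode_name("ace") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4)
          + socket.inet_aton("192.0.2.10"))
```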


 What is LLMNR?

How to get Windows to give you credentials through LLMNR?

Exploit tools

  • Responder (Python)
  • Inveigh (PowerShell)
  • Metasploit modules
    • auxiliary/spoof/llmnr/llmnr_response
    • auxiliary/spoof/nbns/nbns_response
    • auxiliary/server/capture/smb
    • auxiliary/server/capture/http_ntlm

How to harden your Windows box

Configure the following policy setting:
Computer Configuration -> Administrative Templates -> Network -> DNS Client
Set “Turn Off Multicast Name Resolution” to Enabled

This policy setting will set the following registry key:

This can also be done with the LGPO tool.

Create the following text file: dnsclient_lgpo.txt

Software\Policies\Microsoft\Windows NT\DNSClient

Convert the LGPO text file into a policy file

.\LGPO.exe /r .\dnsclient_lgpo.txt /w dnsclient_llmnr.pol

Import the policy file

.\LGPO.exe /m .\dnsclient_llmnr.pol