Last updated: April 29, 2026
The protocols that make networks work — ARP, DHCP, DNS, LLMNR, NBT-NS, mDNS — were all designed with zero authentication. They worked in the original LAN era because the LAN was a single trusted segment. In 2026, these protocols are still deployed at scale, still unauthenticated, and attackers still farm them for credentials daily. This module covers why Layer 2/3 protocols remain catastrophic trust points.
Why this happens
ARP (1982), DHCP (1993), DNS (1987), LLMNR (2007) — the dates tell the story. Designed before network-scale threat models existed. Designed when “the network” meant “the cable in the office.” Signed/authenticated versions exist (DNSSEC, DHCPv6 with authentication, 802.1X) but deployment is uneven. Microsoft Active Directory still uses LLMNR and NBT-NS by default on domain-joined workstations in 2026 despite Microsoft’s own published guidance recommending disabling them.
The attacker’s position: on the local segment (after phishing or Wi-Fi compromise), inject responses to these unauthenticated protocols. Victim workstations accept the injected responses as truth. Credentials, session info, and lateral movement opportunities follow.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.