LLMNR Detection Enterprise

Link-Local Multicast Name Resolution (LLMNR) is a Windows name-resolution protocol used when DNS fails. Attackers abuse it for LLMNR poisoning (also called LLMNR spoofing): they respond to broadcast queries on the local segment and capture NTLM hashes or redirect victims to malicious hosts.

The LLMNR plugin makes the Trapster participate in LLMNR on the network: it broadcasts LLMNR packets and responds to LLMNR name resolution requests. That surfaces poisoning attempts and suspicious resolution activity directed at or involving the honeypot.

When to use it

Enable LLMNR detection on Trapsters that present as Windows machines on your internal network (default Windows Server template, domain-joined identity, SMB/RDP services). It fits user VLANs and server segments where real Windows hosts use LLMNR.

Configuration

  1. Open Trapsters and select a device
  2. Go to the Settings tab
  3. Enable LLMNR detection (MiTM attacks) under Plugins

What it detects

| Signal | Typical meaning |
| --- | --- |
| LLMNR query or response involving the Trapster | Reconnaissance or poisoning activity on the local segment |
| Interaction with the Trapster as an LLMNR responder | An attacker or tool treating the honeypot as a resolution target |

Incidents are raised on the Incidents page and follow your normal alerting configuration.

Pair LLMNR detection with SMB or RDP services on the same Trapster for a convincing Windows footprint.
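
A common way to surface a poisoner from LLMNR traffic is to query a decoy name that no real host owns and flag any answer to it. The sketch below is an added example, not Trapster's own code: it parses LLMNR packets (DNS-style wire format, UDP 5355) and applies that check to a constructed response. The decoy name, transaction ID and addresses are made-up sample values.

```python
import struct

def encode_name(name):
    """Encode a name as length-prefixed labels (DNS/LLMNR wire format)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(txid, name):
    """LLMNR query: 12-byte header (QR=0, one question), then name, type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def constructed_response(txid, name, ip4):
    """Build a sample response (QR=1, one A record) to feed the detector offline."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + ip4
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + answer

def parse(packet):
    """Return (txid, is_response, answer_count, qname); raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", packet[:8])
    if qdcount != 1:
        raise ValueError("LLMNR packets carry exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return txid, bool(flags & 0x8000), ancount, ".".join(labels).lower()

def check_response(packet, src_ip, decoys):
    """decoys maps txid -> decoy name we queried; an answer to one is suspicious."""
    try:
        txid, is_response, ancount, qname = parse(packet)
    except ValueError:
        return None  # malformed traffic is ignored here, not alerted on
    if is_response and ancount > 0 and decoys.get(txid) == qname:
        return {"responder": src_ip, "name": qname}
    return None

# Constructed sample: nobody on the network owns this name, yet a host answers.
DECOYS = {0x4A1B: "fs-archive-7q2x"}
SAMPLE = constructed_response(0x4A1B, "FS-ARCHIVE-7Q2X", bytes([192, 0, 2, 66]))
ALERT = check_response(SAMPLE, "192.0.2.66", DECOYS)
```

Names are compared case-insensitively, and the transaction ID must match the outstanding decoy query so unrelated LLMNR answers on the segment do not raise alerts.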