LLMNR
LLMNR (Link-Local Multicast Name Resolution) is a protocol used to resolve machine names to IP addresses within a local subnet when DNS is unavailable.
What This Plugin Does
The LLMNR plugin monitors for signs of LLMNR poisoning, a common attack technique:
- When a device cannot resolve a hostname via DNS, it sends an LLMNR request.
- An attacker using a tool like Responder can reply with a forged response, claiming to be the requested machine.
- Because LLMNR responses are not verified, the attacker can:
  - Capture credentials sent by the victim
  - Launch a Man-In-The-Middle (MITM) attack

By detecting these responses, Trapster alerts you to potential LLMNR-based attacks before sensitive data is compromised.
How It Works with Trapster
Trapster periodically sends LLMNR requests for non-existent machines. Since no legitimate device should respond, any reply is suspicious.
Detected responses are:
- Recorded
- Flagged as a potential attack
- Sent to your Dashboard for review
Note: This process is safe and does not impact your network, as the requests are for fictitious hosts.
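The probe-and-listen check described above, sketched in Python as an added example (not Trapster's own code). The function names, the `ws-` decoy prefix and the returned dict are assumptions made for illustration; the multicast group and port are the ones LLMNR defines in RFC 4795.

```python
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 IPv4 multicast group and port

def build_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header plus one A/IN question."""
    label = name.encode("ascii")
    question = bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + question

def parse_response(packet: bytes, txid: int, name: str):
    """Return the IPv4 address a reply claims for our decoy name, else None."""
    question = build_query(name, txid)[12:]
    try:
        rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
        if rid != txid or not flags & 0x8000 or ancount < 1:
            return None  # not a response to this probe
        off = 12 + len(question)
        if packet[12:off].lower() != question.lower():
            return None  # echoed question is for some other name
        while True:  # skip the answer's owner name (labels or compression pointer)
            n = packet[off]
            off += 2 if n & 0xC0 == 0xC0 else 1 + n
            if n == 0 or n & 0xC0 == 0xC0:
                break
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        rdata = packet[off + 10:off + 10 + rdlen]
        if rtype == 1 and rdlen == 4 and len(rdata) == 4:
            return socket.inet_ntoa(rdata)
    except (struct.error, IndexError):
        pass  # truncated or malformed packet
    return None

def probe(timeout: float = 2.0):
    """Ask the local link for a random, non-existent host; any answer is an alert."""
    name, txid = "ws-" + secrets.token_hex(4), secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(512)
                claimed = parse_response(data, txid, name)
                if claimed:
                    return {"decoy": name, "responder": src, "claimed_ip": claimed}
        except socket.timeout:
            return None
```

`probe()` returns `None` on a quiet network; a returned dict names the host that answered for the fictitious machine and the address it claimed.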
Important
Use this plugin only on Windows-emulating Trapsters, as LLMNR is a Windows-specific protocol.
