Service: LLMNR
Protocol: UDP
Port: 5355
Used for: Port 5355 (UDP) is used by LLMNR to resolve hostnames on local networks when DNS fails, allowing devices to multicast name resolution queries.

Why It’s Open
Port 5355 is used by the LLMNR protocol, which stands for Link-Local Multicast Name Resolution. LLMNR allows systems on the same local network segment to resolve hostnames when traditional DNS fails — for example, when a device tries to reach another by hostname but doesn’t get a response from the DNS server. The request is then multicast to the address 224.0.0.252 on port 5355. It’s most commonly enabled by default on Windows systems (especially pre-Windows 10 v1709), but it’s also supported in some Linux and embedded systems.
LLMNR was designed for convenience in unmanaged or small networks, but in enterprise environments, it’s largely unnecessary and often becomes a liability. Because it doesn’t require a DNS server, any device on the same subnet can respond — which opens the door for abuse.
Common Risks
- NBNS/LLMNR Poisoning (MITM): Attackers on the same network can respond to LLMNR queries with spoofed answers, redirecting victims to malicious services or capturing hashes.
- Credential Theft via Responder or Inveigh: Tools like Responder or Inveigh can exploit LLMNR to capture NTLMv2 challenge/response hashes for offline cracking or relay attacks.
- Internal Reconnaissance: LLMNR broadcasts leak hostnames that may not be visible via DNS, helping attackers map the network.
- Legacy Protocol Dependence: Continued reliance on LLMNR often signals poor internal name resolution hygiene and opens unnecessary attack surfaces.
Enumeration & Testing
Check if it’s open (replace `<target>` with the host or range under test):

```shell
nmap -sU -p 5355 <target>
```

Sniff LLMNR requests on the network (replace `<interface>` with the capture interface):

```shell
tcpdump -i <interface> udp port 5355
```

Run Responder to test poisoning susceptibility:

```shell
sudo responder -I <interface> -wrf
```

What to Look For
| Checkpoint | What it means |
|---|---|
| Port 5355 open on workstations | LLMNR is enabled by default — should be disabled |
| Hostnames visible in queries | Potential info leak aiding internal recon |
| Responding to LLMNR queries | Indicates device could be misused for spoofing |
| NTLM hashes captured by tools | System vulnerable to relay or cracking attacks |
Mitigation
- Disable LLMNR via Group Policy or local settings: Group Policy path: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off Multicast Name Resolution.
- Disable NBNS/NetBIOS over TCP/IP: LLMNR is often exploited alongside NetBIOS — disable both if not needed.
- Use Secure Name Resolution (DNSSEC, Host Files): Rely on properly maintained internal DNS infrastructure.
- Segment Workstations from Servers: Prevent attackers from leveraging lateral movement via poisoned resolution.
- Monitor for Responder Tools: Look for tools like Responder, Inveigh, or unusual LLMNR traffic in endpoint/network monitoring.
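The following Python script is an added example (it is not PentestPad's code, nor part of Responder or Inveigh) illustrating two things from this page: how an LLMNR datagram is laid out when it is multicast to 224.0.0.252 on UDP 5355, and what "unusual LLMNR traffic" looks like for the monitoring bullet above. It encodes and decodes the DNS-style message format, then runs a detector over a constructed trace (not a real capture) in which one host answers every name it is asked about. The detection heuristic, that a single source answering three or more distinct names is suspect, and the hostnames and addresses in the trace are assumptions for the example; a legitimate host only ever answers for its own name.

```python
"""LLMNR wire-format helpers plus a poisoning detector (added example).

LLMNR reuses the DNS message layout: a 12-byte header, then questions and
resource records with length-prefixed labels. Queries go to the multicast
group 224.0.0.252 on UDP 5355; the host that owns the queried name answers
unicast. A poisoning tool answers *every* query with its own address, so
one source answering many unrelated names is the signal checked here.
"""
import struct
from collections import defaultdict

LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group used for LLMNR queries
LLMNR_PORT = 5355
QR_FLAG = 0x8000             # top bit of the flags word: 1 = response


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, NUL-terminated."""
    labels = [lbl for lbl in name.split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build an LLMNR query (type A by default): header + one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, ip: str, ttl: int = 30) -> bytes:
    """Build a positive A response: echoes the question, adds one answer RR."""
    header = struct.pack("!HHHHHH", txid, QR_FLAG, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(buf: bytes, off: int):
    """Decode labels at `off`, following DNS compression pointers (0xC0xx).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # two-byte pointer
            if not jumped:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_packet(buf: bytes) -> dict:
    """Parse header, question section and answer section of an LLMNR datagram."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, value))
    return {"id": txid, "is_response": bool(flags & QR_FLAG),
            "questions": questions, "answers": answers}


def detect_poisoning(trace, threshold: int = 3) -> dict:
    """Map responder IP -> sorted names it answered, for every source that
    answered at least `threshold` distinct names. `trace` is an iterable of
    (src_ip, dst_ip, udp_payload) tuples, e.g. decoded from a udp port 5355 pcap."""
    answered = defaultdict(set)
    for src, _dst, payload in trace:
        pkt = parse_packet(payload)
        if pkt["is_response"]:
            for name, _rtype, _value in pkt["answers"]:
                answered[src].add(name.lower())
    return {ip: sorted(names) for ip, names in answered.items() if len(names) >= threshold}


# Constructed trace (not a real capture): 10.0.0.20 answers only for itself,
# 10.0.0.99 answers every query it sees, which is how a poisoning tool behaves.
SAMPLE_TRACE = [
    ("10.0.0.15", LLMNR_GROUP, build_query(0x1001, "fileserver")),
    ("10.0.0.20", "10.0.0.15", build_response(0x1001, "fileserver", "10.0.0.20")),
    ("10.0.0.15", LLMNR_GROUP, build_query(0x1002, "printsrv")),
    ("10.0.0.99", "10.0.0.15", build_response(0x1002, "printsrv", "10.0.0.99")),
    ("10.0.0.31", LLMNR_GROUP, build_query(0x1003, "wpad")),
    ("10.0.0.99", "10.0.0.31", build_response(0x1003, "wpad", "10.0.0.99")),
    ("10.0.0.42", LLMNR_GROUP, build_query(0x1004, "shareserver")),
    ("10.0.0.99", "10.0.0.42", build_response(0x1004, "shareserver", "10.0.0.99")),
]

if __name__ == "__main__":
    for ip, names in detect_poisoning(SAMPLE_TRACE).items():
        print(f"suspected LLMNR poisoner {ip}: answered for {', '.join(names)}")
```

To run this against real traffic, feed `detect_poisoning` the (source IP, destination IP, UDP payload) triples from a capture taken with the tcpdump filter above; the parser also follows DNS compression pointers, so responses from stacks that compress the answer name decode correctly. Lowering `threshold` to 1 lists every responder, which is useful for building the baseline of which hosts legitimately answer on a segment before alerting on outliers.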
Known CVEs and Exploits
- CVE-2013-4786 – LLMNR spoofing vulnerability in Windows allowing information disclosure.
- CVE-2015-0016 – LLMNR spoofing leads to NTLMv2 hash leakage via crafted SMB response.
- Responder Tool (PoC/Exploit) – Popular tool used for LLMNR, NBT-NS, and WPAD poisoning.
- Inveigh (PowerShell-based MITM Tool) – LLMNR/NetBIOS name service attack and NTLM relay tool.