A new cybersecurity study has found that legacy Windows communication protocols continue to expose organizations to credential theft, even without exploiting software vulnerabilities.
The research, published today by Resecurity, warned that attackers can capture login data simply by being on the same local network as their targets.
Legacy Features Still in Use
Link-Local Multicast Name Resolution (LLMNR) and its predecessor, NetBIOS Name Service (NBT-NS), were designed to help Windows systems find other devices when DNS lookups fail. However, these protocols trust any device that responds to their requests – an oversight that allows attackers to impersonate legitimate systems.
By using tools such as Responder, a hacker can intercept these broadcasts and trick a victim machine into sending authentication data. The attacker then captures information including usernames, domain details and encrypted password hashes.
“This attack does not rely on exploiting a software vulnerability,” the study said.
“It takes advantage of default Windows behavior and only requires the attacker to be present on the same local network segment as the victim.”
Growing Concern For Organizations
Once stolen, the captured data can be cracked offline or reused in what’s known as a relay attack. This can provide direct access to corporate databases, file servers or administrative systems. In some cases, attackers may obtain passwords in cleartext, gaining immediate entry to sensitive data.
Researchers warned that the consequences extend well beyond a single compromised device. Once attackers obtain valid credentials, they can move laterally across the network, accessing additional systems and resources.
From there, they may escalate privileges by targeting high-value accounts such as administrators or service users, gaining broader control over the environment.
This kind of access can lead to widespread data exposure, unauthorized changes to systems and even the disruption of critical business services or operational downtime. In large organizations, the impact can ripple across departments, making containment and recovery more complex.
Recommended Fixes
The study outlined several ways to mitigate the risk. Organizations are urged to:
- Disable LLMNR and NBT-NS through Group Policy
- Block UDP port 5355 to prevent multicast queries
- Enforce SMB signing and reduce NTLM authentication
- Maintain accurate DNS configurations to avoid fallback lookups
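To confirm on a given host that the LLMNR, NBT-NS and SMB signing settings above actually took effect, a read-only PowerShell audit such as the following can be run. It is an added example, not taken from the Resecurity report; it assumes the standard Windows registry locations for these settings, uses a hypothetical helper named Get-RegValue, and does not check the UDP 5355 firewall rule.

```powershell
# Added example: read-only audit of one Windows host. Changes nothing.
# Get-RegValue is a hypothetical helper defined here, not a built-in cmdlet.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-CheckResult {
    param([string]$Check, $Value, [int]$Expected)
    [pscustomobject]@{
        Check    = $Check
        Value    = if ($null -eq $Value) { 'not set' } else { $Value }
        Expected = $Expected
        # A missing value means the OS default applies; it is reported as a failure
        # so that the host gets reviewed rather than assumed safe.
        Pass     = ($Value -eq $Expected)
    }
}

$results = @()

# LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
$llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
$results += New-CheckResult 'LLMNR disabled by policy' $llmnr 0

# NBT-NS: NetbiosOptions is per interface (0 = DHCP default, 1 = enabled, 2 = disabled).
$nicRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($nic in Get-ChildItem -Path $nicRoot -ErrorAction SilentlyContinue) {
    $opt = Get-RegValue $nic.PSPath 'NetbiosOptions'
    $results += New-CheckResult "NetBIOS disabled on $($nic.PSChildName)" $opt 2
}

# SMB signing: RequireSecuritySignature = 1 on both the server and client side.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $req  = Get-RegValue $path 'RequireSecuritySignature'
    $results += New-CheckResult "SMB signing required ($svc)" $req 1
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or management agent flag the host.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Any row with Pass = False marks a host where a poisoned LLMNR or NBT-NS response could still be accepted, or where unsigned SMB sessions remain possible.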
Security teams are also encouraged to monitor for unusual traffic on these protocols, which may indicate active exploitation attempts.
According to the report, LLMNR and NBT-NS poisoning remains one of the most common (and preventable) network attacks.
“The most effective defense is to eliminate reliance on these legacy protocols by disabling LLMNR and NBT-NS, enforcing secure authentication methods such as Kerberos and ensuring DNS infrastructure is properly configured,” Resecurity said.
“Combined with network monitoring and credential-hardening practices, these measures significantly reduce the risk of credential theft through broadcast poisoning attacks.”