NetBIOS over TCP and LLMNR

LLMNR or Link-Local Multicast Name Resolution is a protocol used by IPv6 and IPv4 clients to know the names of neighboring systems without having to use DNS Server. It was introduced in Windows Vista and is used by versions after that. So, if DNS is unavailable this protocol kicks in.

NetBIOS over TCP/IP is a follow-up protocol of LLMNR, and it is used to publish on the LAN and look for resources. If you want to know more about this protocol, open Command Prompt as an administrator and type the following command.


This will display protocol statistics and current TCP/IP connection using NetBIOS over TCP/IP.

LLMNR & NetBios poisoning is often used in credential harvesting attacks with a popular tool called Responder

To disable LLMNR through Group Policy:

Computer Configuration > Administrative Templates > Network > DNS client and enable “Turn off multicast name resolution”.