What technique does a penetration tester use to intercept and poison LLMNR and NBT-NS requests?

Using Responder for on-path attacks is particularly effective for intercepting and poisoning LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) requests. Responder is a tool that listens for the multicast and broadcast name resolution requests that Windows systems send when they attempt to resolve the names of other devices on the network. When a client sends out a request, Responder can respond with false information, effectively "poisoning" the request. This allows the penetration tester to capture sensitive information, such as NTLMv2 hashes or other credentials, that could not be obtained without intercepting these requests.

Responder exploits the weaknesses in these specific protocols by acting as a rogue name server, facilitating on-path attacks in which the tester can manipulate traffic and deceive network clients into communicating with a malicious service. This makes it a powerful tool in a penetration tester's arsenal when examining enterprise-level environments where LLMNR and NBT-NS are actively used for name resolution.
