Local name resolution poisoning attacks are almost as old as Active Directory itself – and yet, the magic of Windows environments retro-compatibility makes them still effective in 2025.

One of the very first offensive actions carried out by an attacker with access to an internal network is to attempt exploiting the LLMNR, mDNS or NBNS protocols that are even today enabled by default, in order to gain an authenticated foothold into the Active Directory infrastructure.

To the pentesters thinking that local name resolution attacks are well-known exploit primitives that do not have any more surprises in store for us – this presentation is here to prove you wrong. We will dive into two new techniques recently introduced that enhance the NTLM and Kerberos relaying capabilities of local name resolution poisoning, and their implementation in open-source tools such as Responder and krbrelayx.

Discover how to trick Windows SMB clients into falling back to WebDav HTTP authentication that do not implement signing, or how to perform Kerberos relaying through LLMNR, all illustrated by concrete exploit demonstrations!