Port reference
Port 5355 (UDP) – LLMNR
LLMNR — a Windows fallback name-resolution protocol used when DNS fails on the local link.
Default state
Enabled by default on Windows clients. Listens on UDP 5355 and responds to multicast name queries, making it ideal for poisoning.
Common attacks
- LLMNR/NBT-NS poisoning with Responder to capture NTLM hashes
- Offline cracking of captured NetNTLMv1/v2 challenge-responses
- NTLM relay of poisoned authentication to SMB or LDAP
- Man-in-the-middle of mistyped or failed hostname lookups
Hardening
- Disable LLMNR via Group Policy (Turn off multicast name resolution)
- Disable NetBIOS over TCP/IP (NBT-NS) on all interfaces
- Ensure DNS is correctly configured so fallback is never needed
- Enforce SMB signing and LDAP signing to break relay
- Alert on rogue LLMNR responders and Responder-style activity
nmap snippet
nmap -sU -p5355 --script llmnr-resolve <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5355?
Port 5355 carries LLMNR (Link-Local Multicast Name Resolution), a Windows fallback protocol used when normal DNS resolution fails. When a host cannot resolve a name — often a typo or a stale share path — Windows sends a multicast query on UDP 5355 asking the local link "who is this name?" Any machine on the segment may answer. LLMNR sits alongside the older NBT-NS on port 137, and both are enabled by default on Windows.
Why it matters for security
LLMNR's trust-the-loudest-responder design is one of the most exploited weaknesses in Active Directory networks. Because the protocol accepts an answer from any host, an attacker simply replies to failed lookups and lures the victim into authenticating to the attacker. That authentication carries the victim's NTLM challenge-response, which can be cracked offline to recover the password or relayed to gain access — all without exploiting a single software bug.
How it's attacked
The classic tool is Responder: it listens for LLMNR and NBT-NS queries, answers every one, and harvests the resulting NetNTLMv1/v2 hashes when victims connect. Captured hashes are cracked offline or relayed straight to SMB or LDAP for lateral movement and privilege escalation. The attack is passive, reliable, and needs no credentials to start.
Hardening checklist
Disable LLMNR through Group Policy ("Turn off multicast name resolution") and disable NetBIOS over TCP/IP (NBT-NS) on every interface — together they remove the poisoning surface. Make sure DNS is correctly configured so fallback is never triggered. Enforce SMB and LDAP signing so any authentication that is captured cannot be relayed, and alert on rogue responders. The nmap script above tests LLMNR resolution on hosts you are authorised to test.
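The hardening checklist above as a PowerShell audit-and-remediate script, added here as an example; it is not code from the original reference page. It assumes it runs in an elevated session; the -Enforce switch is the example's own name, and the registry values it checks are the ones written by the "Turn off multicast name resolution" policy (EnableMulticast) and by the domain-controller LDAP signing policy (LDAPServerIntegrity).

```powershell
# Added example: audit LLMNR / NBT-NS / SMB / LDAP signing state on this host.
# Without -Enforce it only reports; with -Enforce it applies each fix.
[CmdletBinding()]
param([switch]$Enforce)   # hypothetical switch name chosen for this example

$findings = @()

# 1. LLMNR: the "Turn off multicast name resolution" GPO sets EnableMulticast=0 here.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR enabled (EnableMulticast is not 0)'
    if ($Enforce) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 2. NBT-NS: TcpipNetbiosOptions 2 = disabled; check every IP-enabled adapter.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP enabled on $($a.Description)"
        if ($Enforce) {
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

# 3. SMB signing on both server and client side, so captured auth cannot be relayed to SMB.
if (-not (Get-SmbServerConfiguration).RequireSecuritySignature) {
    $findings += 'SMB server signing not required'
    if ($Enforce) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    $findings += 'SMB client signing not required'
    if ($Enforce) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 4. LDAP signing applies only on domain controllers (LDAPServerIntegrity 2 = required).
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $ldap = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($ldap -ne 2) {
        $findings += 'LDAP server signing not required (LDAPServerIntegrity is not 2)'
        if ($Enforce) { Set-ItemProperty -Path $ntds -Name LDAPServerIntegrity -Value 2 -Type DWord }
    }
}

if ($findings.Count -eq 0) { 'All LLMNR-related hardening checks passed' } else { $findings }
```

Run it once without -Enforce to see what a Responder-style poisoner would still have to work with, then with -Enforce (or push the same settings through Group Policy) to close each item.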
Frequently asked questions
- What is port 5355 used for?
- Port 5355 is LLMNR, a Windows fallback that resolves hostnames by multicast when DNS has no answer. It lets nearby hosts reply with the address for a requested name.
- Why should I disable LLMNR?
- Because any host can answer an LLMNR query, an attacker running Responder claims to be the requested name, captures the victim's NTLM hash, and cracks or relays it. Disabling LLMNR removes the vector.