LLMNR and NBT-NS Attack

October 30, 2021 | Active Directory, AD Security

LLMNR (Link-Local Multicast Name Resolution) is a protocol based on the Domain Name System (DNS). Network-connected systems commonly use it to identify hosts on the local subnet when DNS fails, is not present, or where peer-to-peer name-resolution services are required.

NBT-NS (NetBIOS Name Service) is a protocol similar to LLMNR and operates much like ARP (Address Resolution Protocol) broadcasts.

NBT-NS, LLMNR and mDNS broadcast a query to the entire local network (intranet), but no measures are taken to verify the integrity of the responses. Attackers can exploit this by listening for such queries and spoofing responses, so that the victim trusts a malicious server. Usually this trust is then used to steal credentials.

How to Disable LLMNR?

Create a new Group Policy object and edit it:
Computer Configuration > Administrative Templates > Network > DNS Client
Enable the “Turn Off Multicast Name Resolution” policy.

Or via the registry:

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
Create a DWORD named ‘EnableMulticast’ and set its value to ‘0’.

How to Disable NBT-NS?

Open Control Panel > Network and Sharing Center > Change Adapter Settings > Properties of the active connection > Internet Protocol Version 4 (TCP/IPv4) > Properties > General > Advanced > WINS, then
select ‘Disable NetBIOS over TCP/IP’.

For an organization-level change, deploy the registry setting via Group Policy. The setting below must be applied to each interface that is in use (one subkey per interface):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\
DWORD ‘NetbiosOptions’: set the value to ‘2’.

NetBIOS can also be disabled for clients from the DHCP server:
DHCP Manager > Scope Options > right-click “Configure Options” > select “Advanced” > select “Microsoft Disable Netbios Option” with a value of 0x2 from the available options, then click OK.
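The following PowerShell script is an added example, not part of the original post, that applies both of the registry changes described above (the LLMNR key under DNSClient and the per-interface NetbiosOptions value under NetBT) and then reports the resulting state so the change can be audited. It assumes the registry paths quoted in the post and must be run in an elevated session; the DHCP helper at the end is an assumption about the DhcpServer module and uses a hypothetical scope ID.

```powershell
# Added example (not the original post's code): disable LLMNR and NetBIOS over
# TCP/IP via the registry keys named in the post, then audit the result.
# Assumes an elevated PowerShell session on the target host.

$LlmnrKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NbtIfaceRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-Llmnr {
    # EnableMulticast = 0 is the value the "Turn Off Multicast Name Resolution"
    # policy writes; the Policies key may not exist yet on an unmanaged host.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    New-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Disable-NetBiosOverTcp {
    # NetbiosOptions: 0 = use the DHCP-supplied setting, 1 = enabled, 2 = disabled.
    # The value is per interface, so every Tcpip_{GUID} subkey must be set.
    Get-ChildItem -Path $NbtIfaceRoot | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Type DWord -Value 2
    }
}

function Get-NameResolutionHardeningState {
    # Read back both settings so the change can be verified or collected by an audit job.
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' `
                -ErrorAction SilentlyContinue).EnableMulticast
    $ifaces = Get-ChildItem -Path $NbtIfaceRoot | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' `
                                -ErrorAction SilentlyContinue).NetbiosOptions
        }
    }
    [pscustomobject]@{
        LlmnrDisabled      = ($llmnr -eq 0)
        NetBiosAllDisabled = -not ($ifaces | Where-Object { $_.NetbiosOptions -ne 2 })
        Interfaces         = $ifaces
    }
}

function Set-DhcpScopeDisableNetBios {
    # Assumption: the DhcpServer module's vendor option 001 under
    # "Microsoft Windows 2000 Options" is the "Microsoft Disable Netbios Option"
    # the post configures in DHCP Manager; value 2 disables NetBIOS for clients.
    param([Parameter(Mandatory)] [string] $ScopeId)   # e.g. '10.0.0.0' (hypothetical)
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -VendorClass 'Microsoft Windows 2000 Options' `
        -OptionId 1 -Value 2
}

Disable-Llmnr
Disable-NetBiosOverTcp
Get-NameResolutionHardeningState | Format-List
```

Running the audit function on its own (without the two Disable- calls) is a cheap way to check hosts that should already have received the Group Policy or DHCP settings; any interface still showing NetbiosOptions of 0 or 1 is one the change has not reached.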

Conclusion
Disabling both LLMNR and NBT-NS on client machines and servers reduces the risk of an attacker using internal network access to compromise the domain. Operating system hardening and strong password policies also help to prevent such attacks.

Restricting VLAN communication between hosts on the same network further reduces the likelihood of such an incident.

Use a least-privilege model for regular accounts; create a separate account that is used only for administrative activity.
