• About
  • Services
    • Penetration Testing
    • Vulnerability Assessment
    • Phishing & Training
    • Strategy & Maturity
    • Information Assurance
    • Cyber Essentials
  • Resources
  • British Data Awards
  • Contact
  • Get a Quote
26.04.2021 | Jason Johnson
Tags: Internal Penetration Testing, Penetration Testing

LLMNR/NBT-NS Poisoning on Windows Domain Environments

While many organisations are adopting cloud-based services and moving away from on-premises infrastructure, a large proportion of IT estates still rely on Windows Active Directory (AD) Domain Services somewhere within their network. Active Directory environments can become a playground for attackers, especially when certain misconfigurations are present.

Once an attacker has a foothold on an AD-administered local network, they will want to gain as much privilege on the domain as quickly and quietly as possible. LLMNR/NBT-NS poisoning is just one of the attacks used to make this happen. In this article we’ll look at how LLMNR/NBT-NS poisoning works, what impact the attack can have, and the quick fixes that defend your domain against this threat.

What are the LLMNR and NBT-NS protocols?

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two fallback name resolution mechanisms that Windows machines use to find the address of a host on the local network when DNS resolution fails. LLMNR (RFC 4795) sends its queries as multicast to 224.0.0.252 (IPv4) or FF02::1:3 (IPv6) on UDP port 5355; NBT-NS sends them as a subnet broadcast on UDP port 137. Both are enabled by default on modern Windows computers, and neither gives the querying host any way to verify who answered.

When a user requests a named resource, the name needs to resolve to an IP address so that the user’s computer knows where to send the network traffic. To resolve the name, the user’s computer tries the following, in order of priority:

  1. Check whether the name is the computer’s own hostname (localhost).
  2. Check the DNS resolver cache, which also holds the entries from the system’s hosts file (C:\Windows\System32\drivers\etc\hosts).
  3. Send a lookup request to the configured DNS server(s).
  4. If DNS cannot resolve the name, multicast an LLMNR name query to all machines on the local link.
  5. If there is still no answer, broadcast an NBT-NS name query to all machines on the local subnet.

Both the LLMNR and NBT-NS queries go to every other host on the local network, asking anyone who knows the IP address of the queried name to reply. Nothing authenticates the reply: the querying host simply trusts the first answer it receives. An attacker on the same network segment can therefore answer every query with their own IP address, so that the victim sends the subsequent traffic for the requested resource, including any authentication attempt, to the attacker’s machine.
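
The same trust-the-first-answer behaviour can be used to spot a poisoner before it catches a real user. The PowerShell below is an added example, not part of the original article and not code from Responder: it builds an LLMNR query and an NBT-NS query (with the NetBIOS first-level name encoding) for a name that cannot legitimately exist, sends them to the multicast and broadcast addresses described above, and reports any host that answers. On a clean network nothing should reply; any reply at all means something on the segment is poisoning name resolution. The probe name, the two-second timeout and the 255.255.255.255 broadcast address are assumptions you can change; it needs no elevated rights, but on a multi-homed host the packets go out of whichever interface Windows routes them to by default.

```powershell
# Added example: detect LLMNR/NBT-NS poisoners by asking for a name that should never resolve.
# Not from the original article or from Responder. Assumes IPv4, the default interface and a
# limited broadcast address (swap 255.255.255.255 for your subnet broadcast if needed).

function Get-RandomTransactionId { [uint16](Get-Random -Minimum 1 -Maximum 65535) }

function New-LlmnrQuery {
    param([string]$Name, [uint16]$TransactionId)
    # LLMNR reuses the DNS message layout (RFC 4795): 12-byte header, then one question.
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange([byte[]]@(($TransactionId -shr 8), ($TransactionId -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length); $b.AddRange($lb)
    }
    $b.Add(0)                                   # end of QNAME
    $b.AddRange([byte[]]@(0, 1, 0, 1))          # QTYPE = A, QCLASS = IN
    return $b.ToArray()
}

function New-NbtNsQuery {
    param([string]$Name, [uint16]$TransactionId, [byte]$Suffix = 0x20)
    # A NetBIOS name is 15 characters padded with spaces plus a one-byte suffix (0x20 = file server).
    # "First-level encoding" turns each nibble into a letter A-P, giving a 32-byte label.
    $padded  = $Name.ToUpper().PadRight(15).Substring(0, 15)
    $raw     = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($padded) + $Suffix)
    $encoded = [byte[]]($raw | ForEach-Object { [byte](65 + ($_ -shr 4)); [byte](65 + ($_ -band 0x0F)) })
    $b = New-Object System.Collections.Generic.List[byte]
    # Flags 0x0110: standard query, recursion desired, broadcast.
    $b.AddRange([byte[]]@(($TransactionId -shr 8), ($TransactionId -band 0xFF), 0x01, 0x10, 0, 1, 0, 0, 0, 0, 0, 0))
    $b.Add(32); $b.AddRange($encoded); $b.Add(0)
    $b.AddRange([byte[]]@(0, 0x20, 0, 1))       # QTYPE = NB, QCLASS = IN
    return $b.ToArray()
}

function Skip-DnsName {
    param([byte[]]$Data, [int]$Offset)
    # Returns the offset just past a DNS-style name, whether written out or compressed.
    while ($Offset -lt $Data.Length) {
        $len = [int]$Data[$Offset]
        if ($len -eq 0) { return $Offset + 1 }
        if (($len -band 0xC0) -eq 0xC0) { return $Offset + 2 }   # compression pointer
        $Offset += 1 + $len
    }
    return $Data.Length
}

function ConvertFrom-NameAnswer {
    param([byte[]]$Data, [uint16]$ExpectedId)
    # Pulls the IPv4 addresses claimed in LLMNR (type A) or NBT-NS (type NB) answer records.
    if ($Data.Length -lt 12) { return @() }
    $id      = ($Data[0] -shl 8) -bor $Data[1]
    $isReply = ($Data[2] -band 0x80) -ne 0
    $qd      = ($Data[4] -shl 8) -bor $Data[5]
    $an      = ($Data[6] -shl 8) -bor $Data[7]
    if (-not $isReply -or $id -ne $ExpectedId -or $an -eq 0) { return @() }
    $off = 12
    for ($i = 0; $i -lt $qd; $i++) { $off = (Skip-DnsName $Data $off) + 4 }   # skip echoed question(s)
    $ips = @()
    for ($i = 0; $i -lt $an; $i++) {
        $off = Skip-DnsName $Data $off
        if ($off + 10 -gt $Data.Length) { break }
        $type  = ($Data[$off] -shl 8) -bor $Data[$off + 1]
        $rdlen = ($Data[$off + 8] -shl 8) -bor $Data[$off + 9]
        $rd    = $off + 10
        if ($type -eq 1 -and $rdlen -eq 4)     { $ips += [System.Net.IPAddress]::new([byte[]]($Data[$rd..($rd + 3)])).ToString() }         # A record
        if ($type -eq 0x20 -and $rdlen -ge 6)  { $ips += [System.Net.IPAddress]::new([byte[]]($Data[($rd + 2)..($rd + 5)])).ToString() }   # NB: 2 flag bytes, then the IP
        $off = $rd + $rdlen
    }
    return $ips
}

function Invoke-NameProbe {
    param([byte[]]$Packet, [string]$Address, [int]$Port, [uint16]$TransactionId, [int]$TimeoutMs)
    $udp = New-Object System.Net.Sockets.UdpClient(0)    # ephemeral port; replies come back unicast to it
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $dest = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse($Address), $Port)
    [void]$udp.Send($Packet, $Packet.Length, $dest)
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $hits = @()
    try {
        while ($true) {                                    # ends when ReceiveTimeout throws
            $data = $udp.Receive([ref]$from)
            $claimed = ConvertFrom-NameAnswer -Data $data -ExpectedId $TransactionId
            if ($claimed.Count -gt 0) {
                $hits += [pscustomobject]@{ AnsweredFrom = $from.Address.ToString(); ClaimedIp = ($claimed -join ', ') }
            }
        }
    } catch {
        # A SocketException here only means no (more) replies arrived within the timeout.
        if ($_.Exception -isnot [System.Net.Sockets.SocketException] -and
            $_.Exception.InnerException -isnot [System.Net.Sockets.SocketException]) { throw }
    } finally { $udp.Close() }
    return $hits
}

function Find-NameResolutionPoisoner {
    param([string]$BogusName = ('probe' + (Get-Random -Maximum 99999)),   # assumed: no host has this name
          [string]$BroadcastAddress = '255.255.255.255',
          [int]$TimeoutMs = 2000)
    $id = Get-RandomTransactionId
    $llmnr = Invoke-NameProbe -Packet (New-LlmnrQuery $BogusName $id) -Address '224.0.0.252' -Port 5355 -TransactionId $id -TimeoutMs $TimeoutMs
    $id = Get-RandomTransactionId
    $nbt   = Invoke-NameProbe -Packet (New-NbtNsQuery $BogusName $id) -Address $BroadcastAddress -Port 137 -TransactionId $id -TimeoutMs $TimeoutMs
    foreach ($h in $llmnr) { $h | Add-Member NoteProperty Protocol 'LLMNR'  -PassThru }
    foreach ($h in $nbt)   { $h | Add-Member NoteProperty Protocol 'NBT-NS' -PassThru }
}

Find-NameResolutionPoisoner | Format-Table Protocol, AnsweredFrom, ClaimedIp
```

A poisoner such as Responder answers with its own address in both the UDP source and the record, so the two columns normally match; a mismatch is worth a closer look in its own right. Two practical notes: the Windows Firewall setting “Allow unicast response to multicast or broadcast network traffic” is off by default on the Public profile, so run the probe on a Domain or Private network (or allow that setting) or you will never see the reply; and an empty result proves only that nothing answered during that window, so schedule the probe rather than running it once.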

How does LLMNR/NBT-NS poisoning work?

To begin the attack, we start an LLMNR/NBT-NS poisoner such as Responder. Responder listens for the LLMNR and NBT-NS queries being sent on the local network and answers each one with the attacker’s IP address. By default it also starts several rogue servers, most notably SMB and HTTP, which receive the authentication attempts that follow the poisoning. In the lab we ran it as:

python Responder.py -I eth0 -rdvw

Here -I eth0 selects the interface to poison on and -v makes the output verbose; the other flags enable additional answer types and rogue services (for example -w starts the rogue WPAD proxy). Their exact meaning has changed between Responder releases, so check python Responder.py -h for the version you are running.

While listening for events, Responder picked up LLMNR queries from the lab machines and poisoned them.

These particular queries were not for any service that could be useful to an attacker. However, if we now go to one of the lab machines where Jo Bloggs is signed in and mistype a file share name (file shares use the SMB protocol), the victim computer resolves the bogus name via LLMNR/NBT-NS, is pointed at the attacker, and automatically attempts to authenticate to the spoofed share with the signed-in user’s credentials, without prompting. In our lab we looked up \\sshare, which does not exist.

Checking back with Responder, the authentication negotiation has taken place and we have captured Jo Bloggs’s username and NetNTLMv2 challenge/response (commonly just called an NTLMv2 hash). Responder prints it in the hashcat-ready form user::DOMAIN:server_challenge:NTProofStr:blob and also saves it under its logs directory.

What is the impact of a successful LLMNR/NBT-NS poisoning attack?

LLMNR/NBT-NS poisoning allows an attacker to become the man in the middle for unsuspecting users on the network. In a production environment where LLMNR and NBT-NS are enabled there is a steady stream of such queries (mistyped share names, stale drive mappings, decommissioned hosts, software looking for servers that no longer exist), so an attacker left listening for a few hours typically collects authentication attempts from a range of users without doing anything that looks unusual on the wire.

There are several ways attackers can use LLMNR/NBT-NS poisoning to increase their privilege on the domain. Two of the most common are:

Cracking the NTLMv2 hashes

A NetNTLMv2 challenge/response cannot be used in a Pass-the-Hash attack (which needs the NT hash itself), and it cannot be converted into one. It can, however, be cracked offline to recover the cleartext password using hashcat (mode 5600) or John the Ripper (format netntlmv2). How quickly that succeeds depends entirely on the strength of the user’s password, which is why a weak password policy turns this capture into a domain foothold. With cleartext credentials you can authenticate to anything that accepts the domain account: SMB shares, RDP, WinRM, Outlook Web Access and so on. Remote code execution on another host over SMB (with psexec-style tools or WMI) additionally requires the account to be a local administrator there; for domain accounts that is governed purely by group membership, because the UAC remote restriction (LocalAccountTokenFilterPolicy) only filters local accounts.

SMB relay

Instead of capturing NetNTLMv2 hashes with Responder, you can turn off the SMB and HTTP servers in Responder.conf and run ntlmrelayx (from impacket) alongside it to conduct an SMB relay attack. ntlmrelayx listens for the authentication attempts from the poisoned hosts and, rather than recording them, forwards each NTLM exchange to a chosen target host, authenticating there as the victim user. If that user is a local administrator on the target, ntlmrelayx will by default dump the target’s local SAM hashes, and it can instead execute a command or open an interactive SMB session. None of this requires knowing or cracking the user’s password. The attack only works where the target does not require SMB signing (workstations and member servers do not by default; domain controllers do), and an authentication cannot be relayed back to the host it came from, so the attacker needs a second, unsigned host to target. Pentesters typically enumerate candidate targets with nmap’s smb2-security-mode script or CrackMapExec’s --gen-relay-list.
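
That prerequisite is worth auditing before an attacker does. The PowerShell below is an added example, not part of the original article: one function reports the SMB signing posture of the local machine or of a list of machines reachable over WinRM, flagging each host that would accept a relayed authentication, and a second function enforces signing on them. It assumes the SmbShare module (Windows 8 / Server 2012 and later), WinRM for the remote case and admin rights on the targets; Set-SmbSigningRequired changes live configuration, so run it deliberately.

```powershell
# Added example: audit and enforce SMB signing, the control that defeats NTLM relay.
# Not from the original article. Requires the SmbShare cmdlets; remote checks assume
# WinRM is enabled on the targets and that you are an administrator there.

function Get-SmbSigningPosture {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $check = {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            ServerRequiresSigning = $srv.RequireSecuritySignature   # inbound: can this host be relayed TO?
            ClientRequiresSigning = $cli.RequireSecuritySignature   # outbound: can its users be relayed FROM?
            RelayTarget           = -not $srv.RequireSecuritySignature
        }
    }
    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') { & $check }
        else { Invoke-Command -ComputerName $c -ScriptBlock $check }
    }
}

function Set-SmbSigningRequired {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    $enforce = {
        # Same effect as the GPO settings "Microsoft network server/client: Digitally sign
        # communications (always)" under Security Settings -> Local Policies -> Security Options.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    foreach ($c in $ComputerName) {
        if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') { & $enforce }
        else { Invoke-Command -ComputerName $c -ScriptBlock $enforce }
    }
}

# Usage: check this host; pass -ComputerName with a list of hostnames to sweep a fleet,
# e.g. Get-SmbSigningPosture -ComputerName (Get-Content .\hosts.txt) | Where-Object RelayTarget
Get-SmbSigningPosture | Format-Table
```

Requiring signing on the server side is what removes a host as a relay target; requiring it on the client side stops that host’s users from being relayed anywhere at all, which is the stronger setting for a workstation estate. On SMB2 and later, signing is always enabled and the only control that matters is whether it is required, which is why the functions look at RequireSecuritySignature alone.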

How can we defend against LLMNR/NBT-NS poisoning?

The simplest way to defend against LLMNR/NBT-NS poisoning is to disable both LLMNR and NBT-NS completely. For networks that use an ordinary DNS server for name resolution, disabling them should have no adverse effects, and by doing so you will have closed a prominent security hole. Do test first: the odd legacy application, printer or old WINS-dependent tool may still rely on NetBIOS name resolution, and those cases are better fixed with proper DNS entries than by leaving the fallback on for everyone. Two further points are worth noting. Newer Windows builds also answer multicast DNS (mDNS), which Responder poisons in exactly the same way, so that should be switched off too. And disabling these protocols removes the easy way of coercing authentication, not the relay itself, so requiring SMB signing on all hosts, not just domain controllers, belongs alongside it.

DISABLE LLMNR
  1. Open ‘Group Policy Management’ on the domain controller.
  2. Add a new GPO (Forest -> Domains -> Your Domain -> Group Policy Objects, right click -> New).
  3. You can name the new GPO whatever you like but we’ve called it ‘LLMNR Disabled’.
  4. Right click the new GPO and select ‘Edit’.
  5. Go to Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client.
  6. Double click ‘Turn off multicast name resolution’ and select ‘Enabled’.
  7. Click ‘Apply’ and then ‘OK’.
  8. Link the GPO to the domain, or to the OUs that contain your computers: right click the domain or OU -> ‘Link an Existing GPO…’ and pick it. A GPO sitting in the Group Policy Objects container does nothing until it is linked. Clients pick it up at the next policy refresh, or immediately if you run gpupdate /force on them.

DISABLE NBT-NS
  1. Go to Control Panel -> Network and Internet -> Network and Sharing Centre -> Change Adapter Settings.
  2. Right click the network interface in use and choose ‘Properties’.
  3. Double click ‘Internet Protocol Version 4 (TCP/IPv4)’ and then click ‘Advanced’.
  4. Go to the ‘WINS’ tab, select ‘Disable NetBIOS over TCP/IP’ and then click ‘OK’.

These steps apply to one adapter on one machine, and there is no Administrative Template for NBT-NS. To disable it across the domain, either push the registry value the dialog sets (NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{interface GUID}) with a Group Policy Preferences registry item or a startup script, or, for DHCP clients, set the DHCP scope option ‘001 Microsoft Disable Netbios Option’ (under the Microsoft Windows 2000 Options vendor class) to 2.
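
The PowerShell below is an added example, not part of the original article, that performs both of the procedures above from the command line and then reports the resulting state so you can verify a host after the policy has applied. It writes the same registry values the GPO and the WINS tab set (EnableMulticast = 0 for LLMNR, NetbiosOptions = 2 per interface for NBT-NS) and, optionally, EnableMDNS = 0 to switch off mDNS as well; the mDNS value is an assumption that your Windows 10/11 builds honour it. It must run elevated, and on domain-joined hosts the same values are better delivered by GPO than by script.

```powershell
# Added example: disable LLMNR and NBT-NS (optionally mDNS) and verify the result.
# Not from the original article. Run as Administrator. The NetBIOS change takes effect
# when the adapter is reset or the host reboots, so verify after a reboot to be sure.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'      # written by the LLMNR GPO
$NetBtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$MdnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'  # EnableMDNS (assumed supported)

function Disable-MulticastNameResolution {
    param([switch]$IncludeMdns)
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    # NetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    Get-ChildItem -Path $NetBtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
    if ($IncludeMdns) { Set-ItemProperty -Path $MdnsKey -Name EnableMDNS -Value 0 -Type DWord }
}

function Get-MulticastNameResolutionState {
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $mdns  = (Get-ItemProperty -Path $MdnsKey  -Name EnableMDNS      -ErrorAction SilentlyContinue).EnableMDNS
    $nbt = Get-ChildItem -Path $NetBtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        # A missing value means 0, i.e. NetBIOS follows the DHCP setting and is normally on.
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $(if ($null -eq $opt) { 0 } else { $opt }) }
    }
    [pscustomobject]@{
        LlmnrDisabled          = ($llmnr -eq 0)      # absent value = policy not applied = LLMNR still on
        MdnsDisabled           = ($mdns -eq 0)
        NbtNsStillOnInterfaces = @($nbt | Where-Object { $_.NetbiosOptions -ne 2 } | ForEach-Object Interface)
    }
}

Disable-MulticastNameResolution -IncludeMdns
Get-MulticastNameResolutionState
```

Get-MulticastNameResolutionState on its own is a useful compliance check to run across an estate (for example through Invoke-Command) after the GPO has been linked: a host that still shows LlmnrDisabled = False, or lists any interface under NbtNsStillOnInterfaces, has not received or not applied the policy and is still answering the queries that make the attack above possible.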


Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. If you’d like to better understand your security posture, and how to strengthen it from attacks including LLMNR/NBT-NS poisoning, please contact us for a free consultation.

Contact

  • [email protected]
  • 0161 706 0720

© 2021 Predatech Limited
