Key Concepts of LLMNR Poisoning
- Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR/NBT-NS traffic as if they know the identity of the requested host.
- The victim then authenticates to the adversary-controlled system, sending its username and NTLMv2 challenge-response (commonly called the "NTLMv2 hash").
- If that response is cracked offline, the adversary has the victim's password and therefore the account.
Explaining LLMNR Poisoning
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name-resolution protocols built into Microsoft Windows. LLMNR was introduced in Windows Vista as the successor to NBT-NS.
Both are seemingly innocuous: they let machines on the same subnet help each other identify hosts when DNS fails. If a machine tries to resolve a host name and DNS resolution fails, it falls back to asking every other machine on the local link for the address, via LLMNR (multicast to 224.0.0.252 on UDP 5355) or NBT-NS (broadcast on UDP 137).
This seems harmless in theory, but any host on the link can answer, and the asking host has no way to verify the answer. That is the vulnerability attackers use to capture credentials.
LLMNR Poisoning Attack Examples
Live labs developed for a DevilSec talk: PowerPoint on LLMNR poisoning
Impact of LLMNR Poisoning
If an LLMNR poisoning attack succeeds on a victim's network, the adversary can gain full control of the victim's account. If the victim happens to be a Domain Administrator, the adversary now owns the network. If the NTLMv2 response cannot be cracked, it can instead be relayed to another host that does not enforce SMB signing (an NTLM relay attack). Note that a captured NTLMv2 challenge-response is not an NT hash and cannot be used for Pass-the-Hash; relay or offline cracking are the options.
Identifying LLMNR Poisoning Vulnerabilities
- Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of 0 indicates LLMNR is disabled; the value is absent when the policy has never been set, which means LLMNR is enabled.
- Monitor for traffic on ports UDP 5355 (LLMNR) and UDP 137 (NBT-NS) if LLMNR/NetBIOS is disabled by security policy; on such a network any datagram on those ports is a finding.
- Deploy an LLMNR/NBT-NS spoofing detection tool. Monitoring Windows event logs for event IDs 4697 and 7045 (a new service installed on a host) may help detect a successful relay, since relayed credentials are commonly used to create a service on the target.
LLMNR Poisoning Examples
- The victim machine wants to reach the print server at \\printserver but mistypes it as \\pintserver.
- The DNS server responds that it does not know that host.
- The victim then asks the local network, via an LLMNR multicast or NBT-NS broadcast, whether anyone knows the location of \\pintserver.
- The attacker, listening for such queries, answers that it is \\pintserver.
- The victim believes the answer and connects to the attacker's machine, authenticating with its username and NTLMv2 challenge-response.
- The attacker can now crack that response offline to recover the password, or relay it to another host.
Tool used to answer the LLMNR/NBT-NS queries and capture the authentication: Responder.
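The walkthrough above at the packet level, together with the kind of check the "Identifying LLMNR Poisoning Vulnerabilities" section calls for, as an added example in Python. This is not code from the original page and not Responder's code: it builds the query the victim multicasts, the spoofed answer a poisoner returns, parses both, and runs a detector over a constructed capture. The hosts 10.0.0.25 and 10.0.0.66, the canary name and the datagram tuples are assumptions made for the example; the wire format follows RFC 4795, which reuses the DNS message format.

```python
"""LLMNR query/spoofed-answer model plus a poisoner detector. Added example,
not code from the original page or from Responder; hosts, ports, IDs and the
capture below are constructed. Wire format: RFC 4795 (DNS message format)."""
import struct
from typing import Dict, List, Tuple

LLMNR_PORT = 5355            # LLMNR runs over UDP 5355
LLMNR_MCAST = "224.0.0.252"  # IPv4 multicast group queries are sent to
QTYPE_A, QCLASS_IN = 1, 1
QR_BIT = 0x8000              # header flag that marks a response

def _encode_name(name: str) -> bytes:
    """DNS label encoding: length byte + label per part, zero terminator."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def _decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels: List[str] = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            rest, _ = _decode_name(msg, ptr)
            return ".".join(labels + [rest]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def build_query(txid: int, name: str) -> bytes:
    """The query a victim multicasts to 224.0.0.252:5355 after DNS fails."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_spoofed_answer(query: bytes, responder_ip: str, ttl: int = 30) -> bytes:
    """A poisoner's reply: same ID, question echoed, QR set, one A record pointing
    at itself. A real host answers only its own name; a poisoner answers any."""
    txid = struct.unpack_from("!H", query, 0)[0]
    _, off = _decode_name(query, 12)
    question = query[12:off + 4]                 # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, QR_BIT, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in responder_ip.split("."))
    # Answer name is a compression pointer (0xC00C) to the question name.
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr

def parse(msg: bytes) -> dict:
    """Parse an LLMNR message: transaction ID, direction, name and A answers."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    name, off = _decode_name(msg, 12)
    off += 4                                     # skip QTYPE and QCLASS
    answers: List[str] = []
    for _ in range(an):
        _, off = _decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & QR_BIT), "name": name, "answers": answers}

def detect_poisoners(capture, canary_names=()) -> Dict[str, dict]:
    """capture: (src_ip, src_port, dst_ip, dst_port, payload) tuples. Returns each
    host that answered an LLMNR query and the names it claimed; answers are matched
    to queries by (querier, ID). Answering a canary name nobody has = poisoner."""
    pending: Dict[Tuple[str, int], str] = {}
    found: Dict[str, dict] = {}
    for src, sport, dst, dport, payload in capture:
        if LLMNR_PORT not in (sport, dport):
            continue                             # not LLMNR traffic
        m = parse(payload)
        if not m["response"]:
            pending[(src, m["id"])] = m["name"]
        elif (dst, m["id"]) in pending and m["answers"]:
            entry = found.setdefault(src, {"names": [], "canary_hit": False})
            entry["names"].append(m["name"])
            if m["name"] in canary_names:
                entry["canary_hit"] = True
    return found

# Constructed capture: the victim mistypes \\printserver; with LLMNR still on it
# multicasts a query, and the poisoner answers with its own address. The defender
# also queries a canary name that no host has, which only a poisoner answers.
VICTIM, POISONER, CANARY = "10.0.0.25", "10.0.0.66", "canary-zz9"
Q1, Q2 = build_query(0x1234, "pintserver"), build_query(0x1235, CANARY)
CAPTURE = [
    (VICTIM, 49152, LLMNR_MCAST, LLMNR_PORT, Q1),
    (POISONER, LLMNR_PORT, VICTIM, 49152, build_spoofed_answer(Q1, POISONER)),
    (VICTIM, 49153, LLMNR_MCAST, LLMNR_PORT, Q2),
    (POISONER, LLMNR_PORT, VICTIM, 49153, build_spoofed_answer(Q2, POISONER)),
]

if __name__ == "__main__":
    for ip, info in detect_poisoners(CAPTURE, {CANARY}).items():
        print(f"{ip} answered {info['names']}; canary hit: {info['canary_hit']}")
```

Run the file directly to see the poisoner flagged. The canary is the useful part for defenders: a host that answers a name you invented has shown it will answer anything, which no legitimate LLMNR responder does, and this is how Responder-detection tools work in practice. Where policy already disables LLMNR, the port filter alone is enough, since any datagram to or from UDP 5355 is then a finding.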
Mitigating LLMNR Poisoning
- Disable LLMNR and NetBIOS over TCP/IP in local computer security settings or by Group Policy if they are not needed in the environment. For LLMNR this is the "Turn off multicast name resolution" policy under Computer Configuration > Administrative Templates > Network > DNS Client, which sets EnableMulticast to 0 under the DNSClient key listed above.
- Use host-based firewall or security software to block LLMNR/NetBIOS traffic (UDP 5355 and UDP 137) on hosts that cannot be reconfigured.
- Enable and require SMB signing on servers. This stops NTLMv2 relay to SMB, but it does not prevent the capture and offline cracking of the NTLMv2 response, so it complements rather than replaces disabling the protocols.