LLMNR/NBT-NS Poisoning

From DevilSec

Key Concepts of LLMNR Poisoning

  • Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR/NBT-NS traffic as if they know the identity of the requested host.
  • The victim's username and NTLMv2 hash are sent to the adversary-controlled system.
  • If the hash is cracked, the adversary now owns the victim's account. PWND

Explaining LLMNR Poisoning

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two name-resolution components of Microsoft Windows. LLMNR was introduced in Windows Vista and is the successor to NBT-NS.

They are both seemingly innocuous components which allow machines on the same subnet to help each other identify hosts when DNS fails. So if one machine tries to resolve a particular host, but DNS resolution fails, the machine will then ask all other machines on the local network for the correct address via LLMNR or NBT-NS.

This seems harmless in theory, but it opens up a major vulnerability that attackers can use to obtain credentials for a domain account.

LLMNR Poisoning Attack Examples

Live Labs developed for DevilSec Talk: PowerPoint on LLMNR poisoning

Impact of LLMNR Poisoning

If an LLMNR Poisoning attack is successfully carried out on a victim's network, an adversary could gain full control of the victim's account. If the victim happens to be a Domain Administrator, the adversary now owns the network. If the NTLMv2 hash cannot be cracked, a Pass-The-Hash attack could then be performed.

Identifying LLMNR Poisoning Vulnerabilities

  • Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.
  • Monitor for traffic on ports UDP 5355 (LLMNR) and UDP 137 (NBT-NS) if LLMNR/NetBIOS is disabled by security policy; any such traffic means a host is not following the policy.
  • Deploy an LLMNR/NBT-NS spoofing detection tool. Monitoring Windows event logs for event IDs 4697 and 7045 (service installation) may help in detecting successful relay techniques.
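One way to build the spoofing detection tool mentioned above, as an added example that is not part of the DevilSec page: the monitor periodically queries LLMNR for a canary name that no legitimate host owns, and any host that answers it is flagged. The parser below handles the LLMNR wire format (DNS message layout, RFC 4795) for A-record answers; the capture list, the canary name and the IP addresses are constructed here and are not real traffic.

```python
import struct

LLMNR_PORT = 5355  # UDP port the monitor captures from


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def _read_name(buf, off):
    labels = []
    while buf[off]:  # length-prefixed labels, terminated by a zero byte
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def parse_llmnr(payload):
    """Parse one LLMNR message into its id, QR bit, question name and A-record answers."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qname, off = _read_name(payload, 12)
    off += 4  # skip QTYPE and QCLASS of the question
    answers = []
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:  # A record: the IPv4 address the responder claims
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": tid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def find_poisoners(packets, canary_names):
    """packets: (src_ip, udp_payload) pairs seen on UDP 5355; canary_names: names no host owns.
    Returns {responder_ip: [(name, claimed_ip), ...]} for every host answering a canary."""
    canary = {n.lower() for n in canary_names}
    hits = {}
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if msg["response"] and msg["qname"].lower() in canary:
            hits.setdefault(src, []).extend(msg["answers"])
    return hits


# Constructed sample capture: the monitor queries the canary, one host answers a different
# (legitimate) name, and one host answers the canary, which only a poisoner would do.
def _query(tid, name):
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def _answer(tid, name, ip):
    rr = _encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1) + rr

SAMPLE_CAPTURE = [
    ("10.0.0.5", _query(0x1234, "pintserver")),
    ("10.0.0.20", _answer(0x4321, "fileserver", "10.0.0.20")),
    ("10.0.0.66", _answer(0x1234, "pintserver", "10.0.0.66")),
]

if __name__ == "__main__":
    for ip, claims in find_poisoners(SAMPLE_CAPTURE, ["pintserver"]).items():
        print(f"possible LLMNR poisoner {ip}: {claims}")
```

In a real deployment the capture list would be fed from a socket bound to UDP 5355 on the monitored segment, and a hit should be correlated with the registry and event-log checks above before raising an alert.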

LLMNR Poisoning Examples

Example:

  1. The victim machine wants to go to the print server at \\printserver, but mistakenly types in \\pintserver.
  2. The DNS server responds to the victim saying that it doesn't know that host.
  3. The victim then asks whether anyone on the local network knows the location of \\pintserver.
  4. The attacker responds to the victim claiming to be \\pintserver.
  5. The victim believes the attacker and sends its own username and NTLMv2 hash to the attacker.
  6. The attacker can now crack the hash to discover the password.

LLMNR Diagram

Tools used for cracking NTLMv2 hashes: Hashcat or JohnTheRipper.

Tool used to intercept the LLMNR/NBT-NS name query: Responder.

Remediations

  • Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within the environment.
  • Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks, although it does not prevent the captured hash from being cracked offline.