LLMNR/NBT-NS Poisoning – The Attack That Won’t Die
Overview – LLMNR Poisoning
Despite the growing shift towards cloud-based services and away from on-premises infrastructure, many IT environments still depend on Windows Active Directory (AD) Domain Services somewhere within their network. Where misconfigurations are present, these Active Directory environments can present valuable opportunities for attackers.
If an attacker manages to breach an AD-managed local network, their priority is usually to escalate privileges across the domain as quickly and quietly as possible. One technique commonly used to achieve this is LLMNR/NBT-NS poisoning. In this article, we’ll examine how LLMNR/NBT-NS poisoning works, the potential impact it can have, and some straightforward steps you can take to help defend your internal infrastructure against this threat.
What Are LLMNR/NBT-NS Protocols?
On Windows networks, Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) function as fallback mechanisms when DNS is unable to resolve a hostname. As both protocols are enabled by default on modern Windows systems, they are commonly present across many internal environments.
The Wireshark capture below shows LLMNR/NBT-NS broadcast messages within an internal network:

How Does LLMNR/NBT-NS Poisoning Work?
When a user attempts to access a resource by name, the operating system must translate that name into an IP address before any communication can occur. Windows follows a defined sequence to try and resolve the name, working through the following steps in order:
1. Check whether the requested name refers to the local machine (localhost).
2. Check the local DNS cache and the manually configured hosts file (C:\Windows\System32\drivers\etc\hosts).
3. Send a query to the configured DNS server.
4. Broadcast an LLMNR query to all devices on the local network.
5. Broadcast an NBT-NS query to all devices on the local network.
If the process reaches the final two stages, the system is effectively asking every host on the local network whether they know the IP address associated with the requested hostname. Because these queries are broadcast, an attacker on the same network can respond with their own IP address. This can result in the victim’s machine directing traffic intended for the legitimate resource to the attacker’s system instead.
Attack Vectors
Overview – Attack Vectors
LLMNR and NBT-NS poisoning attacks can enable adversaries to position themselves as a man-in-the-middle for unsuspecting users on a network. In production environments where these protocols are active, it is common to see numerous broadcast name resolution requests generated by users during normal activity.
Attackers can leverage LLMNR/NBT-NS poisoning in several ways to escalate privileges within a domain. Some of the most frequently used methods include the following:
1. LLMNR/NBT-NS Poisoning Using Responder
2. NTLM Relaying Using NTLMRelayx
Recommendations
Overview – Recommendations
The most effective defence against LLMNR and NBT-NS poisoning is to turn off both protocols entirely. In environments that rely on standard DNS servers for name resolution, disabling LLMNR and NBT-NS typically does not disrupt normal operations and mitigates the risks associated with those protocols.
Disable LLMNR
1. Launch Group Policy Management on the domain controller.
2. Create a new Group Policy Object (navigate to Forest → Domains → Your Domain → Group Policy Objects, then right-click and select New).
3. Assign any name you prefer to the policy; for example, “LLMNR Disabled.”
4. Right-click the newly created GPO and choose Edit.
5. Navigate to Computer Configuration → Policies → Administrative Templates → Network → DNS Client.
6. Open Turn off multicast name resolution and set it to Enabled.
7. Select Apply, then click OK to save the changes.
Disable NBT-NS
1. Open Control Panel, then navigate to Network and Internet → Network and Sharing Centre → Change adapter settings.
2. Right-click the active network adapter and select Properties.
3. Select Internet Protocol Version 4 (TCP/IPv4) and click Advanced.
4. Switch to the WINS tab, choose Disable NetBIOS over TCP/IP, and click OK to apply the changes.
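For checking whether the two settings above have actually landed on a given host (and for applying them to a machine that is not domain-joined), here is an added PowerShell audit script; it is not part of the original article. It assumes it runs elevated, and relies on the registry values the "Turn off multicast name resolution" policy and the WINS tab write: EnableMulticast under the DNSClient policy key, and NetbiosOptions per NetBT interface (0 = use DHCP setting, 1 = enabled, 2 = disabled).

```powershell
# Added example: audit, and with -Apply enforce, the LLMNR and NBT-NS settings
# recommended above on the local host. Assumes an elevated PowerShell session.
param([switch]$Apply)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

# --- LLMNR: EnableMulticast = 0 is what the GPO "Turn off multicast name resolution" sets
$current = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($current -eq 0) {
    Write-Output 'LLMNR: disabled (EnableMulticast=0)'
} else {
    Write-Output "LLMNR: NOT disabled (EnableMulticast=$current) - host still sends and answers LLMNR"
    if ($Apply) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        Write-Output 'LLMNR: set EnableMulticast=0'
    }
}

# --- NBT-NS: one NetBT subkey per interface (Tcpip_{GUID}); NetbiosOptions = 2 disables it
Get-ChildItem -Path $netbtKey | ForEach-Object {
    $name = $_.PSChildName
    $opt  = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) {
        Write-Output "NBT-NS on $($name): disabled (NetbiosOptions=2)"
    } else {
        Write-Output "NBT-NS on $($name): NOT disabled (NetbiosOptions=$opt)"
        if ($Apply) {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Output "NBT-NS on $($name): set NetbiosOptions=2"
        }
    }
}
```

The NetBIOS change takes effect when the interface next resets; for a domain-wide rollout the GPO route above remains the right tool, with this script serving as a per-host check that the policy applied.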