I'm under

attack

LLMNR and NBT-NS Protocols

Updated: Nov 22, 2021

How these legacy protocols may be endangering your network


When hacking into a company’s network, one of the biggest hurdles a hacker will need to overcome is gaining authentication. Fortunately for them, many companies are not aware of the legacy protocols that may be lurking on their networks and making it that much easier for an attacker to gain access.

The Risks of LLMNR and NBT-NS

Two such vulnerabilities are the Network Basic Input/Output System Name Service (NBT-NS) and the Link-Local Multicast Names Resolution (LLMNR) protocols, which serve as alternate methods of host identification when DNS fails. This means that if the computer is unable to resolve a request submitted by the user, the query will be broadcasted to the LLMNR or NBT-NS local subnets for resolution.

These protocols are still enabled by default on some Microsoft systems, and if left unchecked they can lead an attacker to network dominance. Luckily, there are multiple preventative measures that IT teams can implement fairly easily.


How this attack works


When a request is broadcasted to a local subnet, an attacker on the network can respond to the request using a tool like Responder, which is programmed to automatically respond to NBT-NS and LLMNR requests and begin the authentication process.


Responder main page
Credentials received

The victim, who now believes the attacker to be their resource, then provides the attacker with their credentials to authenticate to the resource. At this point, the authentication process begins and provides the username and NTLMv2 hash, and the attacker attempts to crack these hashes offline to reduce the noise and traffic on the network to help the threat actor remain undetected. Threat actors also can relay credentials without the need to crack hashes, this is also known as a relay attack.


At this point, the attacker will be able to impersonate the victim on the network. This means that if the victim is a privileged user, the attacker now can assume the role of a privileged user and can continue to move laterally and vertically across the network to achieve network dominance.






How to Prevent These Attacks


The primary concern with these protocols is the inherent trust that the victim assumes with other computers on the network. By posing as resources, victims are likely to share credentials and ultimately allow the attacker to pose as them on the resource.


Mitigation


The best way to prevent these attacks is by disabling the LLMNR and NBT-NS protocols.


Redpoint has found that disabling these services altogether is the best approach. Below are some recommendations to disable services and alternate approaches if disabling these services is not an option.


1. To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor.

Disabling LLMNR

2. To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP.”

Disabling NBT-NS

Disable LLMNR with Command Line (Single Workstation, Windows 7,8,10)


Run these commands from the command line:

  • REG ADD “HKLM\Software\policies\Microsoft\Windows NT\DNSClient”

  • REG ADD “HKLM\Software\policies\Microsoft\Windows NT\DNSClient” /v ” Enable Multicast” /t REG_DWORD /d “0” /f


Filter LLMNR/NetBIOS Network Traffic


You can also block LLMNR/NetBIOS traffic with a host-based security system or End Point Detection Response (EDR).


If must use or cannot disable LLMNR or NBT-NS protocols, the best course of action is to

  1. Require Network Access Control. The attack will not work if an attacker cannot get onto the network.

  2. Require strong user passwords (e.g., > 15 characters in length and limit common word usage). The more complex the password, the harder it is for an attacker to crack the hash.


You can also look at network segmentation to minimize this type of attack. Network segmentation is useful to isolate systems or limit the lateral movement if attacks are successful and is particularly useful for legacy systems that can’t have LLMNR/NBT-TS turned off.


Detection


Utilizing Network Intrusion Prevention Tools and testing to see if your tool is set up to alert on these types of attacks is a great method to ensure you are protected.


Make sure that you monitor registry changes for “EnableMulticast” in the following registry - HKLM\Software\Policies\Microsoft\Windows NT\DNSClient. Additionally, IT teams should scrutinize Windows event logs for event ID’s 4697 and 7045, which may detect successful relaying attacks. Finally, the best defense against this type of attack is a proactive approach through regular internal network penetration testing to identify if these vulnerabilities exist on your network.


Understanding the risk that legacy protocols pose to your network is key to preventing a successful cyber attack against your company. To learn more about proactive cybersecurity, contact our team at info@redpointcyber.com.