LLMNR Poisoning

Info
Description:


LLMNR poisoning is a network-based attack in which an attacker places a rogue machine on the network to intercept name resolution requests. When a machine on the network tries to reach a file share or hostname that DNS cannot resolve, it falls back to Link-Local Multicast Name Resolution (LLMNR) or the NetBIOS Name Service (NBNS). The attacker's rogue machine answers these requests, tricking the victim into believing it has found the requested resource. In doing so, the rogue machine captures the user's or administrator's credentials on the local network (LAN) in the form of NTLMv1 or NTLMv2 hashes. The attacker can then run offline rainbow table attacks against the hashes or use them in pass-the-hash attacks to gain access to the target machine.



Info
Impact:
1. Credential theft:
An attacker can obtain user credentials from the target network or machines. Even though the credentials are captured in hashed form, an attacker can still use them to access the machine.
2. Privilege escalation:
With captured credentials, attackers can escalate privileges within the network.
3. Lateral movement:
Attackers can use stolen credentials to access other machines, applications, or network shares.



Info
Prevention:
1. Disable LLMNR:

To disable LLMNR, select "Turn OFF Multicast Name Resolution" under Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor of Active Directory.
Note: this disables LLMNR only; the crucial defence is to disable NBT-NS and mDNS as well, since the victim will fall back to whichever of these protocols is still enabled.



2. Disable NBT-NS:
To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select "Disable NetBIOS over TCP/IP" on each Active Directory machine. This is a per-host, per-adapter setting, so it only takes effect on the machine where it is applied.


3. mDNS:
Warning
Note: Microsoft currently advises leaving this running, as some technologies rely on the protocol (display adapters, Chromecast, printer discovery).
  • Impact on user experience: Disabling mDNS could affect how some applications or devices work. Users may need to configure networked devices (printers, smart displays, etc.) manually instead of having them detected automatically.
  • Alternatives: If mDNS is only a concern in the context of LLMNR poisoning, consider using firewall rules or network-level filtering to block mDNS traffic on UDP port 5353 without disabling it on the entire system.
    1. Open the Windows Registry Editor.
    2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
    3. Create a DWORD value named "EnableMDNS" and set it to "0".
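As an added example (not part of the article and not Shakta Technologies' own tooling), the PowerShell script below audits the three fallback protocols above on the local host and, when run elevated with -Remediate, applies the hardened values. The EnableMDNS value comes from the article; the EnableMulticast policy value for LLMNR and the per-interface NetbiosOptions value for NBT-NS are assumed registry names for the Group Policy and adapter settings described in steps 1 and 2.

```powershell
# Audit, and optionally remediate, the three name-resolution fallbacks
# an LLMNR poisoner relies on: LLMNR, NBT-NS and mDNS.
# Assumed registry locations (not taken from the article): the LLMNR policy
# is stored as EnableMulticast under the DNSClient policy key, and NBT-NS is
# stored per adapter as NetbiosOptions (2 = "Disable NetBIOS over TCP/IP").
# Before remediating mDNS, weigh the device-discovery warning given above.
param([switch]$Remediate)

$Checks = @(
    @{ Name = 'LLMNR'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';
       Value = 'EnableMulticast'; Wanted = 0 },
    @{ Name = 'mDNS';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters';
       Value = 'EnableMDNS'; Wanted = 0 }
)

# NBT-NS is a per-adapter setting, so add one check per Tcpip_* interface key.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in (Get-ChildItem $ifRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' })) {
    $Checks += @{ Name = "NBT-NS ($($if.PSChildName))"; Path = $if.PSPath;
                  Value = 'NetbiosOptions'; Wanted = 2 }
}

$Findings = foreach ($c in $Checks) {
    # A missing value means the default (protocol enabled) is in effect.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $ok = ($null -ne $current) -and ($current -eq $c.Wanted)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                         -Value $c.Wanted -Force | Out-Null
        $current = $c.Wanted; $ok = $true
    }

    [pscustomobject]@{ Protocol = $c.Name; Value = $c.Value; Current = $current;
                       Wanted = $c.Wanted; Hardened = $ok }
}

$Findings | Format-Table -AutoSize
```

A reboot or `Restart-Service Dnscache` may be needed before the LLMNR and mDNS changes take effect, and the NBT-NS change applies only to the adapters present when the script ran.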


    Quote
    To avoid this kind of vulnerability, security professionals recommend that the organisation perform periodic vulnerability assessments and penetration testing.


    Created by:
    Offensive security team

    Shakta Technologies Pvt Ltd
