During a penetration test, we’ve found that a common (and easy) way to gather credentials and gain an initial foothold on the client’s network is to perform a Man-in-the-Middle poisoning attack abusing LLMNR & NBT-NS. Depending on how active users are on the network, this attack can give an adversary valuable information almost immediately. Fortunately, with a little knowledge, this attack can be easily remediated.
What are LLMNR & NBT-NS?
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are components of Microsoft Windows that provide fallback methods of host name resolution when DNS fails. LLMNR is based on the DNS message format and lets computers on the same local network resolve the names of other hosts. NBT-NS identifies hosts on the network by their NetBIOS name.
The Problem?
An attacker on the same network as other Windows hosts can spoof LLMNR and NBT-NS by listening for LLMNR (UDP 5355) or NBT-NS (UDP 137) queries going over the wire and responding to them. The attacker claims to know the location of the requested host, effectively poisoning the lookup so that the target communicates with the attacker-controlled system. In most cases, the attacker can then trick the target into sending its username and password in the form of an NTLMv2 or NTLMv1 hash. This hash is used for network-level authentication, which makes access to network resources seamless for the end user. Once the attacker has obtained the hash, it can either be cracked to recover the plaintext password, if the password is weak, or relayed to another host on the network. If the attacker chooses to relay the credential and the account has elevated privileges on the targeted host, the attacker can compromise that host without ever knowing the plaintext password.
This attack typically targets SMB (TCP 445), but it can also target the WPAD proxy auto-discovery service in a Man-in-the-Middle scenario to obtain credentials. This is possible because Windows enables automatic detection of proxy configuration by default, and an attacker can spoof that detection.
Windows Server 2008 and below are commonly more susceptible to these attacks, but depending on the environment configuration, higher versions of Windows may also be vulnerable.
An Example:
- The victim tries to connect to a file share called “CompnayShare”, a name that was accidentally misspelled.
- The name is first checked against the hosts file on the system. If the name is not in the hosts file, the local DNS cache is queried. If the DNS cache does not contain the requested name, the query moves on to the DNS server on the local network.
- If the DNS server does not have a corresponding record, the requested name is sent out as an LLMNR/NBT-NS multicast query.
- Since the query is multicast, an attacker listening to network traffic catches the name resolution query. The attacker then tells the victim that the attacker’s system is the host the victim is looking for, in this example “CompnayShare”.
- The attacker responds to all LLMNR and NBT-NS queries in this way, allowing the traffic to be manipulated in order to obtain the victim’s username and password hash.
Popular Tools Used:
Linux:
- Responder – Developed by SpiderLabs
- Man-in-the-Middle Framework (MiTMf) – Developed by Byt3bl33d3r
- LLMNR_Response Module in the Metasploit Framework
- Nbnspoof – Developed by Robert McGrew
Windows:
- Inveigh – Developed by Kevin Robertson
Mitigations:
**Note: Applying the mitigations listed below should not have a negative impact in most situations; however, apply these settings in a test environment before rolling them out to a production network. Windows 2000 and below may require the settings to remain untouched, depending on the environment.**
Local or domain GPO setting:
- Click Start
- Type gpedit.msc in the text box
- Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client
- In the DNS Client Folder, double click on “Turn Off Multicast Name Resolution” and set it to “Enabled”
The following registry key is set on computers when LLMNR is disabled:
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
"EnableMulticast" DWORD 0
To disable NetBIOS Name Service on a single machine:
- Open Control Panel
- Under “Network and Internet”, click “View network status and tasks”
- Click “Change adapter settings”
- Right-click “Local Area Connection” and then click “Properties”
- Double-click “Internet Protocol Version 4 (TCP/IPv4)”, click “Advanced”, then click the “WINS” (Windows Internet Name Service) tab
- Select “Disable NetBIOS over TCP/IP”
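The same two single-machine changes (the LLMNR policy value and NetBIOS over TCP/IP per interface), applied and verified from an elevated PowerShell session, as an added example that is not part of the original post. It assumes the NetBT interface registry location named in the comments, which is where the WINS tab stores its setting; NetBIOS changes take effect after the adapter or host restarts.

```powershell
# Added example (not from the original post). Run elevated; test on a lab host first.
$llmnrKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
# Assumption: per-interface NetBIOS setting lives under NetBT\Parameters\Interfaces\Tcpip_*
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-Llmnr {
    # Same effect as the GPO "Turn Off Multicast Name Resolution" = Enabled.
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    New-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-NetbiosOverTcpip {
    # NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    # Same effect as "Disable NetBIOS over TCP/IP" on the WINS tab, for every interface.
    Get-ChildItem $netbtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

function Test-NameResolutionHardening {
    # One result object per check, so output can be collected across many hosts.
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{ Check = 'LLMNR disabled (EnableMulticast = 0)'; Compliant = ($llmnr -eq 0) }

    Get-ChildItem $netbtKey | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Check = "NetBIOS over TCP/IP disabled on $($_.PSChildName)"; Compliant = ($opt -eq 2) }
    }
}

Disable-Llmnr
Disable-NetbiosOverTcpip
Test-NameResolutionHardening | Format-Table -AutoSize
```

Running only `Test-NameResolutionHardening` gives a read-only audit of a host that was configured through the GUI or GPO steps above.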
To disable NetBIOS Name Service across a domain with DHCP clients:
Detection of LLMNR & NBT-NS Spoofing
- Deploy an LLMNR/NBT-NS spoofing detection tool.
- Conveigh – Developed by Kevin Robertson
- Monitor network traffic for UDP 5355 (LLMNR) and UDP 137 (NBT-NS).
- Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.
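One way a detection tool of the kind listed above works is to ask the network for a name that does not exist and treat any answer as a spoofing indicator. The probe below is an added example, not code from the original post or from Conveigh; it assumes the LLMNR multicast group 224.0.0.252 on UDP 5355 and that no legitimate host carries the random name it queries.

```powershell
# Added example (not from the original post). Sends an LLMNR query for a random,
# nonexistent host name; on a healthy network nobody should answer it.
function Send-LlmnrProbe {
    param(
        [string]$Name = ('probe-' + [guid]::NewGuid().ToString('N').Substring(0, 12)),
        [int]$TimeoutMs = 3000
    )
    # LLMNR uses the DNS wire format: 12-byte header (ID, flags, QD=1, AN/NS/AR=0), then the question.
    $id = Get-Random -Minimum 1 -Maximum 65535
    [byte[]]$header = @(($id -shr 8), ($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    $qname = foreach ($label in $Name.Split('.')) {
        [byte]$label.Length
        [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    [byte[]]$packet = $header + $qname + @(0, 0, 1, 0, 1)   # root label, QTYPE = A, QCLASS = IN

    $client = New-Object System.Net.Sockets.UdpClient
    $client.Client.ReceiveTimeout = $TimeoutMs
    $group = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
    $client.Send($packet, $packet.Length, $group) | Out-Null

    $responders = @()
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try {
        while ($true) {
            $reply = $client.Receive([ref]$from)
            # Count only replies that echo our transaction ID and carry at least one answer record.
            $sameId = ($reply.Length -ge 12) -and ($reply[0] -eq $header[0]) -and ($reply[1] -eq $header[1])
            $hasAnswer = ($reply.Length -ge 12) -and (($reply[6] * 256 + $reply[7]) -gt 0)
            if ($sameId -and $hasAnswer) { $responders += $from.Address.ToString() }
        }
    } catch [System.Net.Sockets.SocketException] {
        # Receive timed out: no further replies.
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ ProbedName = $Name; TransactionId = $id; Responders = $responders }
}

$result = Send-LlmnrProbe
if ($result.Responders.Count -gt 0) {
    Write-Warning "LLMNR answer for nonexistent name '$($result.ProbedName)' from: $($result.Responders -join ', ')"
} else {
    "No LLMNR responder for '$($result.ProbedName)' within the timeout."
}
```

Any address reported here belongs to a system answering for a name it cannot legitimately own, which is exactly the behaviour the poisoning tools listed earlier rely on.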
Mitigations against WPAD
- Create a DNS entry for WPAD that points to the internal proxy server so the attacker cannot answer the lookup and manipulate the traffic.
- Disable “Autodetect Proxy Settings” in Internet Explorer using Group Policy.