During a penetration test, we’ve found that a common (and easy) way to gather credentials and gain an initial foothold on the client’s network is to perform a Man-in-the-Middle poisoning attack abusing LLMNR & NBT-NS. Depending on how active users are on the network, this attack can give an adversary valuable information almost immediately. Fortunately, with a little knowledge, this attack can be easily remediated.
What is LLMNR & NBT-NS?
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are components of Microsoft Windows systems that are alternate methods of host identification when DNS fails. LLMNR is based on the DNS format and enables computers on the same local network to conduct name resolution of other hosts. NBT-NS distinguishes hosts on the network by their NetBIOS name.
The Problem?
An attacker on the same network as Windows hosts can spoof LLMNR and NBT-NS by listening for LLMNR (UDP 5355) or NBT-NS (UDP 137) broadcasts going over the wire and responding to them. The attacker pretends to know the location of the requested host, effectively poisoning the name lookup so that the target communicates with the attacker-controlled system. In most cases, the attacker can then trick the target into sending its username and password in the form of an NTLMv2 or NTLMv1 hash. This hash is used for network-level authentication, which makes access to network resources seamless for the end user. Once the attacker has obtained the hash, it can either be cracked to plaintext if the password is weak or relayed to another host on the network. If the attacker chooses to relay the credential and the account has elevated privileges on the targeted host, the attacker can compromise that host without ever knowing the plaintext password.
This attack typically targets SMB (TCP 445), but it can also target the WPAD proxy service in a Man-in-the-Middle scenario to obtain credentials. This is possible because Windows enables automatic detection of proxy configuration by default, and an attacker can spoof that detection.
Windows Server 2008 and below are commonly more susceptible to these attacks, but depending on the environment configuration, higher versions of Windows may also be vulnerable.
An Example:
Popular Tools Used:
Linux:
Windows:
Mitigations:
**Note: Applying the mitigations listed below should not have a negative impact in most situations; however, apply these settings in a test environment before rolling them out to a production network. Windows 2000 and below may require the settings to remain untouched, depending on the environment.**
Local or domain GPO setting:
The following registry key is set on computers when LLMNR is disabled:
```
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient
"EnableMulticast" DWORD 0
```
To disable NetBIOS Name Service on a single machine:
To disable NetBIOS Name Service across a domain with DHCP clients:
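The three mitigation steps above (the LLMNR policy value, NetBIOS on a single machine, and NetBIOS for DHCP clients), together with the WPAD auto-detection the post mentions, as one added PowerShell example that is not part of the original post. It uses the same registry key and value the post lists for LLMNR; the NetBIOS handling via `Win32_NetworkAdapterConfiguration`, the `WinHttpAutoProxySvc` check and the function names are additions of mine, and the commented DHCP cmdlet line is an assumption to verify on your own DHCP server. It assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example, not from the original post. Audits the local machine against the
# LLMNR, NetBIOS and WPAD settings described above and, with Disable-LegacyNameResolution,
# enforces the two local ones. Assumes Windows PowerShell 5.1+ in an elevated session.

function Get-LegacyNameResolutionPosture {
    # LLMNR: the policy key the post lists; EnableMulticast = 0 means LLMNR is off.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr    = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrVal = '<not set>'
    if ($llmnr) { $llmnrVal = $llmnr.EnableMulticast }
    [pscustomobject]@{
        Control  = 'LLMNR (EnableMulticast)'
        Value    = $llmnrVal
        Hardened = [bool]($llmnr -and $llmnr.EnableMulticast -eq 0)
    }

    # NetBIOS over TCP/IP, per adapter: TcpipNetbiosOptions 0 = follow DHCP, 1 = enabled, 2 = disabled.
    # Option 0 is only safe once the DHCP server hands out the disable option described above.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        [pscustomobject]@{
            Control  = "NetBIOS on '$($_.Description)'"
            Value    = $_.TcpipNetbiosOptions
            Hardened = ($_.TcpipNetbiosOptions -eq 2)
        }
    }

    # WPAD: WinHttpAutoProxySvc is the service that performs automatic proxy discovery.
    $wpad    = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $wpadVal = '<service not found>'
    if ($wpad) { $wpadVal = "$($wpad.Status) / $($wpad.StartType)" }
    [pscustomobject]@{
        Control  = 'WPAD (WinHttpAutoProxySvc)'
        Value    = $wpadVal
        Hardened = [bool]($wpad -and $wpad.StartType -eq 'Disabled')
    }
}

function Disable-LegacyNameResolution {
    # LLMNR: create the policy key if needed and set the value the post lists.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # NetBIOS: option 2 (disable) on every IP-enabled adapter. ReturnValue 0 = applied,
    # 1 = applied but a reboot is required.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        "$($_.Description): SetTcpipNetbios returned $($r.ReturnValue)"
    }

    # Domain-wide alternative for DHCP clients (run on the DHCP server with the DhcpServer
    # module; assumed syntax, verify before use): vendor class "Microsoft Windows 2000 Options",
    # option 001 "Microsoft Disable Netbios Option", value 2 = disable NetBIOS.
    #   Set-DhcpServerv4OptionValue -VendorClass 'Microsoft Windows 2000 Options' -OptionId 1 -Value 2
}

# Usage: review first, then remediate on a test machine before rolling the settings out via GPO.
Get-LegacyNameResolutionPosture | Format-Table -AutoSize
# Disable-LegacyNameResolution
```

Run the audit on a few representative hosts before and after the GPO is applied: a `Hardened` column that is `False` on any row tells you exactly which control (and, for NetBIOS, which adapter) is still exposed. The registry value disables LLMNR as soon as the DNS client picks up the policy; the NetBIOS method call applies per adapter and reports whether a reboot is needed.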
Detection of LLMNR & NBT-NS Spoofing
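One practical way to detect the spoofing described above, as an added PowerShell example that is not part of the original post: send a single LLMNR query for a name that cannot exist and see who answers it. No legitimate host owns the name, so any answer comes from a system that is responding to lookups it should not, which is exactly the poisoning behaviour the post describes. The packet layout follows LLMNR's reuse of the DNS message format; the function names, the canary-name scheme and the assumption that a reply carries a single A record are mine. It assumes Windows PowerShell 5.1 or later, a host on the same subnet as the users, and nothing filtering UDP 5355 locally. NBT-NS can be probed the same way with a NetBIOS name query broadcast on UDP 137.

```powershell
# Added example, not from the original post. Sends one LLMNR query for a name that does not
# exist and reports whoever answers: no legitimate host owns the name, so any answer points
# at a poisoner on the local segment. Assumes PowerShell 5.1+, a host on the same subnet as
# the users, and no local filtering of UDP 5355.

function New-LlmnrQuery {
    param([Parameter(Mandatory)][string]$Name)
    # LLMNR reuses the DNS wire format: a 12-byte header followed by one question section.
    # Header fields: ID (random), flags 0x0000 (standard query), QDCOUNT 1, AN/NS/ARCOUNT 0.
    $id    = [byte[]]@((Get-Random -Maximum 256), (Get-Random -Maximum 256))
    $fixed = [byte[]]@(0x00, 0x00,  0x00, 0x01,  0x00, 0x00,  0x00, 0x00,  0x00, 0x00)
    # QNAME: length-prefixed labels (assumes an ASCII name).
    $qname = foreach ($label in $Name.Split('.')) {
        [byte]$label.Length
        [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    # Root label terminator, QTYPE A (1), QCLASS IN (1).
    $tail  = [byte[]]@(0x00,  0x00, 0x01,  0x00, 0x01)
    return [byte[]]($id + $fixed + $qname + $tail)
}

function Test-LlmnrPoisoner {
    param([int]$TimeoutMs = 3000)
    # Constructed canary name with a random suffix so nothing on the network can legitimately match it.
    $probe = 'llmnr-canary-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $query = New-LlmnrQuery -Name $probe

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    # 224.0.0.252:5355 is the LLMNR multicast group and port (RFC 4795).
    [void]$udp.Send($query, $query.Length, '224.0.0.252', 5355)

    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $hits = @()
    try {
        while ($true) {
            $reply   = $udp.Receive([ref]$from)                      # throws SocketException on timeout
            $ancount = ([int]$reply[6] -shl 8) -bor [int]$reply[7]   # ANCOUNT, header bytes 6-7
            $claimed = 'n/a'
            if ($ancount -gt 0 -and $reply.Length -ge 16) {
                # Assumption: a single A record, so its 4-byte RDATA is the tail of the message.
                $addr    = [byte[]]$reply[($reply.Length - 4)..($reply.Length - 1)]
                $claimed = (New-Object System.Net.IPAddress -ArgumentList (,$addr)).ToString()
            }
            $hits += [pscustomobject]@{
                Probe          = $probe
                AnsweredBy     = $from.Address.ToString()
                ClaimedAddress = $claimed
                AnswerCount    = $ancount
            }
        }
    } catch [System.Net.Sockets.SocketException] {
        # Receive timed out: nobody answered the canary, which is the healthy outcome.
    } finally {
        $udp.Close()
    }
    return $hits
}

# Usage: prints nothing on a clean segment; every row is a host answering a name it cannot own.
Test-LlmnrPoisoner | Format-Table -AutoSize
```

Scheduling this probe from a monitored host on each user subnet and forwarding any non-empty result to the SIEM gives continuous coverage of the segment. The `AnsweredBy` address is where the reply actually came from and the `ClaimedAddress` is where the responder wants clients to connect; on a poisoned segment they are normally the same host, and either one is the address to investigate.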
Mitigations against WPAD
Questions? Don't hesitate to reach out to us!
References: