Introduction
In today's interconnected digital landscape, internal network security is paramount. While external threats often grab headlines, internal vulnerabilities can pose equally significant risks. One such vulnerability involves the exploitation of network protocols like LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service), and mDNS (Multicast DNS). Attackers can leverage these protocols to perform poisoning attacks, capturing user password hashes and potentially compromising your entire network.
Understanding LLMNR, NBT-NS, and mDNS Poisoning Attacks
What Are These Protocols?
- LLMNR (Link-Local Multicast Name Resolution): A protocol used by Windows systems for name resolution when standard DNS lookups fail.
- NBT-NS (NetBIOS Name Service): An older protocol for name resolution in Windows networks, primarily for backward compatibility.
- mDNS (Multicast DNS): Used by devices to resolve hostnames to IP addresses within small networks without a unicast DNS server.
How do Poisoning Attacks Work?
- Name Resolution Failures: When a computer cannot resolve a hostname via DNS, it falls back to LLMNR or NBT-NS.
- Exploiting the Protocols: Attackers can spoof responses to these requests, redirecting traffic to malicious servers.
- Capturing Credentials: Users may unknowingly send authentication credentials to the attacker's system, allowing them to capture password hashes.
What are the Implications of a Successful Attack?
- Credential Theft: Attackers can obtain hashed passwords, which can be cracked to reveal plaintext passwords.
- Unauthorized Access: With valid credentials, attackers can access sensitive systems and data.
- Privilege Escalation: Attackers can use the captured credentials to obtain administrative rights, then deploy malware or compromise the network further.
- Data Breach Risks: Potential exposure of confidential information, leading to compliance violations and reputational damage.
Recommendation: Disabling Unnecessary Name Resolution Protocols
To mitigate these risks, it's crucial to evaluate the necessity of LLMNR, NBT-NS, and mDNS within your network and consider disabling them if they're not essential.
Assess Operational Requirements
- Identify Dependencies: Ensure that no critical applications or services rely on these protocols.
- Compatibility Testing: Test the impact of disabling these protocols in a controlled environment before full implementation.
Disable LLMNR Using Group Policy
Navigate to Computer Configuration ➔ Administrative Templates ➔ Network ➔ DNS Client.
Enable the policy "Turn off multicast name resolution".
Effect: This prevents systems from using LLMNR for name resolution, forcing them to rely solely on DNS.
Disable NBT-NS Via Network Adapter Settings
Open Network Connections ➔ right-click on the adapter ➔ select Properties.
Click on Internet Protocol Version 4 (TCP/IPv4), then Properties ➔ Advanced ➔ WINS tab.
Select "Disable NetBIOS over TCP/IP".
Disable NBT-NS Using DHCP Scope Options
Set the "Disable NetBIOS over TCP/IP" option (usually option 001) to ensure all DHCP clients disable NBT-NS.
Effect: Disabling NBT-NS reduces the attack surface for poisoning attacks exploiting NetBIOS name resolution.
Disable mDNS on Windows Systems
mDNS isn't commonly used, but if present, disable related services like Function Discovery Resource Publication and Function Discovery Provider Host.
Disable mDNS on Other Operating Systems
Consult the specific documentation to disable mDNS services.
Effect: Prevents exploitation via mDNS protocol, which could be used in similar poisoning attacks.
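The endpoint and DHCP steps above, as an added PowerShell example that is not part of the original article: it audits the current state of all three protocols on a Windows host and, on request, applies the same settings the Group Policy, adapter dialog and services steps would. It assumes EnableMulticast=0 is the registry value the "Turn off multicast name resolution" policy writes, that FDResPub and fdPHost are the Function Discovery service names, that the Dnscache EnableMDNS value (not mentioned in the article) is honoured on current Windows builds, and that the DHCP scope ID is a placeholder you replace; run it elevated and test in a lab first.

```powershell
# Audit / harden LLMNR, NBT-NS and mDNS on one Windows host (added example).
$LlmnrKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$DnscacheKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$MdnsServices = 'FDResPub', 'fdPHost'   # assumption: Function Discovery service short names

function Get-NameResolutionState {
    # One object summarising the three exposures so it can be collected fleet-wide.
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    # TcpipNetbiosOptions: 0 = take from DHCP, 1 = enabled, 2 = disabled
    $nbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
    [pscustomobject]@{
        LlmnrDisabled     = ($llmnr -eq 0)    # 0 is what the GPO "Turn off multicast name resolution" writes
        AdaptersWithNbtOn = @($nbt | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
        MdnsServices      = Get-Service -Name $MdnsServices -ErrorAction SilentlyContinue |
                            Select-Object Name, Status, StartType
    }
}

function Disable-NameResolutionFallbacks {
    # 1. LLMNR: same registry value the Group Policy setting writes.
    New-Item -Path $LlmnrKey -Force | Out-Null
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord
    # 2. NBT-NS: "Disable NetBIOS over TCP/IP" (option 2) on every IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
    # 3. mDNS: stop/disable the Function Discovery services and the DNS client's own mDNS responder.
    foreach ($svc in $MdnsServices) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
    Set-ItemProperty -Path $DnscacheKey -Name EnableMDNS -Value 0 -Type DWord   # assumption: honoured on current builds
}

function Set-DhcpScopeNetbiosOff {
    # DHCP-side equivalent (run on the DHCP server): Microsoft vendor option 001, value 2 = disable.
    param([Parameter(Mandatory)][string]$ScopeId)   # placeholder, e.g. '10.0.0.0'; replace with your scope
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -VendorClass 'Microsoft Windows 2000 Options' `
        -OptionId 1 -Value 2
}

Get-NameResolutionState | Format-List   # audit first; call Disable-NameResolutionFallbacks to apply
```

Roll the audit function out through your endpoint management tooling before the apply step so that the hosts still using NBT-NS (for example, those with legacy file shares) surface in the compatibility testing the article recommends.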
Enhance DNS Infrastructure
- Ensure DNS Reliability: A robust DNS infrastructure answers lookups promptly, so clients rarely fall back to the less secure multicast and broadcast protocols.
- Internal DNS Servers: Use properly configured internal DNS servers to handle all name resolution requests.
- DNS Security Extensions (DNSSEC): Implement DNSSEC so that DNS answers are cryptographically authenticated, adding an extra layer of security to DNS queries.
Monitor Network Traffic
- Intrusion Detection Systems (IDS): Deploy IDS to detect suspicious name resolution activity, such as hosts answering LLMNR or NBT-NS queries that they have no legitimate reason to answer.
- Regular Audits: Conduct network audits to identify any unauthorized systems or anomalies.
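A defender-side canary probe for the monitoring step, added here as example code that is not part of the original article: it asks LLMNR and NBT-NS for hostnames that cannot exist, so on a clean segment nothing answers and every answer comes from a host impersonating names. The canary prefix, probe count and the event-log hand-off are assumptions, and it must run from a monitoring host on which these protocols have not yet been disabled.

```powershell
function Test-NameResolutionPoisoning {
    # Sends a few LLMNR and NBT-NS queries for random, non-existent names.
    # On a clean network segment nothing answers; every answer returned is a finding.
    param(
        [int]$Probes = 3,
        [string]$Prefix = 'canary'    # assumption: no real host name starts with this
    )
    $findings = foreach ($i in 1..$Probes) {
        # 8 random [0-9a-z] characters (name stays within the 15-character NetBIOS limit)
        $suffix = -join ((48..57) + (97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
        $name = "$Prefix$suffix"
        foreach ($proto in 'LlmnrOnly', 'NetbiosOnly') {
            $params = @{ Name = $name; ErrorAction = 'SilentlyContinue'; QuickTimeout = $true }
            $params[$proto] = $true           # restrict Resolve-DnsName to one protocol
            foreach ($answer in @(Resolve-DnsName @params)) {
                if ($answer.IPAddress) {
                    [pscustomobject]@{
                        Time      = Get-Date -Format o
                        Protocol  = $proto -replace 'Only$'
                        Probe     = $name
                        Responder = $answer.IPAddress   # host that answered a name that cannot exist
                    }
                }
            }
        }
    }
    return @($findings)
}

# Run from a scheduled task; anything returned should alert the SOC, not just be logged.
$hits = Test-NameResolutionPoisoning
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    # e.g. Write-EventLog -LogName Application -Source 'NameResolutionCanary' -EventId 4001 `
    #        -EntryType Warning -Message ($hits | Out-String)   # register the source first
} else {
    'No unsolicited LLMNR/NBT-NS responses observed.'
}
```

The Responder value is the address to investigate; correlate it with DHCP leases and switch port data to locate the device.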
Educate Employees
- Security Awareness Training: Teach staff about the risks of network attacks and safe computing practices.
- Reporting Mechanisms: Encourage reporting of unusual system behavior or security concerns.
Benefits of Implementing These Recommendations
- Improved Security Posture: Reduces vulnerability to internal attacks and unauthorized access.
- Protection of Sensitive Data: Safeguards user credentials and confidential information.
- Regulatory Compliance: Helps meet data protection standards and avoid potential fines.
- Operational Continuity: Minimizes the risk of disruptions caused by security breaches.
- Employee Confidence: Fosters a culture of security awareness and responsibility.
Conclusion
LLMNR, NBT-NS, and mDNS are legacy protocols that, while designed to aid in network functionality, can introduce significant security vulnerabilities if left unmanaged. By disabling these protocols and reinforcing your DNS infrastructure, you can significantly reduce the risk of poisoning attacks and protect your organization's assets.
Next Steps
We recommend initiating a thorough review of your network settings to determine the feasibility of disabling these protocols. Our team is available to assist with this evaluation and to implement the necessary changes without disrupting your business operations.
Continue bolstering your security posture with our Network Security Audit Service.
