Capturing Password Hashes: LLMNR/NBT-NS/mDNS Poisoning

Andy Wilson

Security Consultant

Andy Wilson is a security consultant, a CHECK registered tester and an expert in Infrastructure Testing.

In the digital age we live in, attackers are continually developing new techniques to compromise computer systems. However, an attack that was first disclosed over a decade ago at Black Hat USA 2011 is still one of the most common ways we compromise a domain admin account on an engagement.

What is DNS?

The way that computers on a network communicate using human-readable names such as FILESERVER01 is through the Domain Name System (DNS). DNS translates these human-readable names into the corresponding machine-readable addresses, known as IP addresses.

For example, on an internal network a computer may request access to a resource such as \\FILESERVER01. A DNS request is made to resolve the hostname FILESERVER01 to its IP address, and a connection is then established. But what happens if the DNS server fails to resolve the request?

DNS resolution failing

Windows devices have several legacy name resolution protocols enabled by default, such as Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and Multicast DNS (mDNS). If DNS fails, the computer falls back to one of these protocols in an attempt to resolve the hostname to its IP address. These protocols work by sending a request to every device on the same subnet, asking whether any of them knows the IP address for that hostname.

How Can Attackers Exploit This?

An attacker with access to the local network can conduct a Man-in-The-Middle (MiTM) attack that abuses these protocols by responding to the broadcast requests with their own IP address. The victim then attempts to authenticate to the attacker's machine, allowing the attacker to capture an NTLMv2 (or Net-NTLMv2) challenge/response hash, which can be taken offline and potentially cracked depending on the strength of the password. However, even if the password cannot be cracked, these authentication requests can still potentially be relayed to various other services.

[Figure: NTLM-v2 challenge/response hash captured via LLMNR, NBT-NS and mDNS poisoning]

How Do I Protect Myself?

To mitigate the risk of LLMNR, NBT-NS and mDNS poisoning attacks, it is recommended to disable these protocols where possible. There should be no adverse effect from disabling LLMNR and NBT-NS if a DNS server is in place on the local network, as DNS will be used as the primary method of name resolution. Doing so significantly enhances the security posture, reducing the risk of falling victim to these commonly exploited MiTM attacks.

Note that Microsoft currently recommends leaving mDNS running unless there is a specific security need, as some technologies rely on the mDNS protocol (display adapters, Chromecast, printer discovery).

Disable LLMNR via GPO

LLMNR can be disabled through the Group Policy Editor: the relevant policy setting is found under Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client.

Disable NBT-NS via DHCP

NetBIOS Name Service can be disabled within the DHCP server settings. Once set, any device that receives a DHCP lease will have NBT-NS disabled via the DHCP option.

Within the DHCP server > scope options > Advanced > Select Microsoft Windows 2000 options > Enable 001 Microsoft Disable Netbios Options > Set value to “0x2”

NBT-NS can also be disabled on individual workstations through the Network Connection Settings.

Navigate to Network Connections > Internet Protocol Version 4 > Properties > General > Advanced > WINS, then select “Disable NetBIOS over TCP/IP”.


Disable mDNS via Registry

mDNS can be disabled through the Registry Editor. The following registry value can be added to disable mDNS on the local machine.

Note: Microsoft currently advises leaving this running as some technologies rely on the protocol (display adapters, Chromecast, printer discovery).

  1. Open Windows Registry Editor
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  3. Create a DWORD value named "EnableMDNS" with the value "0".
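As an added example (not from the article or from Pentest People), the following PowerShell audit script checks the three workstation-side settings described above and, with -Remediate, applies them. It assumes an elevated session on the machine being checked; the LLMNR value EnableMulticast under the DNSClient policy key and the per-interface NetbiosOptions value are the registry locations that the GPO and WINS-tab settings write to (not named in the article), while EnableMDNS is the value the article gives. The DHCP scope option is server-side and is not covered.

```powershell
# Audit/harden LLMNR, NBT-NS and mDNS on a Windows host. Report-only by default; -Remediate writes the values.
[CmdletBinding()]
param([switch]$Remediate)

# Assumed registry locations (EnableMDNS is the one given in the article).
$checks = @(
    @{ Name = 'LLMNR'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Value = 'EnableMulticast'; Want = 0 },
    @{ Name = 'mDNS';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Value = 'EnableMDNS'; Want = 0 }
)
# NetBIOS over TCP/IP is configured per interface under NetBT\Parameters\Interfaces\Tcpip_{GUID}; 2 = disabled.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceRoot) {
    $checks += @{ Name = "NBT-NS $($iface.PSChildName)"; Path = $iface.PSPath; Value = 'NetbiosOptions'; Want = 2 }
}

$results = foreach ($c in $checks) {
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($c.Value) } else { $null }   # missing value = protocol still enabled
    $state = if ($current -eq $c.Want) { 'disabled' }
             elseif ($c.Value -eq 'NetbiosOptions' -and $current -eq 0) { 'default (DHCP option 001 decides)' }
             else { 'ENABLED' }
    if ($Remediate -and $state -ne 'disabled') {
        if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $state = 'disabled (remediated; reboot to apply)'
    }
    [pscustomobject]@{ Protocol = $c.Name; Setting = $c.Value; Current = $current; State = $state }
}
$results | Format-Table -AutoSize
```

An interface reporting "default" has NetbiosOptions = 0, meaning NBT-NS is enabled unless the DHCP server delivers the Microsoft Disable Netbios option described above.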

To reduce the risk posed by LLMNR, Pentest People would recommend an Internal Infrastructure Assessment. The Internal Infrastructure Assessment identifies the risks associated with LLMNR and other protocols, such as NetBIOS, and develops recommendations to reduce or eliminate them.
