NetBIOS/LLMNR POISONING Vulnerability and Solutions
“What is NetBIOS/LLMNR poisoning?” Before asking the question, NetBIOS and LLMNR concepts should be known.
What is NetBIOS and LLMNR?
LLMNR and NBT-NS are components of Microsoft Windows that work as alternative host identification methods. LLMNR is a protocol that performs name resolution for machines and enables host identification when DNS is damaged in a local network. At the same time, the necessary integration was carried out on Linux towards the end of 2014. It can also be used to resolve both IPv4 and IPv6 addresses.
NetBIOS is native network over communication It enables computers that provide communication to communicate with each other and performs name resolution. It's an API, not a protocol. When the operating system is installed on a machine, the NetBIOS name of this machine is assigned. “nbtstatYou can see the NetBIOS names and services on the cmd screen with the "".
NetBIOS Services
- NetBIOS-NS: Name registration and name resolution service. It only offers IPv4 support.
- NetBIOS-DGM: Datagram delivery service for connectionless communication
- NetBIOS-SSN: Session service for connection-oriented communication
It is used in Windows systems to resolve local on-disk domain names that cannot be found with DNS cache, DNS queries and LLMNR protocol. It works as a broadcast, so it doesn't work on IPv6, it only works on IPv4.
How to Do NetBIOS/LLMNR Poisoning?
When the user requests to connect to the neighboring machine on the local network, it first looks in the DNS cache and then in the hosts file. When it does not get results, it sends a query to the DNS server. If the query is negative, it does an LLMNR query and then a NetBios-NS query. The attacker steps in when the victim machine makes a request to a machine that is not on the local network. In fact, when the user who wants to access the "Fileserver" system accidentally executes the "Fileeeeserver" query, this false query triggers the attacker who is listening to the services on the network.
In the system that does not return the query result, it introduces itself as a real machine. Different tools can be used to perform the Offensive Attack. For example, it has open source code “ResponderDuring this query using the ” application, the user information of the victim machine and NTLMv2 Hash aims to capture its value. He can crack the password hash with the help of online/offline tools and reach the unencrypted version of the password.
In this vulnerability, the attacker shows his own IP address as the address of the resources to be accessed and gains access to other sensitive data such as username/password of users who want to reach the resource. Considering that we get the hash information of the local admin or domain admin session, it is quite dangerous.
How to Avoid NetBIOS/LLMNR Poisoning Vulnerability?
- To prevent this vulnerability, which is frequently discovered during penetration testing and web application security testing, LLMNR\NetBIOSIt is recommended by us to turn off . from group policy and user systems. Disabling LLMNR alone is not enough. In such a case, the NetBIOS-NS query comes into play.
- LLMNR protocol can be turned off by setting “Gpedit.msc -> Administrative Templates -> Network -> DNS Client -> Turn off Multicast Resolution option to “enable”.
- In NetBIOS protocol, NetBIOS setting can be turned off by going to WINS tab in TCP/IP configuration on clients and servers. Or run “regedit.exe”. Then HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\ tabs are entered respectively. The DWORD value '0' needs to be replaced with '2'.
- Use server-based security software to block LLMNR / NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks. Network intrusion detection and prevention systems can be used. Also, the “Auto-detect proxy server” option in browsers should not be checked.
A report that is reported to you during penetration testing. NetBIOS/LLMNR poisoning vulnerability It can be fixed by following the steps above.