Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two protocols used to resolve a host's address on a network when DNS name resolution, the conventional method, fails.

When a DNS server is unable to resolve a request from a requester machine, the latter broadcasts a message to its peer computers asking for the location of the required server. Hackers leverage this operation to steal the credentials of the requester machine.

Hackers silently residing inside the network listen to the network communication and jump at the opportunity to respond to a requester machine’s LLMNR/NBT-NS request. The requester machine, upon receiving the hacker’s response, treats it as an authentic source and unknowingly shares its NTLMv2 hash, resulting in a credential leak.

How does an LLMNR/NBT-NS strike occur?

A simple explanation of LLMNR/NBT-NS attack

  1. A user wants to access the file server at \\jojofiles, but requests \\jojosfile unknowingly.
  2. As expected, the DNS server cannot recognize the host and does not return the required file server.
  3. The requester machine asks the other machines on the network whether they know the location of \\jojosfile.
  4. A hacker intercepts the message and responds to the machine confirming that it has the location of \\jojosfile.
  5. The requester machine believes the hacker and provides its username and NTLMv2 hash. The hacker can now crack the hash using tools like Hashcat to take control of the account and use it for malicious purposes.

[Figure: flowchart of how an LLMNR/NBT-NS strike occurs, showing the communication between a client machine and a hacker]

What are ways to prevent an LLMNR/NBT-NS attack?

  • Disable LLMNR and NBT-NS

(i) To disable LLMNR: Open the Group Policy Editor. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client. Enable Turn off Multicast Name Resolution. This disables LLMNR.

(ii) To disable NBT-NS: Open the Control Panel. Go to Network and Internet > Network Connections. View the Properties of your network adapter. Choose Internet Protocol Version 4 (TCP/IPv4) and click Properties.

On the General tab, click Advanced.

Choose the WINS tab. Select Disable NetBIOS over TCP/IP and click OK. This disables NBT-NS.
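
The two GUI procedures above can also be checked from the registry. The PowerShell script below is an added example, not part of the original article: it reports whether LLMNR and NBT-NS are disabled on the local machine and, with the script's own `-Remediate` switch, writes the same values the GUI steps set. It assumes the standard locations for these settings, the DNS Client policy value `EnableMulticast` and the per-interface NetBT value `NetbiosOptions`.

```powershell
# Added example: audit LLMNR / NBT-NS state; -Remediate (this script's own switch) applies the fix.
param([switch]$Remediate)

# "Turn off Multicast Name Resolution" = Enabled is stored as EnableMulticast = 0
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# Per-adapter NetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    $v = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Setting  = 'LLMNR'
        Target   = 'DNS Client policy'
        Value    = if ($null -eq $v) { 'not configured' } else { $v }
        Disabled = ($v -eq 0)   # a missing value means LLMNR is still on
    }
}

function Get-NetbiosState {
    Get-ChildItem -Path $netbtKey | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Setting  = 'NBT-NS'
            Target   = $_.PSChildName          # Tcpip_{interface GUID}
            Value    = if ($null -eq $v) { 'not set' } else { $v }
            Disabled = ($v -eq 2)              # 0 (DHCP default) and 1 both leave it reachable
        }
    }
}

if ($Remediate) {   # requires an elevated session
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Get-ChildItem -Path $netbtKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

# Report every setting and fail the run if anything still answers LLMNR/NBT-NS
$report = @(Get-LlmnrState) + @(Get-NetbiosState)
$report | Format-Table -AutoSize
$exposed = @($report | Where-Object { -not $_.Disabled })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) setting(s) still allow LLMNR/NBT-NS name resolution."
    exit 1
}
```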

  • If your organization’s policy doesn’t allow you to disable these protocols, you can implement the following workarounds:

(i) Ensure that attackers do not have access to the network by requiring Network Access Control (NAC).

(ii) Set strong password policies for users in the organization so it’s more difficult for attackers to crack the hash.

(iii) Monitor unusual user logons to identify any signs of account compromise.

This can be done using Active Directory auditing solutions like ADAudit Plus.