The Knowledge Base: Local Network Attacks - LLMNR & NBT-NS Poisoning

by Jess Tanner | Jan 23, 2017
Pen Testing

Blog written by: Kumail Hussain, Penetration Tester, CNS Group.

The following blog looks at a well-known local network attack vector: NBNS (sometimes referred to as NBT-NS) and LLMNR (Link-Local Multicast Name Resolution) spoofing, also called poisoning.

NBT-NS Protocol

NetBIOS Name Service (NBNS, also written NBT-NS) is the name service component of NetBIOS over TCP/IP (NBT). NetBIOS itself dates from 1983 and was developed to enable communication between computers within a Local Area Network (LAN). NBT-NS resolves NetBIOS names to IP addresses by broadcasting queries over UDP port 137 across the local network segment (or, where one is configured, by asking a WINS server), so every host on that segment sees the query and any of them can answer it.

Link-Local Multicast Name Resolution (LLMNR) Protocol

LLMNR is a protocol that was introduced with Windows Vista (it supports both IPv4 and IPv6) and is based upon the Domain Name System (DNS): it reuses the DNS packet format, but sends queries to a link-local multicast group on UDP port 5355 instead of to a configured server, and accepts whichever host answers.

NetBIOS over TCP/IP is enabled by default on every network interface of a Windows machine (the default setting defers to the DHCP server, which normally leaves it on). LLMNR is enabled by default on all network interfaces on machines running Windows Vista and later (7, Server 2008, 8, Server 2012, 10). It is important to note that DNS remains the primary method of name resolution: NBNS and LLMNR are the fall-backs Windows turns to when DNS cannot resolve a name, and it is this fall-back that the attack abuses.

From Vista onwards the resolution order, and therefore the fall-back, looks as follows:-

  • Domain Name System (DNS)
    • DNS resolver cache
    • DNS servers
  • Link-Local Multicast Name Resolution (LLMNR)
    • LLMNR cache
    • Multicast (IPv6 FF02::1:3, IPv4 224.0.0.252)
  • NetBIOS (NBNS)
    • WINS servers (if applicable)
    • LMHOSTS file
    • NBNS broadcast

Vulnerability

During penetration tests, one of the most popular methods of obtaining credentials and escalating privileges is to listen for Windows broadcast and multicast name resolution traffic on a local network segment. A mistyped share name, a stale drive mapping or a decommissioned host is enough to make a victim fall through DNS and ask the segment. By answering that request before (or instead of) any legitimate host, the attacker's machine is resolved as the requested name, the victim connects to it and authenticates, and authentication traffic has been redirected to the attacker in a man-in-the-middle (MitM) attack.
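To make the mechanism concrete, here is an added example, written for this page and not code from the original post or from Responder, that builds the LLMNR query a Windows host multicasts for a name DNS could not resolve, the poisoned answer an attacker returns for it, and a parser for the reply. It also encodes and decodes NBNS names, whose 'first-level' nibble encoding is why NBNS queries look like strings of capital letters in a packet capture. The names DEMO-PC and ZZ-CANARY-4F2A and the address 10.0.0.66 are constructed sample values. The poisoner_from_canary check goes slightly beyond the post: it is the usual way to detect a poisoner on a segment (query a name no real host has; whoever answers is lying).

```python
"""Added example (not from the original post or from Responder): the LLMNR
exchange behind the attack, built and parsed by hand, plus the NBNS name
encoding. All packets are constructed here; nothing is sent on the network."""
import struct

LLMNR_MCAST_V4 = "224.0.0.252"   # LLMNR multicast group, UDP port 5355
LLMNR_PORT = 5355
NBNS_PORT = 137                  # NBNS broadcasts go to UDP port 137


def encode_dns_name(name: str) -> bytes:
    """DNS/LLMNR wire name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".") if lab)
    return out + b"\x00"


def decode_dns_name(buf: bytes, offset: int):
    """Read a wire name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end = [], None
    while True:
        ln = buf[offset]
        if ln & 0xC0 == 0xC0:                            # pointer: 2 bytes, 14-bit offset
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(buf[offset:offset + ln].decode("ascii"))
        offset += ln


def build_llmnr_query(txid: int, name: str) -> bytes:
    """What the victim multicasts when DNS fails: a DNS-format A query, flags = 0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner sends back: the victim's own ID and question echoed, QR=1,
    and a single A record pointing at the attacker's address."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_dns_name(query, 12)
    question = query[12:off + 4]                          # name + QTYPE + QCLASS
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    rr = encode_dns_name(name) + struct.pack("!HHIH", qtype, qclass, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_llmnr_answer(pkt: bytes) -> dict:
    """Decode header, question and answer records of an LLMNR packet."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_dns_name(pkt, 12)
    off += 4                                              # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        aname, off = decode_dns_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                     # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((aname, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


def poisoner_from_canary(answer_pkt: bytes, canary_name: str):
    """Detection heuristic (added here, not from the post): query a name that exists
    on no real host; any A record returned for it identifies a poisoner."""
    parsed = parse_llmnr_answer(answer_pkt)
    if not parsed["is_response"]:
        return None
    for aname, rtype, _ttl, rdata in parsed["answers"]:
        if rtype == 1 and aname.lower() == canary_name.lower():
            return rdata
    return None


def encode_nbns_name(name: str, suffix: int = 0x20) -> bytes:
    """NBNS first-level encoding (RFC 1001 s.14.1): pad the name to 15 bytes, append
    the service suffix (0x20 = File Server), then write each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + enc + b"\x00"                    # one 32-byte label, then terminator


def decode_nbns_name(buf: bytes):
    """Inverse of encode_nbns_name; returns (name, suffix)."""
    enc = buf[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


if __name__ == "__main__":
    q = build_llmnr_query(0x1234, "DEMO-PC")              # constructed victim query
    a = build_poisoned_answer(q, "10.0.0.66")             # constructed attacker reply
    print(parse_llmnr_answer(a))
    print(encode_nbns_name("DEMO-PC"))
```

Nothing in either protocol lets the victim tell the poisoned answer from a genuine one: there is no signature, no server identity, and the first reply to arrive wins. That is the whole vulnerability, and it is why the fix is to stop asking the segment rather than to validate the answers.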

Whilst both protocols have their uses, they are inherently vulnerable to attack: neither authenticates the host that answers, so the first reply wins. A common misconception is that NetBIOS is required in order for Windows file and printer sharing to work, but this is not always the case (SMB has run directly over TCP port 445, without NetBIOS, since Windows 2000). The outcome of these attacks against LLMNR and NBT-NS can be the disclosure of domain user names and their respective credentials, usually as an NTLMv1 or NTLMv2 challenge/response (loosely called a 'hash') and on occasion in clear text, for example where the client can be coaxed into HTTP Basic authentication.

Having obtained the challenge/response, it is possible to perform offline brute-force password cracking in order to recover the clear-text password using common tools such as hashcat [1] or any other password cracking tool. Note that an NTLMv2 response is bound to the server challenge, so it is not the user's NT hash and cannot be replayed as a pass-the-hash credential; it must either be cracked, or relayed to another host while the session is live (which is why SMB signing matters, see the remediation below). If weak passwords have been used, these credentials can then be leveraged on the domain to access sensitive information that would otherwise not have been available; in the worst case, if domain administrator credentials can be gathered it could result in the compromise of the entire domain.

The following snippet shows a simplified example of the attack using a tool called 'Responder', published by Laurent Gaffie [2]. It shows a domain-joined server sending the NTLMv2 challenge/response for the domain administrator account back to the attacker after its LLMNR query for DEMO-PC was poisoned. The server challenge 1122334455667788 visible in the capture is Responder's default and is itself a useful detection signature. (Please excuse the redactions):

[*] [LLMNR]  Poisoned answer sent to X.X.X.X for name DEMO-PC
[*] [LLMNR]  Poisoned answer sent to X.X.X.X for name DEMO-PC
[SMB] NTLMv2 Client   : #[X.X.X.X]
[SMB] NTLMv2 Username : #[XXX\administrator]
[SMB] NTLMv2 Hash     : #[administrator::XXX:1122334455667788:F6EE254E6B4C2DF4FFB390F36F781021:01010000000000007
1B7CE2B9B50D4A558A0E79EE526A3005248029CB4E91C9F12017D0042000100160053004D0042002D0054004
---------snip---------

Remediation - Disable NetBIOS over TCP/IP

There are unfortunately no global settings for disabling NetBIOS over TCP/IP, and the change must be made for each individual network interface. This can be achieved in multiple ways:

  • Manually: Control Panel > Network and Internet > Network Connections > {Network adapter name} > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced > WINS tab > Disable NetBIOS over TCP/IP
  • Via the registry (set the following value to 2; 0 means 'use the setting from the DHCP server' and 1 means enabled): HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}\NetbiosOptions

* Please note that GUID refers to the unique identifier of the network interface adapter, and that the registry value may need the adapter to be reset, or the host rebooted, before it takes effect.

LLMNR, by contrast, does have a single switch: enable the 'Turn off multicast name resolution' policy (Computer Configuration > Administrative Templates > Network > DNS Client), which sets the DWORD HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast to 0. In a domain this is best delivered by Group Policy, since the Group Policy client will re-assert whatever the domain policy says.
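The following is an added example, written for this page rather than taken from the original post, that applies both registry hardenings (NetbiosOptions = 2 on every Tcpip_{GUID} interface key and EnableMulticast = 0 under the DNSClient policy key) and re-audits afterwards. It is written in Python rather than PowerShell; the same two writes can equally be done with Set-ItemProperty or delivered by Group Policy. The read and write paths use the Windows-only winreg module and need an elevated prompt; the planning logic is pure, so it can be reviewed and tested on any platform, and running the script twice is a no-op the second time. The interface subkey names in the usage note are constructed examples.

```python
"""Added example (not from the original post): apply the two registry hardenings
discussed here to every interface and re-audit. The apply/verify path is Windows-only
and needs an elevated prompt; plan_hardening() is pure so it can be tested anywhere."""
import sys
try:
    import winreg                     # present on Windows builds of CPython only
except ImportError:
    winreg = None

NETBT_IFACES = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
DNSCLIENT_POLICY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
NETBIOS_DISABLED = 2   # NetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled
MULTICAST_OFF = 0      # EnableMulticast = 0 is what "Turn off multicast name resolution" writes


def plan_hardening(current: dict) -> list:
    """Return the (subkey, value name, DWORD) writes still needed to reach the hardened
    state. `current` is {"interfaces": {subkey: NetbiosOptions or None},
    "enable_multicast": int or None}. An already-hardened host yields an empty list."""
    writes = []
    for subkey, option in sorted(current["interfaces"].items()):
        if not subkey.startswith("Tcpip_"):           # only Tcpip_{GUID} keys carry the option
            continue
        if option != NETBIOS_DISABLED:
            writes.append((NETBT_IFACES + "\\" + subkey, "NetbiosOptions", NETBIOS_DISABLED))
    if current.get("enable_multicast") != MULTICAST_OFF:
        writes.append((DNSCLIENT_POLICY, "EnableMulticast", MULTICAST_OFF))
    return writes


def read_current() -> dict:
    """Snapshot of the live registry (Windows only)."""
    state = {"interfaces": {}, "enable_multicast": None}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_IFACES) as ifaces:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(ifaces, index)
            except OSError:                            # EnumKey raises when the list ends
                break
            index += 1
            with winreg.OpenKey(ifaces, sub) as key:
                try:
                    state["interfaces"][sub] = winreg.QueryValueEx(key, "NetbiosOptions")[0]
                except FileNotFoundError:              # value absent: behaves as 0 (DHCP)
                    state["interfaces"][sub] = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DNSCLIENT_POLICY) as key:
            state["enable_multicast"] = winreg.QueryValueEx(key, "EnableMulticast")[0]
    except FileNotFoundError:                          # policy key absent: LLMNR still on
        pass
    return state


def apply_writes(writes: list) -> None:
    """Write each planned DWORD; CreateKeyEx also creates the policy key if it is missing."""
    for subkey, name, data in writes:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)


if __name__ == "__main__":
    if winreg is None:
        sys.exit("This script reads and writes the Windows registry; run it on Windows.")
    pending = plan_hardening(read_current())
    if "--apply" in sys.argv:
        apply_writes(pending)
        pending = plan_hardening(read_current())       # re-audit: should now be empty
    for subkey, name, data in pending:
        print(f"needs {name}={data} at HKLM\\{subkey}")
    print("hardened" if not pending else f"{len(pending)} change(s) outstanding")
```

Run it without arguments to audit (it lists, for example, `needs NetbiosOptions=2 at HKLM\SYSTEM\...\Interfaces\Tcpip_{...}` for each interface still broadcasting) and with `--apply` from an elevated prompt to fix and re-audit. As with the manual steps, the NetbiosOptions change may need an adapter reset or a reboot, and writing the DNSClient policy value by hand is only appropriate on machines that are not receiving that setting from a domain GPO.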

Disabling the aforementioned vulnerable protocols on both workstations and servers within a corporate environment will help to reduce the attack surface available to an attacker, or indeed to certain malware families that have been observed in the wild using the same technique. All such system hardening should of course be conducted in combination with other good security practices (in particular enforcing SMB signing, so that a captured authentication cannot simply be relayed to another host), and any changes to systems should be made and tested in a non-production environment before being rolled out globally.


References:-
[1] hashcat - https://hashcat.net/hashcat/
[2] GitHub - SpiderLabs Responder - https://github.com/SpiderLabs/Responder

Other References & Further Reading:-
GitHub - Inveigh - https://github.com/Kevin-Robertson/Inveigh
Metasploit - NetBIOS Name Service Spoofer - https://www.rapid7.com/db/modules/auxiliary/spoof/nbns/nbns_response
Microsoft - Link-Local Multicast Name Resolution - https://technet.microsoft.com/library/bb878128
NCC Group - Jon Mcfarlane - http://bit.ly/2jTeGD0

