0. Overview
Active Directory (AD) stands as a foundational piece for many organizational networks, streamlining administrative tasks and enhancing productivity. However, out of the box, AD comes bundled with various “features” that can be a goldmine for attackers. Notably, protocols like LLMNR can pose significant security risks, especially for organizations that have never undergone a penetration test. This blog delves deep into the intricacies of LLMNR and the vulnerabilities it introduces, offering insights into its potential impacts and mitigation strategies.
1. What is LLMNR?
LLMNR (Link-Local Multicast Name Resolution) is a protocol that allows both IPv4 and IPv6 hosts to resolve the names of other hosts on the same local network without requiring a DNS server or any DNS configuration.
When a host’s DNS query fails (i.e., the DNS server doesn’t know the name), the host sends an LLMNR query to the local link as a multicast, asking whether any other host can answer for that name.
LLMNR is the successor to NetBIOS name resolution. NetBIOS (Network Basic Input/Output System) is an older protocol that was heavily used in early versions of Windows networking. NBT-NS is the name service component of NetBIOS over TCP/IP (NBT) and is responsible for name registration and resolution. Like LLMNR, NBT-NS is a fallback protocol used when DNS resolution fails, providing local name resolution within a LAN.
2. How is Active Directory vulnerable to LLMNR?
LLMNR has no authentication mechanism. Anyone can respond to an LLMNR request, which opens the door to potential attacks. When a computer tries to resolve a domain name and fails via the standard methods (like DNS), it sends an LLMNR query across the local network. An attacker can listen for these queries and respond to them, leading to potential unauthorized access in the Active Directory environment.
3. Exploiting LLMNR (AKA LLMNR Poisoning) in Active Directory
LLMNR poisoning is an attack where a malicious actor listens for LLMNR requests and responds with their own IP address (or another IP of their choosing) to redirect the traffic. This can lead to credential theft and relay attacks in Active Directory. Here is a sample walkthrough.
Step 1: The Attacker runs Responder
sudo responder -I eth0 -dwP
Step 2: An Event Occurs in the Network and Triggers LLMNR
When an LLMNR event occurs in the network and is maliciously responded to, the attacker will obtain sensitive information, including:
- The IP address of the victim (in this example: 10.0.3.7)
- The domain and username of the victim (in this example: MARVEL\fcastle)
- The victim’s password hash
With the victim’s hash in hand, we can attempt to take the hash offline and crack it.
Step 3: Cracking the Victim’s Hash
We can now use a password cracking tool, such as Hashcat, to attempt to crack the victim’s hash.
hashcat -m 5600 <hashfile.txt> <wordlist.txt>
(Mode 5600 is Hashcat’s NetNTLMv2 mode, the hash type Responder captures in this walkthrough.)
We have successfully cracked the victim’s password hash, which was found to be “Password1”.
4. How can LLMNR Poisoning be Mitigated in Active Directory?
Main Defense – Disable LLMNR and NBT-NS
To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor of Active Directory.
To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP” in Active Directory. This only works locally.
To disable NBT-NS via GPO in Active Directory, we can simply write a PowerShell script (see below) and save it in Startup Scripts.
# NetbiosOptions = 2 means “Disable NetBIOS over TCP/IP”; the wildcard applies it to every interface.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip*' -Name NetbiosOptions -Value 2
Now add the script to Startup Scripts in Computer Configuration > Policies > Windows Settings > Scripts > Startup.
Confirming Our Mitigation
We can confirm that we have mitigated LLMNR by running the following command in PowerShell and receiving a ‘0’ in return:
$(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -name EnableMulticast).EnableMulticast
We can confirm that we have mitigated NBT-NS by running the following command in cmd.exe and receiving a ‘2’ in return:
wmic nicconfig get caption,index,TcpipNetbiosOptions
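As an added example that is not part of the original post, the following PowerShell script audits both settings described above on the local machine and, when run with an assumed -Remediate switch, writes the same registry values; the registry keys and values are those from the post, while the function names and the switch are this example’s own.

```powershell
# Added example (not from the original post): audit the LLMNR and NBT-NS settings the
# post describes, and apply them when run with -Remediate. Registry keys and values are
# those from the post; the function names and the -Remediate switch are this example's own.
# Run from an elevated PowerShell prompt.

function Get-LlmnrState {
    # EnableMulticast = 0 under the DNSClient policy key is what the GPO writes when
    # "Turn OFF Multicast Name Resolution" is enabled; a missing value means the default (on).
    $key = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $val) { return 'NotConfigured (LLMNR on by default)' }
    if ($val -eq 0)     { return 'Disabled' }
    return "Enabled (EnableMulticast=$val)"
}

function Get-NbtnsState {
    # NetbiosOptions per interface: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base | Where-Object { $_.PSChildName -like 'Tcpip*' } | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = if ($opt -eq 2) { 'Disabled' } else { 'Enabled or DHCP-controlled' }
        }
    }
}

function Disable-LegacyNameResolution {
    # Same two changes as the post's GPO setting and startup script, applied to the local machine.
    $key = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip*' `
        -Name NetbiosOptions -Value 2 -Type DWord
}

# Audit first; re-run with -Remediate to apply both settings, then audit again.
if ($args -contains '-Remediate') { Disable-LegacyNameResolution }
'LLMNR: ' + (Get-LlmnrState)
Get-NbtnsState | Format-Table -AutoSize
```

Because the DNSClient policy key is the one Group Policy writes, a GPO refresh will overwrite a local change there; use the script to verify domain-wide settings, not as a substitute for them.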
Alternate Defenses
If a company must use or cannot disable LLMNR/NBT-NS in Active Directory, the best course of action is to:
- Require Network Access Control.
- Require strong user passwords (e.g., >14 characters in length and limit common word usage). The more complex and longer the password, the harder it is for an attacker to crack the hash.
Penetration Testing
Conducting a penetration test is instrumental in uncovering Active Directory vulnerabilities associated with protocols like LLMNR. When left unchecked, LLMNR can be a prime target for attackers, given its susceptibility to poisoning and man-in-the-middle attacks. Through penetration testing, organizations can actively simulate these potential attack vectors, obtaining a clear picture of their existing vulnerabilities. Beyond mere identification, the insights gleaned from such tests offer a roadmap to remediate these weaknesses, ensuring that the organization’s network remains resilient against real-world cyber threats leveraging LLMNR vulnerabilities.
Conclusion
In the dynamic landscape of networking and cybersecurity, understanding protocols like LLMNR and NBT-NS is paramount. While these protocols were designed to simplify name resolution on local networks, their inherent vulnerabilities can inadvertently create gateways for attackers. The lack of authentication in both LLMNR and NBT-NS responses leaves networks susceptible to spoofing and man-in-the-middle attacks. As the line between user convenience and security blurs, it’s vital for organizations to prioritize the latter. Disabling these legacy protocols, regular patching, and fostering a robust cybersecurity culture are imperative steps towards ensuring network safety in today’s interconnected world.
If you are looking to learn more about LLMNR poisoning and Active Directory, join our one-day live training session on September 27th! We review Active Directory vulnerabilities including LLMNR, SMB Relay Attacks, and Kerberoasting, and how they can be defended against. Limited to 50 spots, sign up today!
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/
Contact Us: sales@tcm-sec.com