
0. Overview

Active Directory (AD) stands as a foundational piece for many organizational networks, streamlining administrative tasks and enhancing productivity. However, out of the box, AD comes bundled with various “features” that can be a goldmine for attackers. Notably, protocols like LLMNR can pose significant security risks, especially for organizations that have never undergone a penetration test. This blog delves deep into the intricacies of LLMNR and the vulnerabilities it introduces, offering insights into its potential impacts and mitigation strategies.

1. What is LLMNR?

LLMNR is a protocol that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local network without requiring a DNS server or DNS configuration.

When a host’s DNS query fails (i.e., the DNS server doesn’t know the name), the host broadcasts an LLMNR request on the local network to see if any other host can answer.

LLMNR is the successor to NetBIOS. NetBIOS (Network Basic Input/Output System) is an older protocol that was heavily used in early versions of Windows networking. NBT-NS is a component of NetBIOS over TCP/IP (NBT) and is responsible for name registration and resolution. Like LLMNR, NBT-NS is a fallback protocol when DNS resolution fails. It allows local name resolution within a LAN.

2. How is Active Directory vulnerable to LLMNR?

LLMNR has no authentication mechanism: any host on the local network can answer an LLMNR query, and the requesting host has no way to verify that the answer is genuine. When a computer tries to resolve a name and the standard methods (such as DNS) fail, it sends an LLMNR query across the local network. An attacker on that network can listen for these queries and respond to them, leading to potential unauthorized access in the Active Directory environment.

3. Exploiting LLMNR (AKA LLMNR Poisoning) in Active Directory

LLMNR poisoning is an attack where a malicious actor listens for LLMNR requests and responds with their own IP address (or another IP of their choosing) to redirect the traffic. This can lead to credential theft and relay attacks in Active Directory. Here is a sample walkthrough.

Step 1: The Attacker runs Responder

sudo responder -I eth0 -dwP
[Screenshot: Responder running with NBT-NS and LLMNR poisoners enabled]

Step 2: An Event Occurs in the Network and Triggers LLMNR

[Screenshot: an LLMNR event in Responder revealing the victim's IP address, domain, username, and password hash]

When an LLMNR event occurs in the network and is maliciously responded to, the attacker will obtain sensitive information, including:

  • The IP address of the victim (in this example: 10.0.3.7)
  • The domain and username of the victim (in this example: MARVEL\fcastle)
  • The victim’s password hash

With the victim’s hash in hand, we can attempt to take the hash offline and crack it.

Step 3: Cracking the Victim’s Hash

We can now use a password cracking tool, such as Hashcat, to attempt to crack the victim’s hash.

hashcat -m 5600 <hashfile.txt> <wordlist.txt>
[Screenshot: using Hashcat to crack the victim's password hash]

We have successfully cracked the victim’s password hash, which was found to be “Password1”.

4. How can LLMNR Poisoning be Mitigated in Active Directory?

Main Defense – Disable LLMNR and NBT-NS

To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Computer Configuration > Administrative Templates > Network > DNS Client in the Group Policy Editor of Active Directory.

[Screenshot: “Turn OFF Multicast Name Resolution” enabled in the Group Policy Editor]

To disable NBT-NS on a single machine, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP”. This setting applies only to the local machine, so it does not scale across a domain on its own.

[Screenshot: series of dialog windows showing how to disable NetBIOS over TCP/IP on a local adapter]

To disable NBT-NS via GPO in Active Directory, we can simply write a PowerShell script (see below) and save it in Startup Scripts.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip*" -Name NetbiosOptions -Value 2
[Screenshot: PowerShell script to disable NBT-NS saved in the Startup Scripts section]

Now add the script to Startup Scripts in Computer Configuration > Policies > Windows Settings > Scripts > Startup. The value takes effect on each machine at its next boot, once the GPO has been applied.

[Screenshot: adding the script to Startup Scripts in the Active Directory GPO]

Confirming Our Mitigation

We can confirm that we have mitigated LLMNR by running the following command in PowerShell and receiving a ‘0’ in return:

$(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -name EnableMulticast).EnableMulticast
[Screenshot: EnableMulticast returning 0, confirming LLMNR is disabled]

We can confirm that we have mitigated NBT-NS by running the following command in cmd.exe and receiving a ‘2’ in return:

wmic nicconfig get caption,index,TcpipNetbiosOptions
[Screenshot: TcpipNetbiosOptions returning 2 for each adapter, confirming NBT-NS is disabled]
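Putting the startup script and the two verification commands together, the following is an added PowerShell example (not TCM Security’s own script) that audits both settings on the local host and, when run with -Enforce, writes the same registry values the post uses. The registry paths and values are the ones shown above; the -Enforce switch, the function names, and the use of Get-ChildItem over the NetBT interface keys instead of wmic are this example’s own choices. Run it from an elevated PowerShell session.

```powershell
# Added example: audit (and optionally enforce) the LLMNR and NBT-NS settings
# described in the post. Without -Enforce the script only reports; with it,
# the registry values are written. Requires an elevated session.
param(
    [switch]$Enforce
)

# Policy key read by the DNS Client. EnableMulticast = 0 is what the GPO setting
# "Turn OFF Multicast Name Resolution" writes.
$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Parent of the per-interface NetBT keys (Tcpip_{GUID}). NetbiosOptions = 2 means
# "Disable NetBIOS over TCP/IP", the same value the post's startup script sets.
$NetbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # Returns 0 (disabled), 1 (enabled by policy) or $null when no policy value
    # exists, in which case Windows defaults to LLMNR being enabled.
    $item = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EnableMulticast
}

function Get-NbtnsState {
    # One object per Tcpip_* interface key. NetbiosOptions: 0 = use DHCP setting,
    # 1 = enabled, 2 = disabled, $null = value not set (default behaviour applies).
    Get-ChildItem -Path $NetbtKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            $value = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = $value
                Disabled       = ($value -eq 2)
            }
        }
}

function Disable-LlmnrAndNbtns {
    # The policy key may not exist on a host that has never received the GPO,
    # so create it before writing the value.
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # Same change as the post's startup script, applied to every Tcpip_* interface key.
    Get-ChildItem -Path $NetbtKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

if ($Enforce) { Disable-LlmnrAndNbtns }

$llmnr = Get-LlmnrState
$nbt   = @(Get-NbtnsState)
$nbtNotDisabled = @($nbt | Where-Object { -not $_.Disabled }).Count

# Summary object: both flags must be $true for the host to match the post's
# "properly remediated" state (EnableMulticast 0 and NetbiosOptions 2 everywhere).
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    EnableMulticast  = $llmnr
    LlmnrDisabled    = ($llmnr -eq 0)
    NbtnsInterfaces  = $nbt.Count
    NbtnsAllDisabled = ($nbt.Count -gt 0 -and $nbtNotDisabled -eq 0)
}

# Per-interface detail, useful when only some adapters still have NetBIOS enabled.
$nbt | Format-Table -AutoSize
```

Two caveats apply when using this locally rather than through the GPO described above: the NetbiosOptions change only takes effect after a reboot (which is why the post schedules it as a startup script), and on a domain-joined host a conflicting domain policy will overwrite the EnableMulticast value at the next policy refresh, so the GPO remains the authoritative place to make the change.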

Alternate Defenses

If a company must use or cannot disable LLMNR/NBT-NS in Active Directory, the best course of action is to:

  • Require Network Access Control.
  • Require strong user passwords (e.g., >14 characters in length and limit common word usage). The more complex and longer the password, the harder it is for an attacker to crack the hash.

Penetration Testing

Conducting a penetration test is instrumental in uncovering Active Directory vulnerabilities associated with protocols like LLMNR. When left unchecked, LLMNR can be a prime target for attackers, given its susceptibility to poisoning and man-in-the-middle attacks. Through penetration testing, organizations can actively simulate these potential attack vectors, obtaining a clear picture of their existing vulnerabilities. Beyond mere identification, the insights gleaned from such tests offer a roadmap to remediate these weaknesses, ensuring that the organization’s network remains resilient against real-world cyber threats leveraging LLMNR vulnerabilities.

Conclusion

In the dynamic landscape of networking and cybersecurity, understanding protocols like LLMNR and NBT-NS is paramount. While these protocols were designed to simplify name resolution on local networks, their inherent vulnerabilities can inadvertently create gateways for attackers. The lack of authentication in both LLMNR and NBT-NS responses leaves networks susceptible to spoofing and man-in-the-middle attacks. As the line between user convenience and security blurs, it’s vital for organizations to prioritize the latter. Disabling these legacy protocols, regular patching, and fostering a robust cybersecurity culture are imperative steps towards ensuring network safety in today’s interconnected world.

If you are looking to learn more about LLMNR poisoning and Active Directory, join our one day live training session on September 27th! We review Active Directory vulnerabilities including LLMNR, SMB Relay Attacks, Kerberoasting, and how they can be defended against. Limited to 50 spots, sign up today!

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com
