Press "Enter" to skip to content

LLMNR & NBT-NS, what it is and how to disable it

Published August 4, 2023 by John Brumels

LLMNR (Link-Local Multicast Name Resolution is a protocol used for name resolution on local network when DNS resolution fails. LLMNR operates on both IPv6 and IPv4. When a computer needs to resolve a hostname of a device on the local network, it sends an LLMNR query to the multicast group address. The query is broadcasted to all devices on the network, asking if anyone knows the IP address associated with the requested hostname. If a device recognizes the hostname and has the IP address, it responds directly to the querying device with the IP address information. This direct response bypasses the need for a DNS server when down. However, LLMNR operates with encryption, transmitting data in plain text, which exposes sensitive information to potential sniffers.

NBT-NS (NetBIOS Name Service, is a protocol used in computer networks to resolve NETBIOS names to IP addresses. NETBIOS is an API developed by IBM that allows applications on different computers to communicate over a LAN. NBT-NS specifically hands the name resolution aspect of NetBIOS. NBT-NS operates through broadcast messages within a LAN. When a computer needs to resolve a NetBIOS name to an IP address, it sends a broadcast message to all computers on the local network. The computer that has registered the requested NetBIOS name responds with its corresponding IP address.

The two protocols above are quite similar in operation and as such their vulnerabilities are practically the same. Using Responder, we can exploit these vulnerabilities and gain credentials to a computer. Responder is a powerful tool used for network security assessments and penetration testing. It exploits the weaknesses in the NetBIOS Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR) protocols to capture network traffic and gather valuable information.

a. Responder takes advantage of NBT-NS vulnerabilities by impersonating legitimate network resources and capturing NBT-NS queries. Here’s how it works:

  1. Responder starts by listening for NBT-NS broadcasts or queries sent by other network devices.
  2. When a device sends an NBT-NS query to resolve a NetBIOS name, Responder intercepts the request and responds with its own crafted response.
  3. The response from Responder includes its IP address, which makes other devices believe that Responder is the legitimate resource being queried.
  4. As a result, the querying device sends any further communication to Responder, revealing valuable information, such as usernames, passwords, or hashes.

b. Responder exploits LLMNR by poisoning LLMNR requests and capturing network traffic. Here’s how Responder utilizes LLMNR weaknesses:

    1. Responder listens for LLMNR multicast queries sent by devices on the network.
    2. Upon receiving an LLMNR query, Responder crafts a response and sends it back to the requesting device.
    3. The response is designed to impersonate a legitimate resource, tricking the device into communicating with Responder.
    4. As a result, any subsequent communication from the device is captured by Responder, potentially revealing sensitive information.

    By capturing NBT-NS and LLMNR traffic, Responder can extract valuable data, including user credentials, hashes, and other network-related information. Ultimately being a great way for potential hackers to gain access to networks. NBT-NS and LLMNR protocols, if not properly secured, can be exploited by malicious actors to intercept network traffic, capture sensitive information, or perform man-in-the-middle attacks. Hackers with access to the network can use tools like Responder to impersonate legitimate resources, trick devices into communicating with them, and potentially gain unauthorized access to systems or obtain sensitive data. It’s crucial for network administrators and security professionals to be aware of these vulnerabilities and implement appropriate security measures to mitigate the risks.

    To disable:

    1. Firstly, in the bottom left corner click on the Windows icon and type in “group policy management”. Alternatively, you can use the Windows shortcut win + r to open the run prompt and enter “gpedit.msc” to access the group policy management window.
    2. Right-click on your domain in Active Directory and select “Create a GPO in this domain, and link it here.”
    3. Name the new Group Policy Object (GPO) accordingly.
    4. Right-click on the newly created GPO and select “Edit.”
    5. In the Group Policy Management Editor, expand “Computer Configuration,” then “Policies,” followed by “Administrative Templates.”
    6. Navigate to “Network” and then “DNS Client.”
    7. Locate the policy named “Turn off Multicast Name Resolution.”
    8. Double-click on the policy to edit its settings.
    9. Select the “Enabled” option to disable LLMNR.
    10. Click “Apply” to apply the changes.
    11. Close the Group Policy Management Editor.

    By following these steps, you have successfully disabled LLMNR (Link-Local Multicast Name Resolution) through Group Policy in your Active Directory environment. This helps enhance your network security by mitigating potential risks associated with the use of this protocol.

    To disable NBT-NS click on the bottom left corner windows icon and type in ”PowerShell”. Right click on PowerShell and click Run as Admin and type the following:

    $regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
    Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

    Published in Uncategorized

    Leave a Reply

    Your email address will not be published. Required fields are marked *