LLMNR Attack

Link-Local Multicast Name Resolution

What is LLMNR?

LLMNR is a protocol that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local network without requiring a DNS server or DNS configuration.

When a host’s DNS query fails (i.e., the DNS server doesn’t know the name), the host broadcasts an LLMNR request on the local network to see if any other host can answer.

LLMNR is the successor to NetBIOS. NetBIOS (Network Basic Input/Output System) is an older protocol that was heavily used in early versions of Windows networking. NBT-NS is a component of NetBIOS over TCP/IP (NBT) and is responsible for name registration and resolution. Like LLMNR, NBT-NS is a fallback protocol when DNS resolution fails. It allows local name resolution within a LAN.

sudo responder -I eth0 -dwP

Mitigated

Main Defense – Disable LLMNR and NBT-NS

To disable LLMNR, select “Turn OFF Multicast Name Resolution” under Computer Configuration -> Administrative Templates -> Network > DNS Client in the Group Policy Editor of Active Directory.

To disable NBT-NS, navigate to Network Connections > Network Adapter Properties > TCP/IPv4 Properties > Advanced tab > WINS tab and select “Disable NetBIOS over TCP/IP” in Active Directory. This only works locally.

set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2

Confirming Our Mitigation

We can confirm that we have mitigated LLMNR by running the following command in PowerShell and receiving a ‘0’ in return:

$(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -name EnableMulticast).EnableMulticast

Click the image to view in full resolution.

We can confirm that we have mitigated NBT-NS by running the following command in cmd.exe and receiving a ‘2’ in return:

wmic nicconfig get caption,index,TcpipNetbiosOptions