LLMNR/NBT-NS Poisoning

Exploiting weaknesses in name resolution protocols is a common technique for performing man-in-the-middle (MITM) attacks. Two particularly vulnerable name resolution protocols are Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS). Attackers leverage both of these protocols to respond to requests that fail to be answered through higher priority resolution methods, such as DNS. The default enabled status of LLMNR and NBNS within Active Directory (AD) environments allows this type of spoofing to be an extremely effective way to both gain initial access to a domain, and also elevate domain privilege during post exploitation efforts. I’ll just recap two key areas of of LLMNR/NBNS spoofing. First, without implementing some router based wizardry, LLMNR and NBNS requests are contained within a single multicast or broadcast domain respectively. This can greatly limit the scope of a spoofing attack with regards to both the affected systems and potential privilege of the impacted sessions. Second, by default, Windows systems use the following priority list while attempting to resolve name resolution requests through network based protocols:

DNS
LLMNR
NBNS

Which means if the resolution using DNS doesn't fail, the client will probably not try to resolve via LLMNR or NBT-NS !

Now let's go to the technical details :)

Sources & More info :

Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNSNetSPI

PreviousInitial attack vectors NextIntercept and Hashcat

Last updated 4 years ago