LLMNR- Link-Local Multicast name Resolution is a protocol used and is still in use by legacy operating systems to provide name resolution services without the need to set a DNS server. The LLMNR protocol is based on the domain name system packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. LLMNR protocol is included in the following Windows versions: Windows Vista, Windows Server 2008, Windows 7, Windows 8 and Windows 10. In some Linux distributions it is implemented by system. In this blog we delve into the importance of disabling LLMNR and the associated protocols, exploring the potential security risks they pose and the steps to mitigate these threats effectively. What will be discussed:
- What is LLMNR?
- LLMNR vulnerabilities and security risks
- LLMNR Poisoning Explained
- How to Disable LLMNR through a GPO
- Operational risks to disabling LLMNR
- Hardening LLMNR
What is LLMNR
LLMNR protocol was introduced by Microsoft with the goal of improving the user experience for resolving network resources. When a device on a network needs to resolve the name of another device, it will start by querying the DNS server. If the DNS server cannot provide the name, LLMNR protocol can be used to send out a multicast request to all devices on the local network, to check for the UP address associated with the name. This procedure is intended to make it easier for the user and administrator, as there are fewer Errors related to the name resolution.
As of April 2022, Microsoft has begun the process of phasing out both LLMNR and NetBIOS name resolution in favor of mDNS. LLMNR, a Windows protocol, facilitates fast and efficient local network name resolution.
LLMNR vulnerabilities and security risks
What's the issue with LLMNR & Netbios NS Broadcasting?
If the DNS name does not resolve, the client performs an unauthenticated UDP broadcast to the network asking if any other system has the name it's looking for. The fact this process is unauthenticated and broadcasted to the whole network allows any machine on the network to respond and claim to be the target machine. This unsecured way of unauthenticated broadcast is the cause for the a known attack vector called LLMNR poisoning
LLMNR Poisoning Explained
LLMNR Poisoning is a type of man-in-the-middle attack that exploits the LLMNR (Link-Local Multicast Name Resolution) protocol in Windows systems. Man-in-the-Middle (MitM) and Adversary-in-the-Middle (AiTM) attacks are both related to intercepting or manipulating network communications, but they differ in their purpose and often their level of control and access within a network. These types of attacks can be used to steal credentials, perform network reconnaissance, or launch further attacks on the target system or network.
In most cases, LLMNR is achieved using a tool called Responder. It is a popular open-source script usually written in python and used for LLMNR, NBT-NS, and MDNS poisoning. It sets up multiple servers like SMB, LDAP, Auth, WDAP, etc. When run on a network, the Responder script listens to LLMNR queries made by other devices on that network and performs man-in-the-middle attacks on them.
When an attacker executes the responder script, the script listens quietly for events and LLMNR queries. When one occurs, it sends poisoned responses to them. If these spoofing attacks are successful, the responder displays the target’s username and password hash.
The attacker can then try to crack the password hash using various password-cracking tools. The password hash is usually an NTLMv1 hash. If the target’s password is weak it would be brute forced and cracked in little to no time. And when this happens, the attacker would be able to log into the user’s account, impersonate the victim, install malware, or perform other activities like network reconnaissance and data exfiltration.
Hardening the LLMNR protocol involves implementing security measures to reduce vulnerabilities and enhance network protection in Windows environments
Pass the Hash Attacks
The frightening thing about this attack is that sometimes the password hash need not be cracked. The hash itself can be used in a pass the hash attack. A pass the hash attack is one where the cybercriminal uses the uncracked password hash to gain access to the user’s account and authenticate himself.
In a normal authentication process, you enter your password in plain text. The password is then hashed with a cryptographic algorithm (such as MD5 or SHA1) and compared to the hashed version stored in the system’s database. If the hashes match, you become authenticated. But, in a pass the hash attack, the attacker intercepts the password hash during authentication and reuses it to authenticate without knowing the plain text password.
Disabling NetBIOS over TCP is often a security best practice, and it can impact NetBIOS NS broadcasting in the following ways:
- Reduced Dependency
- Security Improvement
- Compatibility Considerations
While NetBIOS NS broadcasting is a fundamental part of NetBIOS for name resolution within a local network, disabling NetBIOS over TCP is a strategic move to enhance network security.
How to Disable LLMNR through a GPO
Here is a step-by-step video on how to disable LLMNR via a GPO
Operational risks to disabling LLMNR
Disabling Link-Local Multicast Name Resolution (LLMNR) can improve network security and mitigate certain risks, as discussed in previous articles. However, it's important to be aware of potential operational risks and drawbacks associated with disabling LLMNR:
Compatibility Issues: Disabling LLMNR might cause problems with older devices or software reliant on LLMNR for local network name resolution. Ensure all network devices and applications can operate smoothly without LLMNR before deactivating it.
User Experience: Disabling LLMNR could result in slower name resolution for local network resources, especially if alternative methods like DNS or NetBIOS aren’t optimized. This could impact user experience and productivity.
Network Resource Discovery: LLMNR aids devices in seamless discovery and connection to other devices on the local network. Disabling it might require users to manually input IP addresses or use other methods, potentially causing usability issues.
Delayed Network Troubleshooting: LLMNR is valuable for network troubleshooting and diagnostics. Disabling it might complicate the quick diagnosis and resolution of local network issues.
Increased Administrative Overhead: Without LLMNR, network administrators may need to rely more on DNS configurations and NetBIOS settings, increasing administrative complexity.
Limited Use Cases: Disabling LLMNR enhances security but might not be necessary in all network setups. Well-segmented, properly configured networks with robust security measures might face minimal LLMNR-related risks.
Hardening LLMNR
Hardening LLMNR protocol refers to a set of security measures and configurations aimed at strengthening its operation within Windows environments. This process involves several steps to minimize vulnerabilities and enhance network protection. To disable LLMNR is the primary step in hardening and often disabling it entirely.
Implementing Network Segmentation: Properly segmenting the network can limit the scope of LLMNR’s operation, reducing its exposure to potential threats and unauthorized access.
Using Secure Name Resolution Protocols: Encouraging the use of more secure name resolution protocols like DNS over DNSSEC can provide better protection against potential LLMNR-related vulnerabilities.
Enabling Security Features: Leveraging Windows security features and group policies to control LLMNR settings can help enhance network security and prevent unauthorized access.
Monitoring and Detection: Employing network monitoring and intrusion detection systems can help detect and respond to suspicious LLMNR activities, enhancing the network’s overall security posture.
