Vulnerability Walkthrough – NBNS and LLMNR Spoofing

In this blog, we are going to walk through one of the most common ways we get an initial foothold on a network during an internal penetration test: NBNS and LLMNR Spoofing. First, we’ll discuss what these two technologies are, then we’ll talk about how to exploit them and the potential impact. Finally, we’ll discuss what actions you should take to protect your network from these types of attacks. With that, let’s dive in.

What are NBNS and LLMNR?

Both NetBIOS Name Server and Local-Link Multicast Name Resolution (NBNS and LLMNR) are protocols that a Windows computer uses to look for a host on the internal network when a host’s IP address cannot be resolved through the organizational DNS (Domain Name Server) server. This can be anything from a file server your machine is trying to map, to a web portal you are trying to access, to even background processes looking for things like a proxy server. When a Windows computer attempts to connect to another machine over the network, it follows this basic process:

  1. It checks the local host file. Any machine you have recently talked to is stored in the local host file. This makes it much faster as no network requests have to be made.
  2. If the host isn’t in your local host file, your computer will then query DNS, which is essentially the phone book of your network. It contains all the systems and their addresses on the network.
  3. If for some reason DNS doesn’t know where that host is, your computer will send out a NBNS and/or LLMNR request. This request gets broadcast (or sent to every computer) on the local subnet. Most requests will not reach this point, especially if your DNS is up to date. However, if you mistype the name of a server, or if the server doesn’t exist (like a proxy server if your organization doesn’t use one), these requests will be abundant.

NBNS and LLMNR Spoofing

NBNS and LLMNR spoofing attack diagram

An NBNS and LLMNR Spoofing attack takes advantage of these requests. When these requests are seen on the local subnet, the attacker will respond to them and say, “I know where that server is, in fact, I am that server.” This allows the attacker to capture whatever traffic comes next. Most of the time, this is benign traffic that the attacker can’t do much with. But in the case of a file server, like the example above shows, you have to prove you are allowed to access the file you are trying to open. To do this, the server will send a challenge and the host trying to connect will take that challenge and calculate a new response that combines that challenge with your password. This value will be hashed, but what this allows the attacker to do is take that password offline and crack it. Being able to take a password offline to crack it means they are not limited by the speed of the network, account lockouts, or the potential to be detected. Check out our blog for more information about offline password cracking. Once the attacker cracks that user’s password, they can gain access to any system they have permissions on.

WPAD

So, the other example I mentioned a few times above is a proxy server. In your Internet Explorer settings, there is a check box for “Automatically Detect Proxy Settings.” This is on by default in Windows systems. This is important because it means your computer will look for a proxy server on the internal network and send NBNS/LLMNR requests for that server if it can’t find one. This is known as Web Proxy Auto-Discover (WPAD) and it is significant for two reasons:

  1. First, an attacker can pose as this server (using the spoofing we talked about above) and force users to authenticate to the proxy server in order to get the proxy configuration file. After all, only valid users can access the proxy server. This means that you will follow the same challenge-response process as you would for a file server. For an attacker, this means a lot more passwords to take offline and crack.
  2. Second, an attacker can give you a configuration file stating that he is the proxy. Now, all of your web traffic will route through the attacker’s machine before it gets to the intended host. This allows an attacker to view every request you make to a website (even when you login and provide your password). This also means an attacker can modify any response or redirect you to a malicious server. Alternatively, they could just have some fun and wait until you access CNN and insert a headline for a major earthquake about to hit you.

What You Can Do to Prevent This

To prevent against NBNS and LLMNR spoofing, Triaxiom recommends disabling NBNS and LLMNR if possible, as it is usually unnecessary in a corporate environment. In addition to disabling NBNS and LLMNR, the following measures should be considered:

  • DNS entries should be kept accurate and up-to-date to minimize/eliminate NetBIOS and LLMNR queries.  
  • Using group policy, disable the “automatically detect proxy settings” option.
  • Create a DNS entry for “WPAD” that either points to a corporate proxy server or acts as a placeholder.  Even if the server does not actually host a proxy configuration file, an attacker will not be able to impersonate a WPAD server.  
  • Work to improve the password strength across the organization. This should encompass a stronger password policy and user awareness training. Check out our blog for some information on how to create a stronger password.